From 91e65fdf6154f8f373b70d07432c47c4ddfec0f0 Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Thu, 9 Feb 2023 17:14:53 +0200
Subject: [PATCH] Allow User with Session to by pass basic auth when making ajax requests (#69)

---
 .../Component/RegistryAuthComponent.php | 26 +++++++++++--------
 app/webroot/js/comanage/comanage.js | 3 ---
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/app/src/Controller/Component/RegistryAuthComponent.php b/app/src/Controller/Component/RegistryAuthComponent.php
index 1906915fc..b59f0511a 100644
--- a/app/src/Controller/Component/RegistryAuthComponent.php
+++ b/app/src/Controller/Component/RegistryAuthComponent.php
@@ -129,8 +129,19 @@ public function beforeFilter(EventInterface $event) {
 }
 // Perform authorization check
-
- if($this->getConfig('apiUser')) {
+
+ // Do we have an authenticated user session?
+
+ // Note we don't stuff anything into the session anymore, the only attribute
+ // is the username, which is actually loaded by login.php.
+
+ $auth = $session->read('Auth');
+
+ // Registry UI is now a hybrid implementation of VUE and CAKEPHP MVC.
+ // In order to allow a logged-in user to reach out to the backend without
+ // the need of an API User, but just with the use of the Session, we will
+ // skip the API user authorization if a user Session is available.
+ if(empty($auth) && $this->getConfig('apiUser')) {
 // There are no unauthenticated API calls, so always require a valid user
 try {
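Review bot: The new bypass `if(empty($auth) && $this->getConfig('apiUser'))` keys on the whole `Auth` session value, while the code that actually treats the request as authenticated (second hunk of this file) tests `!empty($auth['external']['user'])`; a session in which `Auth` is set but `external.user` is absent (partially populated or stale) would therefore skip API-user authentication without ever being granted a username. Use the same predicate in both places: `if(empty($auth['external']['user']) && $this->getConfig('apiUser')) {`. Separately, accepting the session cookie in place of the Authorization header makes these backend calls reachable by cross-site requests that carry the cookie, so if the affected routes are not covered by CSRF protection middleware (not visible in this diff) that should be confirmed before merging. `$session` is assigned above the hunk and beforeFilter continues past it.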
@@ -177,16 +188,9 @@ public function beforeFilter(EventInterface $event) {
 if($controller->getName() == 'Pages') {
 return true;
 }
-
- // Do we have an authenticated user session?
-
- // Note we don't stuff anything into the session anymore, the only attribute
- // is the username, which is actually loaded by login.php.
-
- $auth = $session->read('Auth');
-
+
 if(!empty($auth['external']['user'])) {
- // We have a valid user name that is *authenticated* for the current request.
+ // We have a valid username that is *authenticated* for the current request.
 // Note we haven't checked authorization, but this is how the authorization
 // checks can get the authenticated username.
 $controller->set('vv_user', ['username' => $auth['external']['user']]);
diff --git a/app/webroot/js/comanage/comanage.js b/app/webroot/js/comanage/comanage.js
index 3bfa27fa4..0dd271a1b 100644
--- a/app/webroot/js/comanage/comanage.js
+++ b/app/webroot/js/comanage/comanage.js
@@ -254,9 +254,6 @@ function callRegistryAPI(
 url: apiUrl,
 method: httpMethod,
 dataType: dataType,
- headers: {
- "Authorization": "Basic " + btoa("co_1.xhruser:vkam-9163-jwjp-4732")
- },
 data: data,
 encode: true
 })
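Review bot: The removed `headers` block embedded the `co_1.xhruser` API user's basic-auth password in a file served from webroot, so it has been readable by every browser that loaded the page and it remains in repository history (blob 3bfa27fa4); deleting the lines does not revoke it. The credential should be rotated, or that API user disabled, as part of this change, and other client-side code should be checked for the same hard-coded header. With the header gone, callRegistryAPI depends on the browser attaching the session cookie to the `$.ajax` request, which holds for same-origin calls; if the API were served from another origin the request would instead fall through to the API-user path and fail. callRegistryAPI starts and ends outside this hunk.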