From 45ca48c235e1ac4634799231dff0962fce2e3fbf Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 19 Mar 2023 14:15:50 +0100
Subject: [PATCH] Allow multiple usernames when using HTTP authentication for the admin interface
Changed $cfg['admin_http_auth_user'] to an array to provide multiple usernames. The option to provide a string here is preserved for backward compatibility.
---
 admin.php | 3 ++-
 lib/config.original.php | 10 ++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/admin.php b/admin.php
index 0f8967f..09bded5 100644
--- a/admin.php
+++ b/admin.php
@@ -64,7 +64,8 @@ if (php_sapi_name() == "cli") {
 if (!jirafeau_admin_session_logged()) {
 /* Test HTTP authentication. */
 if (!empty($cfg['admin_http_auth_user']) &&
- $cfg['admin_http_auth_user'] == $_SERVER['PHP_AUTH_USER']) {
+ ((is_array($cfg['admin_http_auth_user']) && in_array($_SERVER['PHP_AUTH_USER'], $cfg['admin_http_auth_user'])) ||
+ (($cfg['admin_http_auth_user'] == $_SERVER['PHP_AUTH_USER'])))) {
 jirafeau_admin_session_start();
 }
 /* Test web password authentication. */
diff --git a/lib/config.original.php b/lib/config.original.php
index 1543089..bfa76af 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
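Review bot: The `in_array()` call on the first added line compares loosely, so a listed value can match a user name it is not identical to; pass the strict flag, `in_array($_SERVER['PHP_AUTH_USER'], $cfg['admin_http_auth_user'], true)`, and use `===` in the string fallback on the second added line. Under loose comparison an unset `PHP_AUTH_USER` (null) equals an empty-string entry, and the `!empty()` guard does not stop that because `array('')` is a non-empty array; numeric-looking names such as `1e3` and `1000` (constructed examples) also compare equal. Either case would reach `jirafeau_admin_session_start()` for a user who is not in the list. The enclosing `if (!jirafeau_admin_session_logged())` block continues outside the hunk.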
@@ -100,13 +100,15 @@ $cfg['upload_ip_nopassword'] = array();
 */
 $cfg['admin_password'] = '';
-/* If set, let the user be authenticated as administrator.
- * The user provided here is the user authenticated by HTTP authentication.
+/* If set, let the users be authenticated as administrator.
+ * The users provided here are authenticated by HTTP authentication.
 * Note that Jirafeau does not manage the HTTP login part, it just checks
- * that the provided user is logged in.
+ * that one of the provided users is logged in.
+ * May be an array for multiple users or a string for a single user.
+ * The option to provide a string is for backward compatibility.
 * If »admin_password« parameter is set, then the »admin_password« is ignored.
 */
-$cfg['admin_http_auth_user'] = '';
+$cfg['admin_http_auth_user'] = array();
 /* List of IP allowed to access the admin interface.
 * If the list is empty, then there is no admin interface restriction based on IP.
--
2.34.1
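Review bot: The rewritten comment does not say what a valid entry is or who enforces the login, and both matter more now that the option accepts a list. I would add ` * Each entry must be a non-empty user name; the web server must require authentication for admin.php.` after the backward-compatibility line, because Jirafeau only reads the user name and, depending on the SAPI, PHP may fill `PHP_AUTH_USER` from the request header even when the server did not demand credentials. The unchanged context line `If »admin_password« parameter is set, then the »admin_password« is ignored` names the same option twice and probably means that `admin_password` is ignored when this option is set. The comment block that follows the assignment runs past the end of the hunk.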