diff options
author | Frederic Guillot <fred@kanboard.net> | 2015-10-24 09:30:27 -0400 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2015-10-24 09:30:27 -0400 |
commit | 9129a163377126d30b78ff39c94385f4245df7ae (patch) | |
tree | dfd62157b7bb6d6c0d25a1d883bc834165d32c9f /app/Model | |
parent | 9aca556fc6db6c23c4c95a0e30425fe966003f0e (diff) |
Check for each request that reverse proxy user match user session
Diffstat (limited to 'app/Model')
-rw-r--r-- | app/Model/Authentication.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/app/Model/Authentication.php b/app/Model/Authentication.php index 116e0726..580c1e14 100644 --- a/app/Model/Authentication.php +++ b/app/Model/Authentication.php @@ -44,7 +44,10 @@ class Authentication extends Base if ($this->userSession->isLogged()) { // Check if the user session match an existing user - if (! $this->user->exists($this->userSession->getId())) { + $userNotFound = ! $this->user->exists($this->userSession->getId()); + $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username']; + + if ($userNotFound || $reverseProxyWrongUser) { $this->backend('rememberMe')->destroy($this->userSession->getId()); $this->session->close(); return false; |