Check for each request that reverse proxy user match user session

author: Frederic Guillot <fred@kanboard.net> 2015-10-24 09:30:27 -0400
committer: Frederic Guillot <fred@kanboard.net> 2015-10-24 09:30:27 -0400
commit: 9129a163377126d30b78ff39c94385f4245df7ae (patch)
tree: dfd62157b7bb6d6c0d25a1d883bc834165d32c9f /app/Model
parent: 9aca556fc6db6c23c4c95a0e30425fe966003f0e (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/app/Model/Authentication.php b/app/Model/Authentication.php
index 116e0726..580c1e14 100644
--- a/app/Model/Authentication.php
+++ b/app/Model/Authentication.php
@@ -44,7 +44,10 @@ class Authentication extends Base
         if ($this->userSession->isLogged()) {
 
             // Check if the user session match an existing user
-            if (! $this->user->exists($this->userSession->getId())) {
+            $userNotFound = ! $this->user->exists($this->userSession->getId());
+            $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username'];
+
+            if ($userNotFound || $reverseProxyWrongUser) {
                 $this->backend('rememberMe')->destroy($this->userSession->getId());
                 $this->session->close();
                 return false;
author	Frederic Guillot <fred@kanboard.net>	2015-10-24 09:30:27 -0400
committer	Frederic Guillot <fred@kanboard.net>	2015-10-24 09:30:27 -0400
commit	9129a163377126d30b78ff39c94385f4245df7ae (patch)
tree	dfd62157b7bb6d6c0d25a1d883bc834165d32c9f /app/Model
parent	9aca556fc6db6c23c4c95a0e30425fe966003f0e (diff)