From 9129a163377126d30b78ff39c94385f4245df7ae Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sat, 24 Oct 2015 09:30:27 -0400
Subject: Check for each request that reverse proxy user match user session
---
 app/Model/Authentication.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'app/Model')
diff --git a/app/Model/Authentication.php b/app/Model/Authentication.php
index 116e0726..580c1e14 100644
--- a/app/Model/Authentication.php
+++ b/app/Model/Authentication.php
@@ -44,7 +44,10 @@ class Authentication extends Base
 if ($this->userSession->isLogged()) {
 // Check if the user session match an existing user
- if (! $this->user->exists($this->userSession->getId())) {
+ $userNotFound = ! $this->user->exists($this->userSession->getId());
+ $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username'];
+
+ if ($userNotFound || $reverseProxyWrongUser) {
 $this->backend('rememberMe')->destroy($this->userSession->getId());
 $this->session->close();
 return false;
--
cgit v1.2.3
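Review bot: The new `$reverseProxyWrongUser` comparison reads `$_SESSION['user']['username']` directly and without a guard, so if that key is absent and `getUsername()` also yields null for a missing proxy header (its body is not visible here), `null !== null` is false and the session is accepted. Treating an empty or missing value on either side as a mismatch makes the check fail closed: `$proxyUser = $this->backend('reverseProxy')->getUsername();` followed by `$reverseProxyWrongUser = REVERSE_PROXY_AUTH && (! is_string($proxyUser) || $proxyUser === '' || ! isset($_SESSION['user']['username']) || $proxyUser !== $_SESSION['user']['username']);`. The comparison is also case-sensitive, so it is worth confirming that the username stored at login has the same form the proxy sends on each request; otherwise valid users would be logged out on every request. The enclosing method starts and ends outside the hunk.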