From 9129a163377126d30b78ff39c94385f4245df7ae Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sat, 24 Oct 2015 09:30:27 -0400
Subject: Check for each request that reverse proxy user match user session

---
 app/Auth/ReverseProxy.php    | 11 +++++++++++
 app/Model/Authentication.php |  5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/Auth/ReverseProxy.php b/app/Auth/ReverseProxy.php
index abcdd449..1910ad35 100644
--- a/app/Auth/ReverseProxy.php
+++ b/app/Auth/ReverseProxy.php
@@ -20,6 +20,17 @@ class ReverseProxy extends Base
      */
     const AUTH_NAME = 'ReverseProxy';
 
+    /**
+     * Get username from the reverse proxy
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return isset($_SERVER[REVERSE_PROXY_USER_HEADER]) ? $_SERVER[REVERSE_PROXY_USER_HEADER] : '';
+    }
+
     /**
      * Authenticate the user with the HTTP header
      *
diff --git a/app/Model/Authentication.php b/app/Model/Authentication.php
index 116e0726..580c1e14 100644
--- a/app/Model/Authentication.php
+++ b/app/Model/Authentication.php
@@ -44,7 +44,10 @@ class Authentication extends Base
         if ($this->userSession->isLogged()) {
 
             // Check if the user session match an existing user
-            if (! $this->user->exists($this->userSession->getId())) {
+            $userNotFound = ! $this->user->exists($this->userSession->getId());
+            $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username'];
+
+            if ($userNotFound || $reverseProxyWrongUser) {
                 $this->backend('rememberMe')->destroy($this->userSession->getId());
                 $this->session->close();
                 return false;
-- 
cgit v1.2.3