fix(BasicAuth): Fix bug where you could bypass BasicAuth if a page wa…

…s cached.
tractorcow · Dec 8, 2016 · 5d47e41 · 5d47e41
1 parent 21a9656
commit 5d47e41
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/code/DynamicCache.php b/code/DynamicCache.php
@@ -88,6 +88,23 @@ protected function enabled($url)
             return false;
         }
 
+        // If user failed BasicAuth, disable cache and fallback to PHP code
+        $basicAuthConfig = Config::inst()->forClass('BasicAuth');
+        if($basicAuthConfig->entire_site_protected) {
+            $member = null;
+            try {
+                $member = BasicAuth::requireLogin($basicAuthConfig->entire_site_protected_message, $basicAuthConfig->entire_site_protected_code, false);
+            } catch (SS_HTTPResponse_Exception $e) {
+                // This codepath means Member auth failed
+            } catch (Exception $e) {
+                // This means an issue occurred elsewhere
+                throw $e;
+            }
+            if (!$member instanceof Member) {
+                return false;
+            }
+        }
+
         // If displaying form errors then don't display cached result
         foreach (Session::get_all() as $field => $data) {
             // Check for session details in the form FormInfo.{$FormName}.errors/FormInfo.{$FormName}.formError