diff options
| -rw-r--r-- | config.php-dist | 11 | ||||
| -rw-r--r-- | functions.php | 24 | ||||
| -rw-r--r-- | login_form.php | 4 |
3 files changed, 29 insertions, 10 deletions
diff --git a/config.php-dist b/config.php-dist index 7de32d512..c12e3ebee 100644 --- a/config.php-dist +++ b/config.php-dist @@ -128,10 +128,13 @@ // Limits the amount of feeds daemon (or a cronjob) updates on one run define('ALLOW_REMOTE_USER_AUTH', false); - // Set to 'true' if you trust your web server's REMOTE_USER - // environment variable to validate that the user is logged in. This - // option can be used to integrate tt-rss with Apache's external - // authentication modules. + // Set to 'true' if you trust your web server's REMOTE_USER or + // REDIRECT_SSL_CLIENT_S_DN_CN environment variables to validate + // that the user is logged in. This option can be used to integrate + // tt-rss with Apache's external authentication modules or SSL + // client certificate authentication. + // Please note that REMOTE_USER takes precedence over SSL certificate + // information. define('AUTO_LOGIN', false); // Set this to true if you use ALLOW_REMOTE_USER_AUTH and you want diff --git a/functions.php b/functions.php index 0dd7ca47b..ed4438367 100644 --- a/functions.php +++ b/functions.php @@ -1757,6 +1757,22 @@ return true; } + function get_remote_user() { + $remote_user = $_SERVER["REMOTE_USER"]; + + if (!$remote_user) + $remote_user = $_SERVER["REDIRECT_SSL_CLIENT_S_DN_CN"]; + + return db_escape_string($remote_user); + } + + function get_remote_fakepass() { + if (get_remote_user()) + return "******"; + else + return ""; + } + function authenticate_user($link, $login, $password, $force_auth = false) { if (!SINGLE_USER_MODE) { @@ -1766,9 +1782,9 @@ $login = db_escape_string($login); if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH - && $_SERVER["REMOTE_USER"] && $login != "admin") { + && get_remote_user() && $login != "admin") { - $login = db_escape_string($_SERVER["REMOTE_USER"]); + $login = db_escape_string(get_remote_user()); $query = "SELECT id,login,access_level,pwd_hash FROM ttrss_users WHERE @@ -1959,8 +1975,8 @@ if (!$_SESSION["uid"] || !validate_session($link)) { if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH - && $_SERVER["REMOTE_USER"] && defined('AUTO_LOGIN') && AUTO_LOGIN) { - authenticate_user($link,$_SERVER['REMOTE_USER'],null); + && get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) { + authenticate_user($link, get_remote_user(), null); $_SESSION["ref_schema_version"] = get_schema_version($link, true); } else { render_login_form($link, $mobile); diff --git a/login_form.php b/login_form.php index e7ec0a68b..1dbc00549 100644 --- a/login_form.php +++ b/login_form.php @@ -131,11 +131,11 @@ function validateLoginForm(f) { <tr><td align="right"><?php echo __("Login:") ?></td> <td align="right"><input name="login" onchange="fetchProfiles()" onfocus="fetchProfiles()" - value="<?php echo $_SERVER["REMOTE_USER"] ?>"></td></tr> + value="<?php echo get_remote_user() ?>"></td></tr> <tr><td align="right"><?php echo __("Password:") ?></td> <td align="right"><input type="password" name="password" onchange="fetchProfiles()" onfocus="fetchProfiles()" - value="<?php echo $_SERVER["REMOTE_USER"] ?>"></td></tr> + value="<?php echo get_remote_fakepass() ?>"></td></tr> <tr><td align="right"><?php echo __("Language:") ?></td> <td align="right"> <?php |