FIX check current user permissions before basic auth silverstripe#116

signify-nz · Jan 14, 2025 · b6788a4 · b6788a4
1 parent 092d296
commit b6788a4
Showing 1 changed file with 22 additions and 20 deletions.
diff --git a/src/EnvironmentChecker.php b/src/EnvironmentChecker.php
@@ -104,28 +104,30 @@ public function __construct($checkSuiteName, $title)
      */
     public function init($permission = 'ADMIN')
     {
-        // if the environment supports it, provide a basic auth challenge and see if it matches configured credentials
-        if (Environment::getEnv('ENVCHECK_BASICAUTH_USERNAME')
-            && Environment::getEnv('ENVCHECK_BASICAUTH_PASSWORD')
-        ) {
-            // Check that details are both provided, and match
-            $request = Controller::curr()->request;
-            if (empty($request->getHeader('PHP_AUTH_USER')) || empty($request->getHeader('PHP_AUTH_PW'))
-                || $request->getHeader('PHP_AUTH_USER') != Environment::getEnv('ENVCHECK_BASICAUTH_USERNAME')
-                || $request->getHeader('PHP_AUTH_PW') != Environment::getEnv('ENVCHECK_BASICAUTH_PASSWORD')
+        if (!$this->canAccess(null, $permission)) {
+            // if the environment supports it, provide a basic auth challenge and see if it matches configured credentials
+            if (Environment::getEnv('ENVCHECK_BASICAUTH_USERNAME')
+                && Environment::getEnv('ENVCHECK_BASICAUTH_PASSWORD')
             ) {
-                // Fail check with basic auth challenge
-                $response = new HTTPResponse(null, 401);
-                $response->addHeader('WWW-Authenticate', "Basic realm=\"Environment check\"");
-                throw new HTTPResponse_Exception($response);
+                // Check that details are both provided, and match
+                $request = Controller::curr()->request;
+                if (empty($request->getHeader('PHP_AUTH_USER')) || empty($request->getHeader('PHP_AUTH_PW'))
+                    || $request->getHeader('PHP_AUTH_USER') != Environment::getEnv('ENVCHECK_BASICAUTH_USERNAME')
+                    || $request->getHeader('PHP_AUTH_PW') != Environment::getEnv('ENVCHECK_BASICAUTH_PASSWORD')
+                ) {
+                    // Fail check with basic auth challenge
+                    $response = new HTTPResponse(null, 401);
+                    $response->addHeader('WWW-Authenticate', "Basic realm=\"Environment check\"");
+                    throw new HTTPResponse_Exception($response);
+                }
+            } else {
+                // Fail check with silverstripe login challenge
+                $result = Security::permissionFailure(
+                    $this,
+                    "You must have the {$permission} permission to access this check"
+                );
+                throw new HTTPResponse_Exception($result);
             }
-        } elseif (!$this->canAccess(null, $permission)) {
-            // Fail check with silverstripe login challenge
-            $result = Security::permissionFailure(
-                $this,
-                "You must have the {$permission} permission to access this check"
-            );
-            throw new HTTPResponse_Exception($result);
         }
     }