From b91a435ed4c2fc42d42d28e4cfc1c638c5500867 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 17 Dec 2014 20:12:14 +0100
Subject: [PATCH 1/3] Move basic auth login out of `isLoggedIn`

Potentially fixes https://github.com/owncloud/core/issues/12915 and opens the door for potential other bugs...
Please test very carefully, this includes:
- Testing from OCS via cURL (as in #12915)
- Testing from OCS via browser (Open the "Von Dir geteilt" shares overview)
- WebDAV
- CalDAV
- CardDAV
---
 lib/base.php | 1 +
 lib/private/user.php | 14 +++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/base.php b/lib/base.php
index 1dd259b091..50b64c25cc 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -760,6 +760,7 @@ class OC {
 // Load minimum set of apps
 if (!self::checkUpgrade(false)) {
 // For logged-in users: Load everything
+ \OC_User::tryBasicAuthLogin();
 if(OC_User::isLoggedIn()) {
 OC_App::loadApps();
 } else {
diff --git a/lib/private/user.php b/lib/private/user.php
index ff45e9e26a..9a2ea3ef74 100644
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -319,6 +319,15 @@ class OC_User {
 self::getUserSession()->logout();
 }

+ /**
+ * Tries to login the user with HTTP Basic Authentication
+ */
+ public static function tryBasicAuthLogin() {
+ if(!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) {
+ \OC_User::login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+ }
+ }
+
 /**
 * Check if the user is logged in, considers also the HTTP basic credentials
 * @return bool
@@ -328,11 +337,6 @@ class OC_User {
 return self::userExists(\OC::$server->getSession()->get('user_id'));
 }

- // Check whether the user has authenticated using Basic Authentication
- if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
- return \OC_User::login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
- }
-
 return false;
 }

From a02b00445ef4dfd279ee760fdcb175de1bb48024 Mon Sep 17 00:00:00 2001
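Review bot: The guard in the new `tryBasicAuthLogin()` tests `$_SERVER['PHP_AUTH_USER']` twice and never looks at `PHP_AUTH_PW`, so a request carrying only a username reaches `login()` with an undefined index (a notice plus a null password); the second operand should read `!empty($_SERVER['PHP_AUTH_PW'])`, or the pair of `isset()` checks that the second hunk of this file removes from `isLoggedIn()` if an empty password must still be handed to the backends. The boolean returned by `login()` is discarded, so a rejected Basic attempt is indistinguishable from no header for the caller and for any logging around it; keeping it as `return \OC_User::login($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);` with a `@return bool` tag costs nothing. Note also that `!empty()` treats the string `"0"` as absent, which the replaced `isset()` did not, so a user literally named `0` can no longer authenticate this way. The trailing context still documents `isLoggedIn()` as "considers also the HTTP basic credentials", which stops being true once the second hunk lands; that clause should go and the docblock should point callers at `tryBasicAuthLogin()`.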
From: Lukas Reschke
Date: Wed, 17 Dec 2014 20:22:51 +0100
Subject: [PATCH 2/3] Store result of authentication

---
 lib/private/api.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/private/api.php b/lib/private/api.php
index 66b763fdc3..35a09c5cd1 100644
--- a/lib/private/api.php
+++ b/lib/private/api.php
@@ -47,6 +47,7 @@ class OC_API {
 */
 protected static $actions = array();
 private static $logoutRequired = false;
+ private static $isLoggedIn = false;

 /**
 * registers an api call
@@ -269,7 +270,10 @@ class OC_API {
 * http basic auth
 * @return string|false (username, or false on failure)
 */
- private static function loginUser(){
+ private static function loginUser() {
+ if(self::$isLoggedIn === true) {
+ return \OC_User::getUser();
+ }
 // reuse existing login
 $loggedIn = OC_User::isLoggedIn();
@@ -279,6 +283,7 @@ class OC_API {
 // initialize the user's filesystem
 \OC_Util::setUpFS(\OC_User::getUser());
+ self::$isLoggedIn = true;
 return OC_User::getUser();
 }
@@ -296,6 +301,7 @@ class OC_API {
 // initialize the user's filesystem
 \OC_Util::setUpFS(\OC_User::getUser());
+ self::$isLoggedIn = true;
 return $authUser;
 }
From 058324b80e18474e0b3bd55ce9be8410209da1d2 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 17 Dec 2014 21:42:07 +0100
Subject: [PATCH 3/3] Check basic auth header only for not-logged-in users

---
 lib/base.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/base.php b/lib/base.php
index 50b64c25cc..ae87ecff39 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -760,13 +760,13 @@ class OC {
 // Load minimum set of apps
 if (!self::checkUpgrade(false)) {
 // For logged-in users: Load everything
- \OC_User::tryBasicAuthLogin();
 if(OC_User::isLoggedIn()) {
 OC_App::loadApps();
 } else {
 // For guests: Load only authentication, filesystem and logging
 OC_App::loadApps(array('authentication'));
 OC_App::loadApps(array('filesystem', 'logging'));
+ \OC_User::tryBasicAuthLogin();
 }
 }
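Review bot: The early return added at the top of `loginUser()` trusts the static `$isLoggedIn` flag for the rest of the process, but nothing in this patch ever clears it, so after `OC_User::logout()` or any session invalidation later in the same request (or across tests in one PHPUnit process, where class statics persist) the method keeps answering with `\OC_User::getUser()` without re-running the session check that the lines below it perform. A reset path is needed, e.g. a small `self::$isLoggedIn = false;` wherever this class logs the user out, and the declaration in the first hunk of this file should carry a docblock such as `/** @var bool Set once loginUser() has authenticated the request and set up the filesystem; avoids a second Basic Auth round-trip */`. The two assignments `self::$isLoggedIn = true;` in the third and fourth hunks are placed after `setUpFS()`, which is the right point to mark success; a one-line comment on the early return would make that contract visible to the next reader. The body of `loginUser()` continues past the end of this hunk.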
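Review bot: After this move, a request authenticated through `tryBasicAuthLogin()` is handled entirely inside the guest branch, so a successful Basic login leaves the block with only the `authentication`, `filesystem` and `logging` apps loaded; the full `OC_App::loadApps()` that a session-authenticated user receives on the line above is never reached for it. If the OCS, WebDAV and CalDAV entry points named in the first commit message depend on routes or hooks registered by `loadApps()` (not visible here), they will now see a logged-in user whose apps were never loaded, which is easy to miss because the login itself succeeds. The guest branch could end with `\OC_User::tryBasicAuthLogin(); if (OC_User::isLoggedIn()) { OC_App::loadApps(); }` so both authentication paths converge on the same app set. The enclosing `if (!self::checkUpgrade(false))` closes inside the hunk, but the method that contains it starts outside it.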