From 47c936e02634a90e7fe5c2c65a330d6acc170a5a Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Sat, 3 Jul 2021 19:40:42 +0200
Subject: [PATCH] Reworked authentication related menu item handling (fixes #1462)
---
 app.php | 3 ---
 changelog/62_UNRELEASED_xxxx-xx-xx.md | 1 +
 middleware/ApiKeyAuthMiddleware.php | 5 -----
 middleware/LdapAuthMiddleware.php | 2 ++
 middleware/ReverseProxyAuthMiddleware.php | 7 ++-----
 middleware/SessionAuthMiddleware.php | 5 -----
 views/layout/default.blade.php | 11 +++++++++--
 views/userform.blade.php | 11 +++++++++++
 8 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/app.php b/app.php
index 5265112f..b6d36a2b 100644
--- a/app.php
+++ b/app.php
@@ -18,7 +18,6 @@ require_once __DIR__ . '/helpers/ConfigurationValidator.php';
 if ((GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease') && !defined('GROCY_USER_ID'))
 {
 define('GROCY_USER_ID', 1);
- define('GROCY_SHOW_AUTH_VIEWS', true);
 }

 // Definitions for disabled authentication mode
@@ -28,8 +27,6 @@ if (GROCY_DISABLE_AUTH === true)
 {
 define('GROCY_USER_ID', 1);
 }
-
- define('GROCY_SHOW_AUTH_VIEWS', false);
 }

 // Check if any invalid entries in config.php have been made
diff --git a/changelog/62_UNRELEASED_xxxx-xx-xx.md b/changelog/62_UNRELEASED_xxxx-xx-xx.md
index 323c0688..082ac1d1 100644
--- a/changelog/62_UNRELEASED_xxxx-xx-xx.md
+++ b/changelog/62_UNRELEASED_xxxx-xx-xx.md
@@ -68,6 +68,7 @@
 - The camera barcode scanner now also supports Code 39 barcodes (used for example in Germany on pharma products (PZN)) (thanks @andreheuer)
 - Fixed that the number picker up/down buttons did not work when the input field was empty or contained an invalid number
 - Fixed that links and embeds (e.g. YouTube videos) did not work in the text editor
+- Fixed that the "Manage users" and "Manage API keys" menu was not shown when using reverse proxy authentication

 ### API improvements/fixes
 - Added a new API endpoint `/system/localization-strings` to get the localization strings (gettext JSON representation; in the by the user desired language)
diff --git a/middleware/ApiKeyAuthMiddleware.php b/middleware/ApiKeyAuthMiddleware.php
index d61044ad..ea65025d 100644
--- a/middleware/ApiKeyAuthMiddleware.php
+++ b/middleware/ApiKeyAuthMiddleware.php
@@ -19,11 +19,6 @@ class ApiKeyAuthMiddleware extends AuthMiddleware

 public function authenticate(Request $request)
 {
- if (!defined('GROCY_SHOW_AUTH_VIEWS'))
- {
- define('GROCY_SHOW_AUTH_VIEWS', true);
- }
-
 $routeContext = RouteContext::fromRequest($request);
 $route = $routeContext->getRoute();
 $routeName = $route->getName();
diff --git a/middleware/LdapAuthMiddleware.php b/middleware/LdapAuthMiddleware.php
index 0e401d54..43a8bfe6 100644
--- a/middleware/LdapAuthMiddleware.php
+++ b/middleware/LdapAuthMiddleware.php
@@ -11,6 +11,8 @@ class LdapAuthMiddleware extends AuthMiddleware
 {
 public function authenticate(Request $request)
 {
+ define('GROCY_EXTERNALLY_MANAGED_AUTHENTICATION', true);
+
 // TODO: Reuse DefaultAuthMiddleware->authenticate somehow

 // First try to authenticate by API key
diff --git a/middleware/ReverseProxyAuthMiddleware.php b/middleware/ReverseProxyAuthMiddleware.php
index 2135fe4e..907c0ba5 100644
--- a/middleware/ReverseProxyAuthMiddleware.php
+++ b/middleware/ReverseProxyAuthMiddleware.php
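Review bot: The added `define('GROCY_EXTERNALLY_MANAGED_AUTHENTICATION', true);` at the top of `LdapAuthMiddleware::authenticate()` is unguarded, whereas the `GROCY_SHOW_AUTH_VIEWS` definitions this commit removes from the middleware classes were wrapped in `if (!defined(...))`. `define()` on an already-defined constant raises a warning (a notice before PHP 8), so if `authenticate()` can run more than once per request, which this hunk does not show, error output could end up in responses or logs. The same unguarded line is added in `ReverseProxyAuthMiddleware::authenticate()`. I would write `defined('GROCY_EXTERNALLY_MANAGED_AUTHENTICATION') || define('GROCY_EXTERNALLY_MANAGED_AUTHENTICATION', true);` in both places. The method body continues outside the hunk.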
@@ -10,12 +10,9 @@ class ReverseProxyAuthMiddleware extends AuthMiddleware
 {
 public function authenticate(Request $request)
 {
- $db = DatabaseService::getInstance()->GetDbConnection();
+ define('GROCY_EXTERNALLY_MANAGED_AUTHENTICATION', true);

- if (!defined('GROCY_SHOW_AUTH_VIEWS'))
- {
- define('GROCY_SHOW_AUTH_VIEWS', false);
- }
+ $db = DatabaseService::getInstance()->GetDbConnection();

 // API key authentication is also ok
 $auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory);
diff --git a/middleware/SessionAuthMiddleware.php b/middleware/SessionAuthMiddleware.php
index 1b4eca5c..0b32bc54 100644
--- a/middleware/SessionAuthMiddleware.php
+++ b/middleware/SessionAuthMiddleware.php
@@ -15,11 +15,6 @@ class SessionAuthMiddleware extends AuthMiddleware

 public function authenticate(Request $request)
 {
- if (!defined('GROCY_SHOW_AUTH_VIEWS'))
- {
- define('GROCY_SHOW_AUTH_VIEWS', true);
- }
-
 $sessionService = SessionService::getInstance();

 if (!isset($_COOKIE[SessionService::SESSION_COOKIE_NAME]) || !$sessionService->IsValidSession($_COOKIE[SessionService::SESSION_COOKIE_NAME]))
diff --git a/views/layout/default.blade.php b/views/layout/default.blade.php
index a7be1059..0ee3a4c5 100644
--- a/views/layout/default.blade.php
+++ b/views/layout/default.blade.php
@@ -466,7 +466,7 @@
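Review bot: `GROCY_EXTERNALLY_MANAGED_AUTHENTICATION` is defined at the top of `ReverseProxyAuthMiddleware::authenticate()` with no comment saying what it controls, and it replaces a `GROCY_SHOW_AUTH_VIEWS` value of `false` that kept the auth-related views hidden in this mode. Per the changelog entry, "Manage users" and "Manage API keys" are now shown under reverse proxy authentication, so access to those pages has to rest on server-side permission checks; these are not visible in this diff and should be confirmed. I would add a comment above the define such as `// UI flag only (an external system manages credentials); not an access-control check`. The body of `authenticate()` continues outside the hunk.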