Turning on Basic Auth credentials prevents authorised users from accessing /dev/check

[sig-peggy]

Module version(s) affected

3.0.2

Description

The order of logic used in EnvironmentChecker::init() means that if the BasicAuth environment variables are set then that is the only authentication that is checked when accessing /dev/check and therefore admin users who should have access to the page can't view it unless they also know the Basic Auth username/password.

Expected behaviour: Logged in users with sufficient permissions should be able to see the /dev/check page without triggering Basic Auth regardless whether the Basic Auth option is turned on or not.

How to reproduce

1. install the module
2. Add the 'ENVCHECK_BASICAUTH_USERNAME' and 'ENVCHECK_BASICAUTH_PASSWORD' environment variables as per documentation
3. (At this point in time) Add work arounds for other open issues with Basic Auth - Issues when using HTTP BASIC Auth on EnvironmentChecker.php #73 and Using basic auth credentials to access /dev/check still triggers the site login #92
4. Log in as an admin user via the normal /Security/login system
5. Go to /dev/check - this will trigger the Basic Auth authentication which only works with the environment variable username/password and not with actual user information.

Possible Solution

Change the order in which the permission checks are happening. Instead of current order

if (EnvironmentVariables) {
    check BasicAuth 
} elseif (!canAccess) {
    throw error
}

check first that the current user does not have access to the page with e.g.

if (!canAccess) {
    if (EnvironmentVariables) {
        check BasicAuth 
   } else { 
        throw Error 
    }
}

Additional Context

No response

Validations

• Check that there isn't already an issue that reports the same bug
• Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)

PRs

• FIX Allow logged in user with permissions to bypass basic auth #119