diff --git a/.env b/.env index 971e669..5dc578c 100644 --- a/.env +++ b/.env @@ -37,6 +37,9 @@ MAILER_DSN=smtp://localhost:465?encryption=ssl&auth_mode=login&username=&passwor # The admin password for the backend ADMIN_LOGIN=admin ADMIN_PASSWORD=test +# You can bypass auth entirely by setting this to "true" (case sensitive). +# Useful if you use an external authorization provider such as Authelia +ADMIN_AUTH_BYPASS=false # Auth Realm for HTTP auth AUTH_REALM=SabreDAV diff --git a/README.md b/README.md index f7c214d..c8772e8 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,10 @@ ADMIN_LOGIN=admin ADMIN_PASSWORD=test ``` +> [!NOTE] +> +> You can bypass auth entirely if you use a third party authorization provider such as Authelia. In that case, set the `ADMIN_AUTH_BYPASS` env var to `true` (case-sensitive, this is actually the string `true`, not a boolean) to allow full access to the dashboard. This does not change the behaviour of the DAV server. + c. The auth Realm and method for HTTP auth ``` diff --git a/config/packages/security.yaml b/config/packages/security.yaml index 0dba3df..d26ee7a 100644 --- a/config/packages/security.yaml +++ b/config/packages/security.yaml 
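Review bot: The comment added above `ADMIN_AUTH_BYPASS` in the `.env` hunk omits the setting's precondition. As the `allow_if` rules in `config/packages/security.yaml` are written, the value `true` serves the admin pages to any client that can reach the application without passing through the external provider. The README note added in this commit has the same gap. I would add a line such as `# Only enable this when the app is reachable exclusively through the authenticating proxy; any direct access is unauthenticated.` to the `.env` comment and the matching sentence to the README note.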
@@ -20,7 +20,7 @@ security: access_control: - { path: ^/$, roles: PUBLIC_ACCESS } - { path: ^/dav, roles: PUBLIC_ACCESS } - - { path: ^/dashboard, roles: ROLE_ADMIN } - - { path: ^/users, roles: ROLE_ADMIN } - - { path: ^/calendars, roles: ROLE_ADMIN } - - { path: ^/adressbooks, roles: ROLE_ADMIN } + - { path: ^/dashboard, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" } + - { path: ^/users, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" } + - { path: ^/calendars, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" } + - { path: ^/adressbooks, roles: ROLE_ADMIN, allow_if: "'%env(default:default_admin_auth_bypass:ADMIN_AUTH_BYPASS)%' === 'true'" } diff --git a/config/services.yaml b/config/services.yaml index fbe5695..5f0d79f 100644 --- a/config/services.yaml +++ b/config/services.yaml @@ -5,6 +5,7 @@ # https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration parameters: default_database_driver: "mysql" + default_admin_auth_bypass: "false" timezone: '%env(APP_TIMEZONE)%' services: diff --git a/tests/Functional/DashboardTest.php b/tests/Functional/DashboardTest.php index 39a2b87..dc467a9 100644 --- a/tests/Functional/DashboardTest.php +++ b/tests/Functional/DashboardTest.php @@ -51,7 +51,7 @@ public function testLoginIncorrectUsername(): void $crawler = $client->followRedirect(); $this->assertResponseIsSuccessful(); - $this->assertSelectorTextContains('div.alert.alert-danger', 'Username could not be found.'); + $this->assertSelectorTextContains('div.alert.alert-danger', 'Invalid credentials.'); } public function testLoginIncorrectPassword(): void diff --git a/translations/security.en.xlf b/translations/security.en.xlf index 9e71298..239df03 100644 --- a/translations/security.en.xlf +++ b/translations/security.en.xlf 
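Review bot: The `allow_if` expression added to the four `ROLE_ADMIN` rules in `access_control` tests only the environment variable, so once it is `true` nothing ties a request to the external provider, such as a check of the client address or of a header the proxy sets. `roles` and `allow_if` are OR-ed under Symfony's default affirmative strategy, which is presumably the intent, but that dependency deserves a comment above the rules: `# roles and allow_if are OR-ed (affirmative strategy): ADMIN_AUTH_BYPASS=true opens these paths to every request`. The identical expression is also repeated four times. A single rule with `path: '^/(dashboard|users|calendars|adressbooks)'` would keep the bypass condition in one place and stop a later edit from changing only some of the copies.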
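Review bot: Nothing in the `tests/Functional/DashboardTest.php` hunk exercises the new `ADMIN_AUTH_BYPASS` switch; the only change is the expected message in `testLoginIncorrectUsername`. The fail-closed cases matter most: with the variable unset, or set to a near miss such as `True` or `1`, an anonymous `$client->request('GET', '/dashboard');` should still be refused (presumably redirected to the login form, so `$this->assertResponseRedirects();`). A companion case with the value `true` would pin the intended open behaviour. The rest of the test class lies outside the hunk, so it may cover this already, but this commit adds no such test.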
@@ -47,7 +47,7 @@ Username could not be found. - Username could not be found. + Invalid credentials. Account has expired.