Merge pull request #34 in ZP/z-push from...

Merge pull request #34 in ZP/z-push from bugfix/ZP-672-options-without-authentication-info to develop

* commit '0db8a314':
  ZP-672 Always require Authentication header. Released under the Affero GNU General Public License (AGPL) version 3.
  ZP-672 Options without authentication info. Released under the Affero GNU General Public License (AGPL) version 3.

src/index.php

@@ -8,7 +8,7 @@
 *
 * Created   :   01.10.2007
 *
-* Copyright 2007 - 2013 Zarafa Deutschland GmbH
+* Copyright 2007 - 2015 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
@@ -147,9 +147,14 @@ include_once('version.php');
                                     @constant('ZPUSH_VERSION'), Request::GetMethod(), Request::GetRemoteAddr(),
                                     Request::GetCommand(), Request::GetGETUser(), Request::GetDeviceID(), Request::GetDeviceType()));
 
-        // Stop here if this is an OPTIONS request
-        if (Request::IsMethodOPTIONS())
+        // always request the authorization header
+        if (! Request::AuthenticationInfo())
+            throw new AuthenticationRequiredException("Access denied. Please send authorization header.");
+
+        // Stop here if this is an OPTIONS request - Auth information is available but not verified
+        if (Request::IsMethodOPTIONS()) {
             throw new NoPostRequestException("Options request", NoPostRequestException::OPTIONS_REQUEST);
+        }
 
         ZPush::CheckAdvancedConfig();
 
@@ -157,16 +162,12 @@ include_once('version.php');
         Request::ProcessHeaders();
 
         // Check required GET parameters
-        if(Request::IsMethodPOST() && (Request::GetCommandCode() === false || !Request::GetDeviceID() || !Request::GetDeviceType()))
+        if(Request::IsMethodPOST() && (Request::GetCommandCode() === false || !Request::GetDeviceID() || !Request::GetDeviceType() || !Request::GetGETUser()))
             throw new FatalException("Requested the Z-Push URL without the required GET parameters");
 
         // Load the backend
         $backend = ZPush::GetBackend();
 
-        // always request the authorization header
-        if (! Request::AuthenticationInfo() || !Request::GetGETUser())
-            throw new AuthenticationRequiredException("Access denied. Please send authorisation information");
-
         // check the provisioning information
         if (PROVISIONING === true && Request::IsMethodPOST() && ZPush::CommandNeedsProvisioning(Request::GetCommandCode()) &&
             ((Request::WasPolicyKeySent() && Request::GetPolicyKey() == 0) || ZPush::GetDeviceManager()->ProvisioningRequired(Request::GetPolicyKey())) &&