Fixed issue #6873: Administration login using one-time password not w…

…orking
LimeSurvey · Nov 15, 2012 · 3ec0a1f · 3ec0a1f
1 parent 67da66a
commit 3ec0a1f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/application/controllers/admin/authentication.php b/application/controllers/admin/authentication.php
@@ -37,9 +37,10 @@ public function index()
 
         if ($bCanLogin && !is_array($bCanLogin))
         {
-            if (Yii::app()->request->getPost('action'))
+            if (Yii::app()->request->getPost('action') ||  !is_null(Yii::app()->request->getQuery('onepass')))
             {
-                $aData = $this->_doLogin(Yii::app()->request->getPost('user'), Yii::app()->request->getPost('password'));
+
+                $aData = $this->_doLogin(Yii::app()->request->getParam('user'), Yii::app()->request->getPost('password'),Yii::app()->request->getQuery('onepass',''));
 
                 if (!isset($aData['errormsg']))
                 {
@@ -247,11 +248,11 @@ private function _doRedirect()
     * @param string $sPassword The password to login with
     * @return Array of data containing errors for the view
     */
-    private function _doLogin($sUsername, $sPassword)
+    private function _doLogin($sUsername, $sPassword, $sOneTimePassword)
     {
         $identity = new UserIdentity(sanitize_user($sUsername), $sPassword);
 
-        if (!$identity->authenticate())
+        if (!$identity->authenticate($sOneTimePassword))
         {
             return $this->_getAuthenticationFailedErrorMessage();
         }
@@ -324,7 +325,7 @@ private function _checkForUsageOfDefaultPassword()
     {
         $clang = $this->getController()->lang;
         Yii::app()->session['pw_notify'] = false;
-        if (strtolower($_POST['password']) === 'password')
+        if (strtolower(Yii::app()->request->getPost('password','') ) === 'password')
         {
             Yii::app()->session['pw_notify'] = true;
             Yii::app()->session['flashmessage'] = $clang->gT('Warning: You are still using the default password (\'password\'). Please change your password and re-login again.');

diff --git a/application/core/UserIdentity.php b/application/core/UserIdentity.php
@@ -17,14 +17,15 @@ class UserIdentity extends CUserIdentity
 {
     protected $id;
     protected $user;
+    protected $sOneTimePassword;
 
     /**
     * Checks whether this user has correctly entered password or not
     *
     * @access public
     * @return bool
     */
-    public function authenticate()
+    public function authenticate($sOneTimePassword='')
     {    
         if (Yii::app()->getConfig("auth_webserver")==false)
         {
@@ -41,11 +42,21 @@ public function authenticate()
                     $sStoredPassword=$user->password;
                 }
             }
-            if ($user === null)
+            else
             {
                 $this->errorCode = self::ERROR_USERNAME_INVALID;
+                return !$this->errorCode;
+            }
+
+            if ($sOneTimePassword!='' && Yii::app()->getConfig("use_one_time_passwords") && md5($sOneTimePassword)==$user->one_time_pw)
+            {
+                $user->one_time_pw='';
+                $user->save();
+                $this->id = $user->uid;
+                $this->user = $user;
+                $this->errorCode = self::ERROR_NONE;
             }
-            else if ($sStoredPassword !== hash('sha256', $this->password))
+            elseif ($sStoredPassword !== hash('sha256', $this->password))
             {
                 $this->errorCode = self::ERROR_PASSWORD_INVALID;
             }