From 3ec0a1fd2c1d9ee1c0e3ebac93ac89a48f6d9d73 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Thu, 15 Nov 2012 20:06:31 +0100
Subject: [PATCH] Fixed issue #6873: Administration login using one-time password not working

---
 .../controllers/admin/authentication.php | 11 ++++++-----
 application/core/UserIdentity.php | 17 ++++++++++++++---
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/application/controllers/admin/authentication.php b/application/controllers/admin/authentication.php
index cf8b670d392..424e5435f07 100644
--- a/application/controllers/admin/authentication.php
+++ b/application/controllers/admin/authentication.php
@@ -37,9 +37,10 @@ public function index()
         if ($bCanLogin && !is_array($bCanLogin))
         {
-            if (Yii::app()->request->getPost('action'))
+            if (Yii::app()->request->getPost('action') || !is_null(Yii::app()->request->getQuery('onepass')))
             {
-                $aData = $this->_doLogin(Yii::app()->request->getPost('user'), Yii::app()->request->getPost('password'));
+
+                $aData = $this->_doLogin(Yii::app()->request->getParam('user'), Yii::app()->request->getPost('password'),Yii::app()->request->getQuery('onepass',''));
                 if (!isset($aData['errormsg']))
                 {
@@ -247,11 +248,11 @@ private function _doRedirect()
      * @param string $sPassword The password to login with
      * @return Array of data containing errors for the view
      */
-    private function _doLogin($sUsername, $sPassword)
+    private function _doLogin($sUsername, $sPassword, $sOneTimePassword)
     {
         $identity = new UserIdentity(sanitize_user($sUsername), $sPassword);
-        if (!$identity->authenticate())
+        if (!$identity->authenticate($sOneTimePassword))
         {
             return $this->_getAuthenticationFailedErrorMessage();
         }
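Review bot: The `onepass` branch takes the one-time password from the query string (`getQuery('onepass','')`), so the secret is written to web-server access logs and browser history and travels in the Referer header of whatever the admin UI requests after the redirect; if the link form is a requirement of the feature, say so in a comment above the condition and make sure the token is invalidated on first use (that logic lives in UserIdentity.php, not here). The guard `!is_null(Yii::app()->request->getQuery('onepass'))` also fires for an empty `?onepass=`, which then runs `_doLogin` with an empty token and whatever `getPost('password')` yields on a GET (null); `Yii::app()->request->getQuery('onepass','') !== ''` would skip that pointless attempt. The body of `index()` continues outside the hunk.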
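Review bot: The docblock above `_doLogin` still lists only `$sUsername` and `$sPassword`; the new parameter needs its own line, e.g. `* @param string $sOneTimePassword One-time password taken from the onepass query parameter; '' when none was supplied`. Because the new parameter has no default value, any other caller of `_doLogin` that still passes two arguments would now trigger a missing-argument warning — none is visible in this hunk, so it is worth a grep across the controller before merging. The rest of `_doLogin` lies outside the hunk.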
@@ -324,7 +325,7 @@ private function _checkForUsageOfDefaultPassword()
     {
         $clang = $this->getController()->lang;
         Yii::app()->session['pw_notify'] = false;
-        if (strtolower($_POST['password']) === 'password')
+        if (strtolower(Yii::app()->request->getPost('password','') ) === 'password')
         {
             Yii::app()->session['pw_notify'] = true;
             Yii::app()->session['flashmessage'] = $clang->gT('Warning: You are still using the default password (\'password\'). Please change your password and re-login again.');
diff --git a/application/core/UserIdentity.php b/application/core/UserIdentity.php
index e6bd2657fb9..4155650f1e9 100644
--- a/application/core/UserIdentity.php
+++ b/application/core/UserIdentity.php
@@ -17,6 +17,7 @@ class UserIdentity extends CUserIdentity
 {
     protected $id;
     protected $user;
+    protected $sOneTimePassword;
     /**
      * Checks whether this user has correctly entered password or not
@@ -24,7 +25,7 @@ class UserIdentity extends CUserIdentity
      * @access public
      * @return bool
      */
-    public function authenticate()
+    public function authenticate($sOneTimePassword='')
     {
         if (Yii::app()->getConfig("auth_webserver")==false)
         {
@@ -41,11 +42,21 @@ public function authenticate()
                 $sStoredPassword=$user->password;
             }
         }
-        if ($user === null)
+        else
         {
             $this->errorCode = self::ERROR_USERNAME_INVALID;
+            return !$this->errorCode;
+        }
+
+        if ($sOneTimePassword!='' && Yii::app()->getConfig("use_one_time_passwords") && md5($sOneTimePassword)==$user->one_time_pw)
+        {
+            $user->one_time_pw='';
+            $user->save();
+            $this->id = $user->uid;
+            $this->user = $user;
+            $this->errorCode = self::ERROR_NONE;
         }
-        else if ($sStoredPassword !== hash('sha256', $this->password))
+        elseif ($sStoredPassword !== hash('sha256', $this->password))
         {
             $this->errorCode = self::ERROR_PASSWORD_INVALID;
         }
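Review bot: The new property `protected $sOneTimePassword;` is never assigned or read anywhere in this commit — `authenticate()` receives the token as a parameter and uses it directly — so it is dead state on the identity object; either drop the declaration or have `authenticate()` store its argument there so the two agree. The class body continues outside the hunk.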
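Review bot: `authenticate()` gains an optional `$sOneTimePassword` argument, but the docblock directly above still carries only `@access` and `@return`; add `* @param string $sOneTimePassword Optional one-time password; when non-empty and one-time passwords are enabled it is checked before the regular password` so callers know the empty-string default means "not supplied". The method body continues past the hunk.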
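Review bot: `md5($sOneTimePassword)==$user->one_time_pw` compares with loose `==`, so two hex digests that both have the form `0e<digits>` are treated as equal numeric strings, and the comparison is not constant-time; use `hash_equals(md5($sOneTimePassword), (string) $user->one_time_pw)` (needs PHP 5.6; `===` is the minimum if that is not available). The return value of `$user->save()` is ignored, so if clearing `one_time_pw` fails the login still succeeds and the same token can be replayed — check it and fall through to a failed authentication when it is false. Nothing in the hunk ties the token to an expiry, so as far as this code shows it stays valid until first use; worth confirming that a timestamp is enforced where the token is issued. `authenticate()` continues outside the hunk.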