Ajax login will fail for banned users on non-english #6587

Closed
jdarwood007 opened this issue Mar 18, 2021 · 2 comments · Fixed by #6589


@jdarwood007
Member

Description

In index.template.php we have this:

				<li>', sprintf($txt[$context['can_register'] ? 'welcome_guest_register' : 'welcome_guest'], $context['forum_name_html_safe'], $scripturl . '?action=login', 'return reqOverlayDiv(this.href, ' . JavaScriptEscape($txt['login']) . ');', $scripturl . '?action=signup'), '</li>

The second parameter of reqOverlayDiv is $txt['login'].
This is set in the index.language.php

$txt['login'] = 'Login';

In script.js we define the parameters:

// Open a overlay div
function reqOverlayDiv(desktopURL, sHeader, sIcon)

And finally when we receive an error 500, we throw an error that they are banned if it's from the login page.

		statusCode: {
			500: function() {
				if (sHeader == 'Login')
					oPopup_body.html(banned_text);
				else
					oPopup_body.html('500 Internal Server Error');
			}
		}

But we are depending on sHeader, which is a text string. So in non-English forums, this will never trigger the banned message, but only the internal error message.

Steps to reproduce

  1. Change $txt['login'] to anything else.
  2. Ban the member
  3. Try to login

Environment (complete as necessary)

  • Version/Git revision: latest at time of report
  • Database Type: n/a
  • Database Version: n/a
  • PHP Version: n/a

Additional information/references

Tagging this for final, it doesn't need to resolve for RC4 but could.

@live627
Contributor

live627 commented Mar 18, 2021

imo this should be handled by the server and should throw a 403, not a 500.

@jdarwood007
Member Author

Agreed on that as well.

BrickOzp pushed a commit to BrickOzp/SMF2.1 that referenced this issue Mar 19, 2021
Use HTTP error code 403 (Forbidden) instead of 500
when a banned user tries to login.
This will also avoid using a language string to
differ between banned users and other errors.

Fixes SimpleMachines#6587

Signed-off-by: Oscar Rydhé <oscar.rydhe@gmail.com>
@live627 live627 modified the milestones: Final, RC4 Mar 21, 2021
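
The behaviour reported above next to the status-code approach proposed in the thread, as an added example that is not SMF's code or the merged fix. `sHeader` and `banned_text` mirror names from the issue; all other names, the sample strings and the `dispatch` stand-in for jQuery's `statusCode` handling are assumptions made for illustration.

```javascript
// Added example. banned_text and sHeader mirror names in the issue; every other
// name and all sample strings are constructed for illustration.
const banned_text = 'Sorry, you are banned from using this forum!';

// Before: the handler from the issue. It infers "banned" from the popup title,
// which is the localized $txt['login'] string.
function legacyStatusCode(sHeader, setBody) {
	return {
		500: function () {
			if (sHeader == 'Login')
				setBody(banned_text);
			else
				setBody('500 Internal Server Error');
		}
	};
}

// After: assumes the server answers a banned login with 403, as proposed in
// the thread. The decision depends only on the status code.
function fixedStatusCode(setBody) {
	return {
		403: function () { setBody(banned_text); },
		500: function () { setBody('500 Internal Server Error'); }
	};
}

// Minimal stand-in for how jQuery.ajax dispatches its statusCode map.
function dispatch(statusCode, status) {
	if (Object.prototype.hasOwnProperty.call(statusCode, status))
		statusCode[status]();
}

// Returns the popup body a banned user sees for a given localized login title.
function bannedPopup(loginTitle, useFix) {
	let body = null;
	const setBody = function (html) { body = html; };
	if (useFix)
		dispatch(fixedStatusCode(setBody), 403);
	else
		dispatch(legacyStatusCode(loginTitle, setBody), 500);
	return body;
}

// Constructed titles: English, German, French.
for (const title of ['Login', 'Anmelden', 'Connexion'])
	console.log(title, '|', bannedPopup(title, false), '|', bannedPopup(title, true));
```

With the legacy handler only the English title yields the ban notice; with the status-keyed handler every locale does, and a 500 is left to mean an actual server fault.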