
added output to determine if username or password was incorrect during login attempt
1 parent 665b488 commit e7acc6171d32d611fd4bf0e8ffae1e52a1ea8466 Henry Singeton committed Jul 27, 2009
Showing with 19 additions and 0 deletions.
  1. +19 −0 extension.driver.php
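--- a/extension.driver.php
+++ b/extension.driver.php
@@ -495,6 +495,7 @@ public function actionLogin($parent, $values) {
 $fields = array();
 $section = $this->section;
 $where = $joins = $group = null;
+ $name_where = $name_joins = $name_group = null;
 $result = new XMLElement('section');
 $result->setAttribute('handle', $this->handle);
@@ -516,6 +517,12 @@ public function actionLogin($parent, $values) {
 $field->buildDSRetrivalSQL($value, $joins, $where);
 if (!$group) $group = $field->requiresSQLGrouping();
+
+ //Build SQL for determining of the username or the password was incorrrect. Only executed if login fails
+ if ($field instanceof FieldMemberName) {
+ $field->buildDSRetrivalSQL($value, $name_joins, $name_where);
+ if (!$name_group) $name_group = $field->requiresSQLGrouping();
+ }
 }
 }
 }
@@ -530,6 +537,18 @@ public function actionLogin($parent, $values) {
 if (!$entry = @current($entries)) {
 $result->setAttribute('status', 'failed');
+ //determine reason for login failure. This should not normally be shown to the user as it can lead to account cracking attempts.
+ $name_entries = $em->fetch(
+ null, $this->section->get('id'), 1, null,
+ $name_where, $name_joins, $name_group, true
+ );
+
+ if ($name_entry = @current($name_entries)) {
+ $result->setAttribute('reason', 'incorrect-password');
+ } else {
+ $result->setAttribute('reason', 'incorrect-username');
+ }
+
 return false;
 }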
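Review bot: The `reason` attribute is set on `$result` unconditionally in the failed-login branch of the third hunk, so any page template that prints the event XML tells an unauthenticated visitor whether a member name exists, which is the enumeration risk the added comment itself warns about. Nothing in the visible lines restricts the attribute to a debug or logging path; I would run the second `$em->fetch()` and both `setAttribute('reason', …)` calls only when an opt-in setting that defaults to off is enabled, and otherwise return the bare `status="failed"`. Separately, if the loop in the second hunk never reaches a `FieldMemberName` field, `$name_where` stays `null` and the fetch presumably returns the first entry in the section, reporting `incorrect-password` for a name that does not exist; a guard such as `if ($name_where !== null)` before the lookup would avoid that. `actionLogin` begins and ends outside these hunks, so how `$result` reaches the output is not visible here.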
