updating auth component and test with additional checks for missing data

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@7979 3807eeeb-6ff5-0310-8944-8be069107fe0
cakephp · Jan 14, 2009 · e496fc9 · e496fc9
1 parent 4a636b9
commit e496fc9
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 15 deletions.
diff --git a/cake/libs/controller/components/auth.php b/cake/libs/controller/components/auth.php
@@ -297,23 +297,29 @@ function startup(&$controller) {
 				}
 				return false;
 			}
-			$username = $controller->data[$this->userModel][$this->fields['username']];
-			$password = $controller->data[$this->userModel][$this->fields['password']];
 
-			$data = array(
+			$isValid = !empty($controller->data[$this->userModel][$this->fields['username']]) &&
-				$this->userModel . '.' . $this->fields['username'] => $username,
+				!empty($controller->data[$this->userModel][$this->fields['password']]);
-				$this->userModel . '.' . $this->fields['password'] => $password
-			);
 
-			if ($this->login($data)) {
+			if ($isValid) {
-				if ($this->autoRedirect) {
+				$username = $controller->data[$this->userModel][$this->fields['username']];
-					$controller->redirect($this->redirect(), null, true);
+				$password = $controller->data[$this->userModel][$this->fields['password']];
+
+				$data = array(
+					$this->userModel . '.' . $this->fields['username'] => $username,
+					$this->userModel . '.' . $this->fields['password'] => $password
+				);
+
+				if ($this->login($data)) {
+					if ($this->autoRedirect) {
+						$controller->redirect($this->redirect(), null, true);
+					}
+					return true;
 				}
-				return true;
-			} else {
-				$this->Session->setFlash($this->loginError, 'default', array(), 'auth');
-				$controller->data[$this->userModel][$this->fields['password']] = null;
 			}
+
+			$this->Session->setFlash($this->loginError, 'default', array(), 'auth');
+			$controller->data[$this->userModel][$this->fields['password']] = null;
 			return false;
 		} else {
 			if (!$this->user()) {
@@ -794,7 +800,7 @@ function identify($user = null, $conditions = null) {
 			if (empty($data) || empty($data[$this->userModel])) {
 				return null;
 			}
-		} elseif (!empty($user)) {
+		} elseif (!empty($user) && is_string($user)) {
 			$model =& $this->getModel();
 			$data = $model->find(array_merge(array($model->escapeField() => $user), $conditions));
 

diff --git a/cake/tests/cases/libs/controller/components/auth.test.php b/cake/tests/cases/libs/controller/components/auth.test.php
@@ -822,7 +822,6 @@ function testEmptyUsernameOrPassword() {
  */
 	function testInjection() {
 		$this->AuthUser =& new AuthUser();
-		Configure::write('debug', 1);
 		$this->AuthUser->id = 2;
 		$this->AuthUser->saveField('password', Security::hash(Configure::read('Security.salt') . 'cake'));
 
@@ -856,6 +855,20 @@ function testInjection() {
 
 		$this->Controller->Auth->startup($this->Controller);
 		$this->assertTrue(is_null($this->Controller->Auth->user()));
+
+		unset($this->Controller->data['AuthUser']['password']);
+		$this->Controller->data['AuthUser']['username'] = "1'1";
+		$this->Controller->Auth->initialize($this->Controller);
+
+		$this->Controller->Auth->startup($this->Controller);
+		$this->assertTrue(is_null($this->Controller->Auth->user()));
+
+		unset($this->Controller->data['AuthUser']['username']);
+		$this->Controller->data['AuthUser']['password'] = "1'1";
+		$this->Controller->Auth->initialize($this->Controller);
+
+		$this->Controller->Auth->startup($this->Controller);
+		$this->assertTrue(is_null($this->Controller->Auth->user()));
 	}
 /**
  * test Hashing of passwords