From 2d925d13fae2ebe4bb95314389ccc5416e97c954 Mon Sep 17 00:00:00 2001
From: Andrew Embler
Date: Fri, 18 May 2018 13:42:40 -0500
Subject: [PATCH] Starting on a fix for #6623

---
 .../authentication/concrete/controller.php |   2 +-
 concrete/src/Http/DefaultDispatcher.php     |  19 ++--
 .../src/Page/Controller/PageController.php  |  15 ++-
 concrete/src/Session/SessionValidator.php   |   6 +
 concrete/src/User/User.php                  | 106 +++++++++--------
 5 files changed, 79 insertions(+), 69 deletions(-)

diff --git a/concrete/authentication/concrete/controller.php b/concrete/authentication/concrete/controller.php
index 5b14be9967f..55ed6f1006c 100644
--- a/concrete/authentication/concrete/controller.php
+++ b/concrete/authentication/concrete/controller.php
@@ -131,7 +131,7 @@ private function genString($a = 16)
 
     public function isAuthenticated(User $u)
     {
-        return $u->isLoggedIn();
+        return $u->isRegistered();
     }
 
     public function saveAuthenticationType($values)
diff --git a/concrete/src/Http/DefaultDispatcher.php b/concrete/src/Http/DefaultDispatcher.php
index 9f2a06e4c7b..70dbf8a8992 100644
--- a/concrete/src/Http/DefaultDispatcher.php
+++ b/concrete/src/Http/DefaultDispatcher.php
@@ -13,6 +13,7 @@
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 use Symfony\Component\Routing\Matcher\UrlMatcher;
 use Symfony\Component\Routing\RequestContext;
+use Concrete\Core\Session\SessionValidator;
 
 class DefaultDispatcher implements DispatcherInterface
 {
@@ -59,15 +60,17 @@ public function dispatch(SymfonyRequest $request)
 
     private function getEarlyDispatchResponse()
     {
-        $session = $this->app['session'];
-
-        if (!$session->has('uID')) {
-            User::verifyAuthTypeCookie();
-        }
+        $validator = $this->app->make(SessionValidator::class);
+        if ($validator->hasActiveSession()) {
+            $session = $this->app['session'];
+            if (!$session->has('uID')) {
+                User::verifyAuthTypeCookie();
+            }
 
-        // User may have been logged in, so lets check status again.
-        if ($session->has('uID') && $session->get('uID') > 0 && $response = $this->validateUser()) {
-            return $response;
+            // User may have been logged in, so lets check status again.
+            if ($session->has('uID') && $session->get('uID') > 0 && $response = $this->validateUser()) {
+                return $response;
+            }
         }
     }
 
diff --git a/concrete/src/Page/Controller/PageController.php b/concrete/src/Page/Controller/PageController.php
index 7d17b436a18..19b70dc459b 100644
--- a/concrete/src/Page/Controller/PageController.php
+++ b/concrete/src/Page/Controller/PageController.php
@@ -12,6 +12,7 @@
 use Concrete\Core\Support\Facade\Application;
 use Concrete\Core\Page\View\PageView;
 use Symfony\Component\HttpFoundation\Response;
+use Concrete\Core\Session\SessionValidator;
 
 class PageController extends Controller
 {
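Review bot: `User::verifyAuthTypeCookie()` is now reached only when `hasActiveSession()` is true, i.e. when the client already sends a session cookie, so a visitor whose session cookie is gone but who still presents the authentication-type cookie is no longer re-authenticated in early dispatch. If `verifyAuthTypeCookie()` is the persistent-login path (its body is not in this patch), that is a behaviour change to confirm before the gate lands, because `hasActiveSession()` only tests cookie presence, not validity. If the ordering is intended, record it next to the call: `// The auth-type cookie is only honoured once a session cookie is present — TODO confirm this is the intended order`.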
@@ -111,13 +112,17 @@ public function getReplacement()
 
     public function getSets()
     {
+        $app = $this->app;
         $sets = parent::getSets();
+        $validator = $app->make(SessionValidator::class);
         $session = Application::getFacadeApplication()->make('session');
-        if ($session->getFlashBag()->has('page_message')) {
-            $value = $session->getFlashBag()->get('page_message');
-            foreach ($value as $message) {
-                $sets[$message[0]] = $message[1];
-                $sets[$message[0].'IsHTML'] = isset($message[2]) && $message[2];
+        if ($validator->hasActiveSession()) {
+            if ($session->getFlashBag()->has('page_message')) {
+                $value = $session->getFlashBag()->get('page_message');
+                foreach ($value as $message) {
+                    $sets[$message[0]] = $message[1];
+                    $sets[$message[0].'IsHTML'] = isset($message[2]) && $message[2];
+                }
             }
         }
 
diff --git a/concrete/src/Session/SessionValidator.php b/concrete/src/Session/SessionValidator.php
index 9c980b92644..5a44d795c5c 100644
--- a/concrete/src/Session/SessionValidator.php
+++ b/concrete/src/Session/SessionValidator.php
@@ -95,6 +95,12 @@ public function handleSessionValidation(SymfonySession $session)
         return $invalidate;
     }
 
+    public function hasActiveSession()
+    {
+        $cookie = $this->app['cookie'];
+        return $cookie->has($this->config->get('concrete.session.name'));
+    }
+
     /**
      * @return bool
      */
diff --git a/concrete/src/User/User.php b/concrete/src/User/User.php
index 7451f283833..3b23f3f6012 100644
--- a/concrete/src/User/User.php
+++ b/concrete/src/User/User.php
@@ -4,6 +4,7 @@
 use Concrete\Core\Foundation\ConcreteObject;
 use Concrete\Core\Http\Request;
 use Concrete\Core\Permission\Access\Entity\GroupEntity;
+use Concrete\Core\Session\SessionValidator;
 use Concrete\Core\Support\Facade\Application;
 use Concrete\Core\User\Group\Group;
 use Concrete\Core\Authentication\AuthenticationType;
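Review bot: `$session` is still resolved through `Application::getFacadeApplication()->make('session')` before the `hasActiveSession()` check, so if resolving the session service is what starts a session, the new gate comes too late; the line also ignores the `$app` local introduced two lines above. Move the lookup inside the guard and use the local: `if ($validator->hasActiveSession()) {` followed by `$session = $app->make('session');`. Whether `make('session')` actually starts a session is not visible in this patch. `getSets()` continues past the end of the hunk.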
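Review bot: `hasActiveSession()` reports only that a cookie with the configured session name was sent, not that a session exists, is valid, or belongs to a logged-in user, yet the other hunks in this patch use it to decide whether a user gets resolved at all; the name and the missing docblock invite callers to read it as an authentication check. Document the contract above the method: `/**` / ` * Whether the request carries a cookie with the configured session name. Does not validate the session.` / ` * @return bool` / ` */`. `$cookie->has()` is presumably boolean; if it is not, cast with `(bool)` so the declared return holds.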
@@ -68,16 +69,13 @@ public static function loginByUserID($uID)
     }
 
     /**
-     * Return true if user is logged in.
-     *
-     * @return bool
+     * @deprecated
+     * Use isRegistered() instead
      */
     public static function isLoggedIn()
     {
-        $app = Application::getFacadeApplication();
-        $session = $app['session'];
-
-        return $session->has('uID') && $session->get('uID') > 0;
+        $u = new User();
+        return $u->isRegistered();
     }
 
     /**
@@ -147,9 +145,10 @@ public function __construct()
     {
         $app = Application::getFacadeApplication();
         $args = func_get_args();
-        $session = $app['session'];
         $config = $app['config'];
-
+        $session = $app['session'];
+        $validator = $app->make(SessionValidator::class);
+        // We need to check for the cookie so that we don't auto create a session when this runs super early.
         if (isset($args[1])) {
             // first, we check to see if the username and password match the admin username and password
             // $username = uName normally, but if not it's email address
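Review bot: the new docblock puts the replacement on a separate line from `@deprecated` and drops `@return bool`; documentation tools read the text on the tag line, so write `@deprecated Use isRegistered() instead` and keep `@return bool`. Note also that `new User()` runs the full constructor, which per the later hunk reads the session and computes groups, on every call of this static helper, where the old body only inspected two session keys; acceptable if it is rarely called, but worth checking on hot paths.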
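Review bot: the added comment about checking the cookie sits directly above `if (isset($args[1]))`, the username/password branch, which never consults `$validator`; the cookie check it describes lives in the `else` branch further down, so the comment misleads here. Move it to the line before the `hasActiveSession()` test in that branch, or reword it to `// Resolve the validator now; the cookie check happens in the session branch below`. `$session = $app['session']` is also still resolved unconditionally ahead of the check; whether that starts a session is not visible here. The constructor continues past this hunk.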
@@ -214,44 +213,38 @@ public function __construct()
             }
         } else {
             $req = Request::getInstance();
-            if ($req->hasCustomRequestUser()) {
-                $this->uID = null;
-                $this->uName = null;
-                $this->superUser = false;
-                $this->uDefaultLanguage = null;
-                $this->uTimezone = null;
-                $ux = $req->getCustomRequestUser();
-                if ($ux && is_object($ux)) {
-                    $this->uID = $ux->getUserID();
-                    $this->uName = $ux->getUserName();
-                    $this->superUser = $ux->getUserID() == USER_SUPER_ID;
-                    if ($ux->getUserDefaultLanguage()) {
-                        $this->uDefaultLanguage = $ux->getUserDefaultLanguage();
+            $this->uID = null;
+            $this->uName = null;
+            $this->superUser = false;
+            $this->uDefaultLanguage = null;
+            $this->uTimezone = null;
+            if ($validator->hasActiveSession() || $this->uID) {
+                if ($req->hasCustomRequestUser()) {
+                    $ux = $req->getCustomRequestUser();
+                    if ($ux && is_object($ux)) {
+                        $this->uID = $ux->getUserID();
+                        $this->uName = $ux->getUserName();
+                        $this->superUser = $ux->getUserID() == USER_SUPER_ID;
+                        if ($ux->getUserDefaultLanguage()) {
+                            $this->uDefaultLanguage = $ux->getUserDefaultLanguage();
+                        }
+                        $this->uTimezone = $ux->getUserTimezone();
                     }
-                    $this->uTimezone = $ux->getUserTimezone();
+                } else if ($session->has('uID')) {
+                    $this->uID = $session->get('uID');
+                    $this->uName = $session->get('uName');
+                    $this->uTimezone = $session->get('uTimezone');
+                    if ($session->has('uDefaultLanguage')) {
+                        $this->uDefaultLanguage = $session->get('uDefaultLanguage');
+                    }
+                    $this->superUser = ($session->get('uID') == USER_SUPER_ID) ? true : false;
                 }
-            } elseif ($session->has('uID')) {
-                $this->uID = $session->get('uID');
-                $this->uName = $session->get('uName');
-                $this->uTimezone = $session->get('uTimezone');
-                if ($session->has('uDefaultLanguage')) {
-                    $this->uDefaultLanguage = $session->get('uDefaultLanguage');
+                $this->uGroups = $this->_getUserGroups();
+                if (!isset($args[2]) && !$req->hasCustomRequestUser()) {
+                    $session->set('uGroups', $this->uGroups);
                 }
-                $this->superUser = ($session->get('uID') == USER_SUPER_ID) ? true : false;
-            } else {
-                $this->uID = null;
-                $this->uName = null;
-                $this->superUser = false;
-                $this->uDefaultLanguage = null;
-                $this->uTimezone = null;
-            }
-            $this->uGroups = $this->_getUserGroups();
-            if (!isset($args[2]) && !$req->hasCustomRequestUser()) {
-                $session->set('uGroups', $this->uGroups);
             }
         }
-
-        return $this;
     }
 
     /**
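Review bot: `|| $this->uID` in `if ($validator->hasActiveSession() || $this->uID)` is always false because `$this->uID` was set to `null` on the line just above, so the custom-request-user branch now runs only when a session cookie is present; if custom request users are attached by a non-cookie mechanism (not visible here), such requests resolve to an anonymous user, and the `getUserAccessEntityObjects()` hunk later in this patch gates the same way. Check the request user first and gate only the session branch: `if ($req->hasCustomRequestUser()) {` … `} elseif ($validator->hasActiveSession() && $session->has('uID')) {`, dropping the dead `|| $this->uID` and using `elseif` per PSR. Separately, `$this->uGroups` is no longer assigned on the no-session path, where the old code always called `_getUserGroups()`; callers that iterate it may now see `null` instead of an array.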
@@ -594,24 +587,27 @@ public function refreshUserGroups()
      */
     public function getUserAccessEntityObjects()
     {
+        $entities = [];
         $app = Application::getFacadeApplication();
-        $req = Request::getInstance();
         $session = $app['session'];
+        $validator = $app->make(SessionValidator::class);
+        if ($validator->hasActiveSession()) {
+            $req = Request::getInstance();
 
-        if ($req->hasCustomRequestUser()) {
-            // we bypass session-saving performance
-            // and we don't save them in session.
-            return PermissionAccessEntity::getForUser($this);
-        }
+            if ($req->hasCustomRequestUser()) {
+                // we bypass session-saving performance
+                // and we don't save them in session.
+                return PermissionAccessEntity::getForUser($this);
+            }
 
-        if ($session->has('accessEntities')) {
-            $entities = $session->get('accessEntities');
-        } else {
-            $entities = PermissionAccessEntity::getForUser($this);
-            $session->set('accessEntities', $entities);
-            $session->set('accessEntitiesUpdated', time());
+            if ($session->has('accessEntities')) {
+                $entities = $session->get('accessEntities');
+            } else {
+                $entities = PermissionAccessEntity::getForUser($this);
+                $session->set('accessEntities', $entities);
+                $session->set('accessEntitiesUpdated', time());
+            }
         }
-
         return $entities;
     }
 
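Review bot: with `$entities = []` hoisted to the top, a request without a session cookie returns an empty entity list without ever calling `PermissionAccessEntity::getForUser($this)`, whereas before every user, guests included, had entities computed; if guest permissions are expressed as access entities (not visible here), cookieless visitors now lose them. Computing without caching keeps the no-session intent: add `} else {` / `$entities = PermissionAccessEntity::getForUser($this);` / `}` to the `hasActiveSession()` block so the session is still never touched. A short comment on the `$entities = [];` line stating why the empty default is acceptable would also help the next reader.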