Check code/securecode are set for login

Fixes #31. If securecode is NULL (e.g. bad external log-in code) then any user from the same IP can gain access if they don't have a securecode cookie set.
eprints · Feb 5, 2013 · a9c66337ec48994a8c481899f1d5a8039a98e8d0 · a9c6633
1 parent 3a6ef4b
commit a9c66337ec48994a8c481899f1d5a8039a98e8d0
Showing with 10 additions and 6 deletions.

+10 −6 perl_lib/EPrints/DataObj/LoginTicket.pm
diff --git a/perl_lib/EPrints/DataObj/LoginTicket.pm b/perl_lib/EPrints/DataObj/LoginTicket.pm
@@ -150,19 +150,23 @@ sub new_from_request
 			$r,
 			$SECURE_SESSION_KEY
 		);
-		$ticket = $dataset->search(filters => [
-			{ meta_fields => [qw( securecode )], value => $securecode },
-		])->item( 0 );
+		if (EPrints::Utils::is_set($securecode)) {
+			$ticket = $dataset->search(filters => [
+				{ meta_fields => [qw( securecode )], value => $securecode },
+			])->item( 0 );
+		}
 	}
 	else
 	{
 		my $code = EPrints::Apache::AnApache::cookie(
 			$r,
 			$SESSION_KEY
 		);
-		$ticket = $dataset->search(filters => [
-			{ meta_fields => [qw( code )], value => $code },
-		])->item( 0 );
+		if (EPrints::Utils::is_set($code)) {
+			$ticket = $dataset->search(filters => [
+				{ meta_fields => [qw( code )], value => $code },
+			])->item( 0 );
+		}
 	}
 
 	my $timeout = $repo->config( "user_session_timeout" );