mirror of
https://github.com/phpbb/phpbb.git
synced 2025-06-10 05:18:52 +00:00
changed the way re-authentication is handled, basically hardening the process.
- also forbid re-authenticating as another user. needs further testing. git-svn-id: file:///svn/phpbb/trunk@5724 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen
parent
1096b13c7e
commit
64fbadf3d6
3 changed files with 74 additions and 49 deletions
|
|
@ -1368,6 +1368,14 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
|
|||
$user->setup();
|
||||
}
|
||||
|
||||
// Print out error if user tries to authenticate as an administrator without having the privileges...
|
||||
if ($admin && !$auth->acl_get('a_'))
|
||||
{
|
||||
// Not authd
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
|
||||
trigger_error('NO_AUTH_ADMIN');
|
||||
}
|
||||
|
||||
if (isset($_POST['login']))
|
||||
{
|
||||
$username = request_var('username', '');
|
||||
|
|
@ -1376,27 +1384,35 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
|
|||
$viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
|
||||
$admin = ($admin) ? 1 : 0;
|
||||
|
||||
// Check if the supplied username is equal to the one stored within the database if re-authenticating
|
||||
if ($admin && strtolower($username) != strtolower($user->data['username']))
|
||||
{
|
||||
// We log the attempt to use a different username...
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
|
||||
trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
|
||||
}
|
||||
|
||||
// If authentication is successful we redirect user to previous page
|
||||
$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
|
||||
|
||||
// If admin authentication and login, we will log if it was a success or not...
|
||||
// We also break the operation on the first non-success login - it could be argued that the user already
|
||||
// knows
|
||||
if ($admin)
|
||||
{
|
||||
if ($result['status'] == LOGIN_SUCCESS)
|
||||
{
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
|
||||
}
|
||||
else
|
||||
{
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
|
||||
}
|
||||
}
|
||||
|
||||
// The result parameter is always an array, holding the relevant informations...
|
||||
if ($result['status'] == LOGIN_SUCCESS)
|
||||
{
|
||||
// If admin authentication
|
||||
if ($admin)
|
||||
{
|
||||
if ($auth->acl_get('a_'))
|
||||
{
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_SUCCESS');
|
||||
}
|
||||
else
|
||||
{
|
||||
// Authenticated, but not having admin permissions
|
||||
add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
|
||||
trigger_error('NO_AUTH_ADMIN');
|
||||
}
|
||||
}
|
||||
|
||||
$redirect = request_var('redirect', "index.$phpEx$SID");
|
||||
meta_refresh(3, $redirect);
|
||||
|
||||
|
|
@ -1485,7 +1501,10 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
|
|||
|
||||
'S_DISPLAY_FULL_LOGIN' => ($s_display) ? true : false,
|
||||
'S_LOGIN_ACTION' => (!$admin) ? "{$phpbb_root_path}ucp.$phpEx$SID&mode=login" : "index.$phpEx$SID",
|
||||
'S_HIDDEN_FIELDS' => $s_hidden_fields)
|
||||
'S_HIDDEN_FIELDS' => $s_hidden_fields,
|
||||
|
||||
'S_ADMIN_AUTH' => $admin,
|
||||
'USERNAME' => ($admin) ? $user->data['username'] : '')
|
||||
);
|
||||
|
||||
page_header($user->lang['LOGIN']);
|
||||
|
|
|
|||
|
|
@ -268,36 +268,38 @@ $lang = array_merge($lang, array(
|
|||
'MONTH' => 'Month',
|
||||
'MOVE' => 'Move',
|
||||
|
||||
'NA' => 'N/A',
|
||||
'NEWEST_USER' => 'Our newest member <b>%s%s%s</b>',
|
||||
'NEW_MESSAGE' => 'New Message',
|
||||
'NEW_MESSAGES' => 'New Messages',
|
||||
'NEW_PM' => '<b>%d</b> new message',
|
||||
'NEW_PMS' => '<b>%d</b> new messages',
|
||||
'NEW_POST' => 'New post',
|
||||
'NEW_POSTS' => 'New posts',
|
||||
'NEXT' => 'Next',
|
||||
'NO' => 'No',
|
||||
'NONE' => 'None',
|
||||
'NOT_WATCHING_FORUM'=> 'You no subscribe to updates on this forum',
|
||||
'NOT_WATCHING_TOPIC'=> 'You are no longer subscribed to this topic.',
|
||||
'NO_AUTH_OPERATION' => 'You do not have the neccessary permissions to complete this operation.',
|
||||
'NO_BIRTHDAYS' => 'No birthdays today',
|
||||
'NO_FORUM' => 'The forum you selected does not exist',
|
||||
'NO_FORUMS' => 'This board has no forums',
|
||||
'NO_GROUP' => 'The requested usergroup does not exist.',
|
||||
'NO_MEMBERS' => 'No members found for this search criteria',
|
||||
'NO_MESSAGES' => 'No Messages',
|
||||
'NO_NEW_MESSAGES' => 'No new messages',
|
||||
'NO_NEW_PM' => '<b>0</b> new messages',
|
||||
'NO_NEW_POSTS' => 'No new posts',
|
||||
'NO_POSTS' => 'No Posts',
|
||||
'NO_SUCH_SEARCH_MODULE' => 'The specified search backend doesn\'t exist',
|
||||
'NO_TOPIC' => 'The requested topic does not exist.',
|
||||
'NO_TOPICS' => 'There are no topics or posts in this forum.',
|
||||
'NO_UNREAD_PM' => '<b>0</b> unread messages',
|
||||
'NO_USER' => 'The requested user does not exist.',
|
||||
'NO_USERS' => 'The requested users do not exist',
|
||||
'NA' => 'N/A',
|
||||
'NEWEST_USER' => 'Our newest member <b>%s%s%s</b>',
|
||||
'NEW_MESSAGE' => 'New Message',
|
||||
'NEW_MESSAGES' => 'New Messages',
|
||||
'NEW_PM' => '<b>%d</b> new message',
|
||||
'NEW_PMS' => '<b>%d</b> new messages',
|
||||
'NEW_POST' => 'New post',
|
||||
'NEW_POSTS' => 'New posts',
|
||||
'NEXT' => 'Next',
|
||||
'NO' => 'No',
|
||||
'NONE' => 'None',
|
||||
'NOT_WATCHING_FORUM' => 'You no subscribe to updates on this forum',
|
||||
'NOT_WATCHING_TOPIC' => 'You are no longer subscribed to this topic.',
|
||||
'NO_AUTH_ADMIN' => 'You do not have admin permissions and therefore not allowed to access the administration control panel.',
|
||||
'NO_AUTH_ADMIN_USER_DIFFER' => 'You are not able to re-authenticate as a different user.',
|
||||
'NO_AUTH_OPERATION' => 'You do not have the neccessary permissions to complete this operation.',
|
||||
'NO_BIRTHDAYS' => 'No birthdays today',
|
||||
'NO_FORUM' => 'The forum you selected does not exist',
|
||||
'NO_FORUMS' => 'This board has no forums',
|
||||
'NO_GROUP' => 'The requested usergroup does not exist.',
|
||||
'NO_MEMBERS' => 'No members found for this search criteria',
|
||||
'NO_MESSAGES' => 'No Messages',
|
||||
'NO_NEW_MESSAGES' => 'No new messages',
|
||||
'NO_NEW_PM' => '<b>0</b> new messages',
|
||||
'NO_NEW_POSTS' => 'No new posts',
|
||||
'NO_POSTS' => 'No Posts',
|
||||
'NO_SUCH_SEARCH_MODULE' => 'The specified search backend doesn\'t exist',
|
||||
'NO_TOPIC' => 'The requested topic does not exist.',
|
||||
'NO_TOPICS' => 'There are no topics or posts in this forum.',
|
||||
'NO_UNREAD_PM' => '<b>0</b> unread messages',
|
||||
'NO_USER' => 'The requested user does not exist.',
|
||||
'NO_USERS' => 'The requested users do not exist',
|
||||
|
||||
'OCCUPATION' => 'Occupation',
|
||||
'OFFLINE' => 'Offline',
|
||||
|
|
|
|||
|
|
@ -29,11 +29,15 @@
|
|||
<!-- ENDIF -->
|
||||
|
||||
<tr>
|
||||
<td><b class="gensmall">{L_USERNAME}:</b></td>
|
||||
<td><input class="post" type="text" name="username" size="25" maxlength="40" value="{USERNAME}" tabindex="1" /><br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a></td>
|
||||
<td valign="top"><b class="gensmall">{L_USERNAME}:</b></td>
|
||||
<td><input class="post" type="text" name="username" size="25" maxlength="40" value="{USERNAME}" tabindex="1" />
|
||||
<!-- IF not S_ADMIN_AUTH -->
|
||||
<br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a>
|
||||
<!-- ENDIF -->
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b class="gensmall">{L_PASSWORD}:</b></td>
|
||||
<td valign="top"><b class="gensmall">{L_PASSWORD}:</b></td>
|
||||
<td>
|
||||
<input class="post" type="password" name="password" size="25" maxlength="100" tabindex="2" />
|
||||
<!-- IF U_SEND_PASSWORD --><br /><a class="gensmall" href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a><!-- ENDIF -->
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue