Merge pull request #3040 from nickvergessen/ticket/13138-asc

[3.1] Ticket/13138 Only use cookie data when we do not force a user_id

Conflicts:
	phpBB/phpbb/session.php

phpBB/phpbb/session.php

@@ -593,15 +593,15 @@ class session
 		}
 		else if (!$bot)
 		{
-            $provider_collection = $phpbb_container->get('auth.provider_collection');
-            $provider = $provider_collection->get_provider();
-            $this->data = $provider->autologin();
+			$provider_collection = $phpbb_container->get('auth.provider_collection');
+			$provider = $provider_collection->get_provider();
+			$this->data = $provider->autologin();
 
-            if (sizeof($this->data))
-            {
-                $this->cookie_data['k'] = '';
-                $this->cookie_data['u'] = $this->data['user_id'];
-            }
+			if (sizeof($this->data))
+			{
+				$this->cookie_data['k'] = '';
+				$this->cookie_data['u'] = $this->data['user_id'];
+			}
 
 			// If we're presented with an autologin key we'll join against it.
 			// Else if we've been passed a user_id we'll grab data based on that

tests/session/session_key_test.php

@@ -11,6 +11,7 @@
 *
 */
 
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
 require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php';
 
 class phpbb_session_login_keys_test extends phpbb_session_test_case
@@ -28,13 +29,14 @@ class phpbb_session_login_keys_test extends phpbb_session_test_case
 		// With AutoLogin setup
 		$this->session_factory->merge_config_data(array('allow_autologin' => true));
 		$session = $this->session_factory->get_session($this->db);
+
 		// Using a user_id and key that is already in the database
 		$session->cookie_data['u'] = $this->user_id;
 		$session->cookie_data['k'] = $this->key_id;
-		// Try to access session
-		$session->session_create($this->user_id, false, $this->user_id);
 
-		$this->assertEquals($this->user_id, $session->data['user_id'], "session should automatically login");
+		// Try to access session with the session key
+		$session->session_create(false, false, false);
+		$this->assertEquals($this->user_id, $session->data['user_id'], 'User should be logged in by the session key');
 	}
 
 	public function test_reset_keys()
@@ -42,14 +44,19 @@ class phpbb_session_login_keys_test extends phpbb_session_test_case
 		// With AutoLogin setup
 		$this->session_factory->merge_config_data(array('allow_autologin' => true));
 		$session = $this->session_factory->get_session($this->db);
+
 		// Reset of the keys for this user
 		$session->reset_login_keys($this->user_id);
+
 		// Using a user_id and key that was in the database (before reset)
 		$session->cookie_data['u'] = $this->user_id;
 		$session->cookie_data['k'] = $this->key_id;
-		// Try to access session
-		$session->session_create($this->user_id, false, $this->user_id);
 
-		$this->assertNotEquals($this->user_id, $session->data['user_id'], "session should be cleared");
+		// Try to access session with the session key
+		$session->session_create(false, false, $this->user_id);
+		$this->assertNotEquals($this->user_id, $session->data['user_id'], 'User is not logged in because the session key is invalid');
+
+		$session->session_create($this->user_id, false, false);
+		$this->assertEquals($this->user_id, $session->data['user_id'], 'User should be logged in because we create a new session');
 	}
 }

tests/test_framework/phpbb_session_test_case.php

@@ -16,8 +16,13 @@ require_once dirname(__FILE__) . '/../session/testable_facade.php';
 
 abstract class phpbb_session_test_case extends phpbb_database_test_case
 {
+	/** @var phpbb_session_testable_factory */
 	protected $session_factory;
+
+	/** @var phpbb_session_testable_facade */
 	protected $session_facade;
+
+	/** @var \phpbb\db\driver\driver_interface */
 	protected $db;
 
 	function setUp()