authorGábor Hojtsy <gabor@hojtsy.hu>2007-12-13 12:53:47 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2007-12-13 12:53:47 +0000
commitce3542d8ab0b9baad24f72dd39da0a62ab713b8b (patch)
tree80570f61aad066de13bacaec06bef09384e78e32
parent050008410d34a78d93cac155476d359669a3cad7 (diff)
downloadbrdo-ce3542d8ab0b9baad24f72dd39da0a62ab713b8b.tar.gz
brdo-ce3542d8ab0b9baad24f72dd39da0a62ab713b8b.tar.bz2
#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user login tasks, such as session id regeneration, were not performed in all cases, so centralize this
-rw-r--r--install.php2
-rw-r--r--modules/blogapi/blogapi.module2
-rw-r--r--modules/user/user.module47
-rw-r--r--modules/user/user.pages.inc11
4 files changed, 38 insertions, 24 deletions
diff --git a/install.php b/install.php
index b81f18c64..fc9e061c3 100644
--- a/install.php
+++ b/install.php
@@ -1114,7 +1114,7 @@ function install_configure_form_submit($form, &$form_state) {
$merge_data = array('init' => $form_state['values']['mail'], 'roles' => array(), 'status' => 1);
user_save($account, array_merge($form_state['values'], $merge_data));
// Log in the first user.
- user_authenticate($form_state['values']['name'], trim($form_state['values']['pass']));
+ user_authenticate($form_state['values']);
$form_state['values'] = $form_state['old_values'];
unset($form_state['old_values']);
variable_set('user_email_verification', TRUE);
diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index 22e15dda4..9e0e0a0cd 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -507,7 +507,7 @@ function blogapi_error($message) {
function blogapi_validate_user($username, $password) {
global $user;
- $user = user_authenticate($username, $password);
+ $user = user_authenticate(array('name' => $username, 'pass' => $password));
if ($user->uid) {
if (user_access('edit own blog', $user)) {
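Review bot: With the new `$user = user_authenticate(array('name' => $username, 'pass' => $password));` line, every XML-RPC request that passes through blogapi_validate_user now also runs user_authenticate_finalize(): a "Session opened" watchdog entry, a write to {users}.login, hook_user op 'login' and sess_regenerate(), whereas the old call only loaded the account into $user. For a stateless API client that authenticates on every call this means a log line, a database write and a regenerated session per request, and any hook_user login implementation that assumes an interactive form submission now receives only the name/pass pair as $edit. If that is intended, a comment on the call such as `// user_authenticate() also fires the login hook and regenerates the session on each call.` would record it; otherwise the blogapi path may need a load-only check. blogapi_validate_user continues outside the hunk.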
diff --git a/modules/user/user.module b/modules/user/user.module
index dd5ec47ad..eb3862b15 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1238,8 +1238,6 @@ function user_login_default_validators() {
/**
* A FAPI validate handler. Sets an error is supplied username has been blocked or denied access.
- *
- * @return void
*/
function user_login_name_validate($form, &$form_state) {
if (isset($form_state['values']['name'])) {
@@ -1259,7 +1257,7 @@ function user_login_name_validate($form, &$form_state) {
* against local users table. If successful, sets the global $user object.
*/
function user_login_authenticate_validate($form, &$form_state) {
- user_authenticate($form_state['values']['name'], trim($form_state['values']['pass']));
+ user_authenticate($form_state['values']);
}
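Review bot: The `user_authenticate($form_state['values']);` call now performs the whole login finalization — login timestamp write, hook_user op 'login' and sess_regenerate() — from inside a validate handler, before user_login_final_validate and any validators added by other modules have run. If a later validator calls form_set_error(), the global $user is already set and the session already regenerated, so the request ends with the user logged in although the form was rejected; previously that work ran only in user_login_submit. Unless a validation failure is known to discard the session, it may be safer to keep the finalize step in the submit handler or guard it on form_get_errors(). The docblock above the function (which starts outside the hunk) could also say that this handler regenerates the session on success.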
/**
@@ -1277,33 +1275,52 @@ function user_login_final_validate($form, &$form_state) {
/**
* Try to log in the user locally.
*
+ * @param $form_values
+ * Form values with at least 'name' and 'pass' keys, as well as anything else
+ * which should be passed along to hook_user op 'login'.
+ *
* @return
* A $user object, if successful.
*/
-function user_authenticate($name, $pass) {
+function user_authenticate($form_values = array()) {
global $user;
- if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
+ // Name and pass keys are required.
+ if (!empty($form_values['name']) && !empty($form_values['pass']) &&
+ $account = user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1))) {
$user = $account;
+ user_authenticate_finalize($form_values);
return $user;
}
}
/**
+ * Finalize the login process. Must be called when logging in a user.
+ *
+ * The function records a watchdog message about the new session, saves the
+ * login timestamp, calls hook_user op 'login' and generates a new session.
+ *
+ * $param $edit
+ * This array is passed to hook_user op login.
+ */
+function user_authenticate_finalize(&$edit) {
+ global $user;
+ watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
+ // Update the user table timestamp noting user has logged in.
+ // This is also used to invalidate one-time login links.
+ $user->login = time();
+ db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
+ user_module_invoke('login', $edit, $user);
+ sess_regenerate();
+}
+
+/**
* A validate handler on the login form. Update user's login timestamp, fire
* hook_user('login), and generate new session ID.
*/
function user_login_submit($form, &$form_state) {
global $user;
if ($user->uid) {
- watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
-
- // Update the user table timestamp noting user has logged in.
- db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
-
- user_module_invoke('login', $form_state['values'], $user);
-
- sess_regenerate();
$form_state['redirect'] = 'user/'. $user->uid;
return;
}
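Review bot: The `!empty($form_values['pass'])` guard in user_authenticate rejects a password that is the literal string "0", because PHP's empty() treats '0' as empty; `isset($form_values['pass']) && $form_values['pass'] !== ''` (and likewise for 'name') keeps the required-key check without that gap. The docblock of user_authenticate_finalize has `$param $edit` where `@param $edit` is meant. The user_login_submit docblock still calls it "A validate handler" that updates the login timestamp, fires hook_user('login') and generates a new session ID, but that work now lives in user_authenticate_finalize; suggest `Submit handler for the login form: redirects to the user page once user_authenticate_finalize() has logged the user in.`. user_login_submit continues past the end of the hunk.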
@@ -2178,7 +2195,7 @@ function user_register_submit($form, &$form_state) {
drupal_set_message(t('</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass)));
}
- user_authenticate($account->name, trim($pass));
+ user_authenticate(array_merge($form_state['values'], $merge_data));
$form_state['redirect'] = 'user/1/edit';
return;
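Review bot: user_authenticate() now returns without logging in when the array it receives lacks a non-empty 'pass' key, and the `user_authenticate(array_merge($form_state['values'], $merge_data));` call on this line does not check its return value; the old call passed the generated `$pass` explicitly, while `$merge_data` is built outside the hunk, so whether it carries 'pass' cannot be confirmed from here. The same applies to the `if (user_authenticate(array_merge($form_state['values'], $merge_data)))` call in the next hunk, which at least tests the result. If `$merge_data` does not include 'pass', the auto-login after registration silently stops working for admin-created accounts; if it does, a comment such as `// $merge_data supplies the 'pass' key user_authenticate() requires.` would make the dependency visible. user_register_submit starts and ends outside both hunks.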
@@ -2192,7 +2209,7 @@ function user_register_submit($form, &$form_state) {
else if (!variable_get('user_email_verification', TRUE) && $account->status && !$admin) {
// No e-mail verification is required, create new user account, and login user immediately.
_user_mail_notify('register_no_approval_required', $account);
- if (user_authenticate($account->name, trim($pass))) {
+ if (user_authenticate(array_merge($form_state['values'], $merge_data))) {
drupal_set_message(t('Registration successful. You are now logged in.'));
}
$form_state['redirect'] = '';
diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc
index 88ce583ac..eb3e7db87 100644
--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -96,14 +96,11 @@ function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action =
// First stage is a confirmation form, then login
if ($action == 'login') {
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
- // Update the user table noting user has logged in.
- // And this also makes this hashed password a one-time-only login.
- db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid);
- // Now we can set the new user.
+ // Set the new user.
$user = $account;
- // And proceed with normal login, going to user page.
- $edit = array();
- user_module_invoke('login', $edit, $user);
+ // user_authenticate_finalize() also updates the login timestamp of the
+ // user, which invalidates further use of the one-time login link.
+ user_authenticate_finalize($form_state['values']);
drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
drupal_goto('user/'. $user->uid .'/edit');
}
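Review bot: The `user_authenticate_finalize($form_state['values']);` call replaces the old `$edit = array();`, but on the one-time-login path the 'login' action is reached from the link rather than a form submission, so `$form_state['values']` is not necessarily set; because the parameter is by reference, PHP then creates that key with NULL and hook_user op 'login' implementations receive NULL instead of an array as $edit. Suggest `$edit = isset($form_state['values']) ? $form_state['values'] : array();` followed by `user_authenticate_finalize($edit);`. Whether `$form_state['values']` is populated here depends on the rest of user_pass_reset, which starts and ends outside the hunk.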