authorDries Buytaert <dries@buytaert.net>2009-06-30 11:32:08 +0000
committerDries Buytaert <dries@buytaert.net>2009-06-30 11:32:08 +0000
commit00fc298163ec610c55177196ca9550ae38f4e2ea (patch)
tree159dec1d0a2728bcb405c75cbc60aa5df4706271 /modules/blogapi/blogapi.module
parente4857747ca016f14afd2cc002339bbad5149efb7 (diff)
- Patch #497612 by Moshe Weitzman et al: harden user login by correctly using the form API. Complete commit now. Thank you, thank you.
Diffstat (limited to 'modules/blogapi/blogapi.module')
-rw-r--r--modules/blogapi/blogapi.module11
1 files changed, 6 insertions, 5 deletions
diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index ef8e22693..9f9549bb3 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -683,13 +683,14 @@ function blogapi_error($message) {
* Ensure that the given user has permission to edit a blog.
*/
function blogapi_validate_user($username, $password) {
- global $user;
+ $form_state['values']['name'] = $username;
+ $form_state['values']['pass'] = $password;
+ $form_state['values']['op'] = t('Login');
+ drupal_form_submit('user_login', $form_state);
- $user = user_authenticate(array('name' => $username, 'pass' => $password));
-
- if ($user->uid) {
+ if (!form_get_error()) {
if (user_access('administer content with blog api', $user)) {
- return $user;
+ return $GLOBALS['user'];
}
else {
return t('You do not have permission to edit this blog.');