From 00fc298163ec610c55177196ca9550ae38f4e2ea Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Tue, 30 Jun 2009 11:32:08 +0000
Subject: - Patch #497612 by Moshe Weitzman et al: harden user login by correctly using the form API. Complete commit now. Thank you, thank you.
---
 modules/openid/openid.module | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'modules/openid/openid.module')
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 48bf7e33c..cac813442 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -409,7 +409,13 @@ function openid_authentication($response) {
 $account = user_external_load($identity);
 if (isset($account->uid)) {
 if (!variable_get('user_email_verification', TRUE) || $account->login) {
- user_external_login($account, $_SESSION['openid']['user_login_values']);
+ // Check if user is blocked.
+ user_login_name_validate(array(), $state, (array)$account);
+ if (!form_get_errors()) {
+ // Load global $user and perform final login tasks.
+ $form_state['uid'] = $account->uid;
+ user_login_submit(array(), $form_state);
+ }
 }
 else {
 drupal_set_message(t('You must validate your email address for this account before logging in via OpenID'));
@@ -446,7 +452,9 @@ function openid_authentication($response) {
 drupal_goto();
 }
 user_set_authmaps($account, array("authname_openid" => $identity));
- user_external_login($account);
+ // Load global $user and perform final login tasks.
+ $form_state['uid'] = $account->uid;
+ user_login_submit(array(), $form_state);
 }
 drupal_redirect_form($form, $form_state['redirect']);
 }
-- 
cgit v1.2.3
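Review bot: In the first hunk (`@@ -409,7 +409,13 @@`), `$state` is never assigned before `user_login_name_validate(array(), $state, (array)$account)`, while every other added line uses `$form_state`, and the account is passed as an extra third argument. If the validator looks the user up from the form state's `values` (as Drupal's `$form, &$form_state` validators do; its definition is not on this page), the blocked-account check sees no name and `form_get_errors()` stays empty, so a blocked user could still complete an OpenID login. Populate the state before the call, e.g. `$state['values']['name'] = $account->name;` followed by `user_login_name_validate(array(), $state);`. `openid_authentication()` starts and ends outside the hunk, so confirm `$state` is not set earlier in the function.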
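Review bot: In the second hunk (`@@ -446,7 +452,9 @@`), the `user_login_submit()` call after `user_set_authmaps()` has no blocked-account check and no `form_get_errors()` guard, unlike the login path in the first hunk. If an account reaching this point can be blocked (for example while pending approval; the surrounding code is outside the hunk), it is logged in regardless, so consider running the same check and wrapping the two lines in `if (!form_get_errors()) { … }`. `$form_state` here also appears to be the array whose `redirect` key `drupal_redirect_form()` reads two lines later, so it is worth confirming that `user_login_submit()` leaves that key as intended.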