From 77fda87530f85a6fd83061808c4ef3c983750a51 Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Fri, 19 Jul 2013 17:50:13 +0200
Subject: [PATCH] =?utf8?q?=C3=9Cberpr=C3=BCfung=20vom=20API-Token=20gefixt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 SL/Auth.pm | 10 ++++++++--
 SL/Dispatcher/AuthHandler/Admin.pm | 2 +-
 SL/Dispatcher/AuthHandler/User.pm | 2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/SL/Auth.pm b/SL/Auth.pm
index bbf4b32e5..74ccd4ee5 100644
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -607,8 +607,8 @@ sub restore_session {
 # The session ID provided is valid in the following cases:
 # 1. session ID exists in the database
 # 2. hasn't expired yet
- # 3. if form field '{AUTH}api_token' is given: form field must equal database column 'auth.session.api_token' for the session ID
- # 4. if form field '{AUTH}api_token' is NOT given then: the requestee's IP address must match the stored IP address
+ # 3. if cookie for the API token is given: the cookie's value equal database column 'auth.session.api_token' for the session ID
+ # 4. if cookie for the API token is NOT given then: the requestee's IP address must match the stored IP address
 $self->{api_token} = $cookie->{api_token} if $cookie;
 my $api_token_cookie = $self->get_api_token_cookie;
 my $cookie_is_bad = !$cookie || $cookie->{is_expired};
@@ -992,6 +992,12 @@ sub get_api_token_cookie {
 $::request->{cgi}->cookie($self->get_session_cookie_name(type => 'api_token'));
 }
+sub is_api_token_cookie_valid {
+ my ($self) = @_;
+ my $provided_api_token = $self->get_api_token_cookie;
+ return $self->{api_token} && $provided_api_token && ($self->{api_token} eq $provided_api_token);
+}
+
 sub session_tables_present {
 $main::lxdebug->enter_sub();
diff --git a/SL/Dispatcher/AuthHandler/Admin.pm b/SL/Dispatcher/AuthHandler/Admin.pm
index ad7c1f413..ebb4a4d3f 100644
--- a/SL/Dispatcher/AuthHandler/Admin.pm
+++ b/SL/Dispatcher/AuthHandler/Admin.pm
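Review bot: `is_api_token_cookie_valid` returns the cookie-supplied token string rather than a boolean, because the `&&` chain on its `return` line yields its last operand; both call sites in this patch assign that straight into `$ok` (the code they replace normalised with `? 1 : 0`), so a live secret ends up in a yes/no variable and would leak if `$ok` is ever logged or rendered. Suggest `return ($self->{api_token} && $provided_api_token && $self->{api_token} eq $provided_api_token) ? 1 : 0;`. Separately, `eq` stops at the first differing byte, so comparing an attacker-controlled cookie against the stored session token is not constant-time; how much of that is observable over HTTP is debatable, but a fixed-time compare is cheap — e.g. require equal lengths and test `($self->{api_token} ^ $provided_api_token) !~ /[^\0]/`, or compare `Digest::SHA::hmac_sha256` of each side under a per-process random key. A one-line header comment such as `# True iff the API-token cookie matches the token loaded for this session by restore_session.` would also document the contract the comment block in the first hunk describes.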
@@ -10,7 +10,7 @@ sub handle {
 %::myconfig = ();
- my $ok = $::auth->get_api_token_cookie ? 1 : 0;
+ my $ok = $::auth->is_api_token_cookie_valid;
 $ok ||= $::form->{'{AUTH}admin_password'} && ($::auth->authenticate_root($::form->{'{AUTH}admin_password'}) == $::auth->OK());
 $ok ||= !$::form->{'{AUTH}admin_password'} && ($::auth->authenticate_root($::auth->get_session_value('admin_password')) == $::auth->OK());
 $ok ||= $params{action} eq 'login';
diff --git a/SL/Dispatcher/AuthHandler/User.pm b/SL/Dispatcher/AuthHandler/User.pm
index 5ee543beb..7b2a5eb66 100644
--- a/SL/Dispatcher/AuthHandler/User.pm
+++ b/SL/Dispatcher/AuthHandler/User.pm
@@ -21,7 +21,7 @@ sub handle {
 $::locale = Locale->new($::myconfig{countrycode});
 $::request->{layout} = SL::Layout::Dispatcher->new(style => $::myconfig{menustyle});
- my $ok = $::auth->get_api_token_cookie ? 1 : 0;
+ my $ok = $::auth->is_api_token_cookie_valid;
 $ok ||= $::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, $::form->{'{AUTH}password'}));
 $ok ||= !$::form->{'{AUTH}login'} && (SL::Auth::OK() == $::auth->authenticate($::myconfig{login}, undef));
-- 
2.20.1
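Review bot: In the Admin.pm hunk a valid API-token cookie is now sufficient on its own — once the new `my $ok = $::auth->is_api_token_cookie_valid;` is true, the `||=` lines below never run the `admin_password` checks. Nothing visible ties that token to an admin-authenticated session: per the Auth.pm hunk, `$self->{api_token}` is whatever token the session named by the session-ID cookie carries, so if ordinary user sessions also get an api_token (cannot confirm from here) a user's token would satisfy the admin handler. Unless the session layer already scopes tokens to admin sessions, gate the branch on the session's admin state, e.g. `my $ok = $::auth->is_api_token_cookie_valid && defined $::auth->get_session_value('admin_password');`, reusing the session value the third `$ok` line already consults. `handle` starts before and continues after the hunk.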