Allow re-authentication with OpenID

"Rememberme" logins aren't allowed to make changes to an account
(since cookie-stealing is too easy). Users have to re-authenticate.
Previously, it was impossible to do so without having a username and
password; this change lets you do it with OpenID, too.
This commit is contained in:
Evan Prodromou 2009-02-05 11:46:17 -05:00
parent a97f8f6a43
commit 7ad3ff4a2c
4 changed files with 29 additions and 4 deletions

View File

@ -30,7 +30,7 @@ class FinishopenidloginAction extends Action
function handle($args)
{
parent::handle($args);
if (common_logged_in()) {
if (common_is_real_login()) {
$this->clientError(_('Already logged in.'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$token = $this->trimmed('token');

View File

@ -26,7 +26,7 @@ class OpenidloginAction extends Action
function handle($args)
{
parent::handle($args);
if (common_logged_in()) {
if (common_is_real_login()) {
$this->clientError(_('Already logged in.'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$openid_url = $this->trimmed('openid_url');
@ -59,7 +59,16 @@ class OpenidloginAction extends Action
function getInstructions()
{
return _('Login with an [OpenID](%%doc.openid%%) account.');
if (common_logged_in() && !common_is_real_login() &&
common_get_returnto()) {
// rememberme logins have to reauthenticate before
// changing any profile settings (cookie-stealing protection)
return _('For security reasons, please re-login with your ' .
'[OpenID](%%doc.openid%%) ' .
'before changing your settings.');
} else {
return _('Login with an [OpenID](%%doc.openid%%) account.');
}
}
function showPageNotice()

View File

@ -630,4 +630,15 @@ class User extends Memcached_DataObject
return $profile;
}
function hasOpenID()
{
$oid = new User_openid();
$oid->user_id = $this->id;
$cnt = $oid->find();
return ($cnt > 0);
}
}

View File

@ -76,7 +76,12 @@ class SettingsAction extends Action
// change important settings or see private info, and
// _all_ our settings are important
common_set_returnto($this->selfUrl());
common_redirect(common_local_url('login'));
$user = common_current_user();
if ($user->hasOpenID()) {
common_redirect(common_local_url('openidlogin'));
} else {
common_redirect(common_local_url('login'));
}
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$this->handlePost();
} else {