Allow re-authentication with OpenID

"Rememberme" logins aren't allowed to make changes to an account (since cookie-stealing is too easy). Users have to re-authenticate. Previously, it was impossible to do so without having a username and password; this change lets you do it with OpenID, too.
2009-02-05 11:46:17 -05:00 · 2009-02-05 11:46:17 -05:00 · 7ad3ff4a2c
commit 7ad3ff4a2c
parent a97f8f6a43
4 changed files with 29 additions and 4 deletions
--- a/actions/finishopenidlogin.php
+++ b/actions/finishopenidlogin.php
@ -30,7 +30,7 @@ class FinishopenidloginAction extends Action
    function handle($args)
    {
        parent::handle($args);
-        if (common_logged_in()) {
+        if (common_is_real_login()) {
            $this->clientError(_('Already logged in.'));
        } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            $token = $this->trimmed('token');
--- a/actions/openidlogin.php
+++ b/actions/openidlogin.php
@ -26,7 +26,7 @@ class OpenidloginAction extends Action
    function handle($args)
    {
        parent::handle($args);
-        if (common_logged_in()) {
+        if (common_is_real_login()) {
            $this->clientError(_('Already logged in.'));
        } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            $openid_url = $this->trimmed('openid_url');
@ -59,7 +59,16 @@ class OpenidloginAction extends Action

    function getInstructions()
    {
-        return _('Login with an [OpenID](%%doc.openid%%) account.');
+        if (common_logged_in() && !common_is_real_login() &&
+            common_get_returnto()) {
+            // rememberme logins have to reauthenticate before
+            // changing any profile settings (cookie-stealing protection)
+            return _('For security reasons, please re-login with your ' .
+                     '[OpenID](%%doc.openid%%) ' .
+                     'before changing your settings.');
+        } else {
+            return _('Login with an [OpenID](%%doc.openid%%) account.');
+        }
    }

    function showPageNotice()
--- a/classes/User.php
+++ b/classes/User.php
@ -630,4 +630,15 @@ class User extends Memcached_DataObject

        return $profile;
    }
+
+    function hasOpenID()
+    {
+        $oid = new User_openid();
+
+        $oid->user_id = $this->id;
+
+        $cnt = $oid->find();
+
+        return ($cnt > 0);
+    }
 }
--- a/lib/settingsaction.php
+++ b/lib/settingsaction.php
@ -76,7 +76,12 @@ class SettingsAction extends Action
            // change important settings or see private info, and
            // _all_ our settings are important
            common_set_returnto($this->selfUrl());
-            common_redirect(common_local_url('login'));
+            $user = common_current_user();
+            if ($user->hasOpenID()) {
+                common_redirect(common_local_url('openidlogin'));
+            } else {
+                common_redirect(common_local_url('login'));
+            }
        } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            $this->handlePost();
        } else {