From 7ad3ff4a2cd494ef8c1cc293e15c0a70b8786fee Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Thu, 5 Feb 2009 11:46:17 -0500 Subject: [PATCH] Allow re-authentication with OpenID "Rememberme" logins aren't allowed to make changes to an account (since cookie-stealing is too easy). Users have to re-authenticate. Previously, it was impossible to do so without having a username and password; this change lets you do it with OpenID, too. --- actions/finishopenidlogin.php | 2 +- actions/openidlogin.php | 13 +++++++++++-- classes/User.php | 11 +++++++++++ lib/settingsaction.php | 7 ++++++- 4 files changed, 29 insertions(+), 4 deletions(-) diff --git a/actions/finishopenidlogin.php b/actions/finishopenidlogin.php index 880a9505b4..bc91511207 100644 --- a/actions/finishopenidlogin.php +++ b/actions/finishopenidlogin.php @@ -30,7 +30,7 @@ class FinishopenidloginAction extends Action function handle($args) { parent::handle($args); - if (common_logged_in()) { + if (common_is_real_login()) { $this->clientError(_('Already logged in.')); } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { $token = $this->trimmed('token'); diff --git a/actions/openidlogin.php b/actions/openidlogin.php index 7a267a2bdc..1a4372d73e 100644 --- a/actions/openidlogin.php +++ b/actions/openidlogin.php @@ -26,7 +26,7 @@ class OpenidloginAction extends Action function handle($args) { parent::handle($args); - if (common_logged_in()) { + if (common_is_real_login()) { $this->clientError(_('Already logged in.')); } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { $openid_url = $this->trimmed('openid_url'); @@ -59,7 +59,16 @@ class OpenidloginAction extends Action function getInstructions() { - return _('Login with an [OpenID](%%doc.openid%%) account.'); + if (common_logged_in() && !common_is_real_login() && + common_get_returnto()) { + // rememberme logins have to reauthenticate before + // changing any profile settings (cookie-stealing protection) + return _('For security reasons, please re-login with your ' . + '[OpenID](%%doc.openid%%) ' . + 'before changing your settings.'); + } else { + return _('Login with an [OpenID](%%doc.openid%%) account.'); + } } function showPageNotice() diff --git a/classes/User.php b/classes/User.php index b1c061c18f..a6a1b11b9f 100644 --- a/classes/User.php +++ b/classes/User.php @@ -630,4 +630,15 @@ class User extends Memcached_DataObject return $profile; } + + function hasOpenID() + { + $oid = new User_openid(); + + $oid->user_id = $this->id; + + $cnt = $oid->find(); + + return ($cnt > 0); + } } diff --git a/lib/settingsaction.php b/lib/settingsaction.php index dfe1f114b2..53c807c6f9 100644 --- a/lib/settingsaction.php +++ b/lib/settingsaction.php @@ -76,7 +76,12 @@ class SettingsAction extends Action // change important settings or see private info, and // _all_ our settings are important common_set_returnto($this->selfUrl()); - common_redirect(common_local_url('login')); + $user = common_current_user(); + if ($user->hasOpenID()) { + common_redirect(common_local_url('openidlogin')); + } else { + common_redirect(common_local_url('login')); + } } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { $this->handlePost(); } else {