We're using a slightly modified version 1.3.12 in which lib/WikiUser.php has been changed so that BOGO_LOGIN requires a group password. I noticed that there's also a lib/WikiUserNew.php and a lib/WikiUser/BogoLogin.php, but we haven't made any changes to these.
We're using the following settings in config/config.ini:
ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = true
ALLOW_USER_PASSWORDS = true
This all works as expected except for one big problem: putting in a WikiWord in the UserId field (a valid BOGO_LOGIN) and then pressing the "Cancel" button instead of "Sign In" allows a user without the group password to edit the page.
I took a look at the HTML source and here's the form generated for the Sign In page.
<form method="post" action="CrinumHybrids?action=edit" accept-charset="iso-8859-1" name="login">
<table cellspacing="4">
<tr>
<td align="right">UserId:</td>
<td><input type="text" name="auth[userid]" size="12" maxlength="256" value="" /></td>
</tr>
<tr>
<td align="right">Password:</td>
<td><input type="password" name="auth[passwd]" size="12" maxlength="256" /></td>
</tr>
<tr><td align="center" colspan="2">
<input type="submit" value="Sign In" class="wikiaction" /> <input type="submit" value="Cancel" name="auth[cancel]" class="button" /> </td></tr>
</table>
<input type="hidden" name="auth[require_level]" value="0" />
<input type="hidden" name="auth[login]" value="1" />
<input type="hidden" name="action" value="edit" /><input type="hidden" name="pagename" value="CrinumHybrids" /></form>
Is there something I can change so that pressing the "Cancel" button doesn't circumvent the password requirement? Thanks in advance.
Apologies for my mistake, it's not lib/WikiUser.php that was modified, but lib/WikiUser/BogoLogin.php, specifically the function checkPass($submitted_password).
What used to be:
is now:
This works if the user provides a WikiWord for the UserId and the group password defined by BOGO_PASSWORD and presses the "Sign In" button, but can still be circumvented by pressing the "Cancel" button. Note that ENABLE_USER_NEW = true in config.ini. Do you have any suggestions for anything else I could try? Thanks!
auth[cancel] triggers logic in main.php to clear all the auth tokens.
If you use WikiUserNew.php and fixed WikiUser.php, be sure to set ENABLE_USER_NEW = false in your config.ini.
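Because the "Cancel" button is still a POST to action=edit, the safe handling is to treat auth[cancel] as a logout (anonymous, whatever is in auth[userid]) and then let the edit action enforce its own required level. The sketch below is an added illustration of that handling for the form fields quoted in the thread, not PhpWiki's main.php; the WIKIAUTH_* level numbering, the simplified WikiWord pattern and the BOGO_PASSWORD value are assumptions.

```php
<?php
// Added model of the Sign In POST handling, not PhpWiki's own code.
const ALLOW_ANON_EDIT  = false;                      // from the thread's config.ini
const ALLOW_BOGO_LOGIN = true;                       // from the thread's config.ini
const BOGO_PASSWORD    = 'replace-with-group-password'; // placeholder value, assumed constant name

const WIKIAUTH_ANON = 0;  // assumed level numbering for this model
const WIKIAUTH_BOGO = 1;

function isWikiWord(string $s): bool {
    // Simplified WikiWord test: two or more capitalised word parts, e.g. CrinumHybrids.
    return (bool) preg_match('/^(?:[A-Z][a-z0-9]+){2,}$/', $s);
}

// Resolve the auth level from the auth[] fields of the posted form.
function authLevelFromForm(array $auth): int {
    // Cancel means "no credentials": tokens are cleared and the request is anonymous,
    // regardless of whether auth[userid] holds a valid WikiWord.
    if (!empty($auth['cancel'])) {
        return WIKIAUTH_ANON;
    }
    $userid = $auth['userid'] ?? '';
    $passwd = $auth['passwd'] ?? '';
    // Bogo login is granted only with a WikiWord AND the group password.
    if (ALLOW_BOGO_LOGIN && isWikiWord($userid) && hash_equals(BOGO_PASSWORD, $passwd)) {
        return WIKIAUTH_BOGO;
    }
    return WIKIAUTH_ANON;
}

// The edit action re-checks the level itself instead of trusting the login form.
function mayEdit(int $level): bool {
    return ALLOW_ANON_EDIT || $level >= WIKIAUTH_BOGO;
}

// Constructed requests mirroring the cases described in the thread.
$cases = [
    'sign in, group password' => ['userid' => 'CrinumHybrids', 'passwd' => BOGO_PASSWORD, 'login' => '1'],
    'sign in, no password'    => ['userid' => 'CrinumHybrids', 'passwd' => '', 'login' => '1'],
    'cancel with WikiWord'    => ['userid' => 'CrinumHybrids', 'passwd' => '', 'login' => '1', 'cancel' => 'Cancel'],
];
foreach ($cases as $name => $auth) {
    printf("%-26s -> %s\n", $name, mayEdit(authLevelFromForm($auth)) ? 'edit allowed' : 'edit denied');
}
```

Only the first case should print "edit allowed"; the Cancel case must come out anonymous even though the UserId field contains a valid WikiWord.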