Cancel button on Sign In

Help
Crinumaniac
2007-04-12
2012-10-11

  • Crinumaniac

    Crinumaniac - 2007-04-12

    We're using a slightly modified version 1.3.12 in which lib/WikiUser.php has been changed so that BOGO_LOGIN requires a group password. I noticed that there's also a lib/WikiUserNew.php and a lib/WikiUser/BogoLogin.php, but we haven't made any changes to these.

    We're using the the following settings in config/config.ini:

    ALLOW_ANON_USER = true
    ALLOW_ANON_EDIT = false
    ALLOW_BOGO_LOGIN = true
    ALLOW_USER_PASSWORDS = true

    This all works as expected except for one big problem, putting in a WikiWord in the UserId field (a valid BOGO_LOGIN) and then pressing the "Cancel" button instead of the "Sign In" allows a user without the group password to edit the page.

    I took a look at the html source and here's the form generated for the Sign In page.

    <form method="post" action="CrinumHybrids?action=edit" accept-charset="iso-8859-1" name="login">
    <table cellspacing="4">
    <tr>
    <td align="right">UserId:</td>
    <td><input type="text" name="auth[userid]" size="12" maxlength="256" value="" /></td>
    </tr>
    <tr>
    <td align="right">Password:</td>
    <td><input type="password" name="auth[passwd]" size="12" maxlength="256" /></td>
    </tr>
    <tr><td align="center" colspan="2">
    <input type="submit" value="Sign In" class="wikiaction" /> <input type="submit" value="Cancel" name="auth[cancel]" class="button" /> </td></tr>
    </table>

    <input type="hidden" name="auth[require_level]" value="0" />
    <input type="hidden" name="auth[login]" value="1" />
    <input type="hidden" name="action" value="edit" /><input type="hidden" name="pagename" value="CrinumHybrids" /></form>

    Is there something I can change so that pressing the "Cancel" button doesn't circumvent the password requirement? Thanks in advance.

     

    • Crinumaniac

      Crinumaniac - 2007-04-12

      Apologies for my mistake, it's not lib/WikiUser.php that was modified, but lib/WikiUser/BogoLogin.php, specifically the function checkPass($submitted_password).

      What used to be:

          if (isWikiWord($this-&gt;_userid) {
        $this-&gt;_level = WIKIAUTH_BOGO;
    } else {
        $this-&gt;_level = WIKIAUTH_ANON;
    }

      is now:

          if (isWikiWord($this-&gt;_userid) &amp;&amp;
        !empty($submitted_password) &amp;&amp;
        $submitted_password == BOGO_PASSWORD) {
        $this-&gt;_level = WIKIAUTH_BOGO;
    } else {
        $this-&gt;_level = WIKIAUTH_ANON;
    }

      This works if the user provides a WikiWord for the UserId and the group password defined by BOGO_PASSWORD and presses the "Sign In" button, but can still be circumvented by pressing the "Cancel" button. Note that ENABLE_USER_NEW = true in config.ini. Do you have any suggestions for any thing else I could try? Thanks!

       

    • Reini Urban

      Reini Urban - 2007-04-12

      auth[cancel] triggers a logic in main.php to clear all the auth tokens.

      If you use WikiUserNew.php and fixed WikiUser.php, be sure to set
      ENABLE_USER_NEW = false in your config.ini.

       

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks