Crinumaniac - 2007-04-17

We're using a slightly modified version 1.3.12 which has been changed so that BOGO_LOGIN requires a group password. The change was made in lib/WikiUser/BogoLogin.php, specifically the function checkPass($submitted_password).

What used to be:

if (isWikiWord($this->_userid)) {
    $this->_level = WIKIAUTH_BOGO;
} else {
    $this->_level = WIKIAUTH_ANON;
}

is now:

if (isWikiWord($this->_userid) &&
    !empty($submitted_password) &&
    $submitted_password == BOGO_PASSWORD) {
    $this->_level = WIKIAUTH_BOGO;
} else {
    $this->_level = WIKIAUTH_ANON;
}

If the user provides a WikiWord for the UserId and the group password defined by BOGO_PASSWORD and presses the "Sign In" button, they can log in, but they can't log in by pressing the "Sign In" button if they don't provide a WikiWord for UserId and the group password. That's all great, but if they provide a WikiWord for the UserId and press the "Cancel" button instead of "Sign In", they can log in and edit without providing any password.

We're using the following settings in config/config.ini:

ALLOW_ANON_USER = true
ALLOW_ANON_EDIT = false
ALLOW_BOGO_LOGIN = true
ALLOW_USER_PASSWORDS = true
ENABLE_USER_NEW = true

Is there something I can change so that pressing the "Cancel" button doesn't circumvent the password requirement? Thanks in advance.