BUGFIX Fixed case where logging in with a session member ID that didn't exist in the database stopped you from being able to "Log in as someone else"

MINOR Added test for the case where a member ID exists in the session, but doesn't exist in the DB



git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@75039 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sean Harvey 2009-04-23 07:37:36 +00:00 committed by Sam Minnee
parent 3674676225
commit 6cb8eca75f
2 changed files with 44 additions and 1 deletions


@ -43,7 +43,16 @@ class MemberLoginForm extends LoginForm {
$backURL = Session::get('BackURL');
}
if($checkCurrentUser && Member::currentUserID()) {
// We assume if session is storing a member ID, that member exists in the DB
$sessMemberExistsInDB = true;
if($sessionMemberID = Member::currentUserID()) {
$sessMemberInDB = DataObject::get_by_id('Member', $sessionMemberID);
if(!($sessMemberInDB && $sessMemberInDB->exists())) {
$sessMemberExistsInDB = false;
}
}
if($checkCurrentUser && Member::currentUserID() && $sessMemberExistsInDB) {
$fields = new FieldSet(
new HiddenField("AuthenticationMethod", null, $this->authenticator_class, $this)
);
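Review bot: The `DataObject::get_by_id` lookup that follows `$sessMemberExistsInDB = true` runs on every form construction, even when `$checkCurrentUser` is false, and the comment above it (`// We assume if session is storing a member ID, that member exists in the DB`) now states the opposite of what the block does, since the block's whole purpose is to verify that assumption. Folding the guard into the condition avoids the extra query and the three separate calls to `Member::currentUserID()`: `if($checkCurrentUser && ($sessionMemberID = Member::currentUserID())) {` for the lookup, and `if($checkCurrentUser && $sessionMemberID && $sessMemberExistsInDB) {` for the later test. The comment could read `// Default to true; checked against the DB below so a stale session ID does not suppress the login fields`. Note that a stale `loggedInAs` value stays in the session after this check; whether it should be cleared at this point is outside the hunk, as is the start of the enclosing method.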


@ -65,6 +65,40 @@ class SecurityTest extends FunctionalTest {
$this->session()->inst_set('loggedInAs', null);
}
function testMemberIDInSessionDoesntExistInDatabase() {
/* Log in with a Member ID that doesn't exist in the DB */
$this->session()->inst_set('loggedInAs', 500);
/* We're simulating a redirection because of a permission failure, so we need to set auto following */
$this->autoFollowRedirection = true;
/* Attempt to get into the admin section */
$this->get('admin');
$items = $this->cssParser()->getBySelector('#MemberLoginForm_LoginForm input.text');
/* We have 2 text inputs - one for email, and another for the password */
$this->assertEquals(count($items), 2, 'There are 2 inputs - one for email, another for password');
$member = DataObject::get_one('Member');
unset($items);
/* Now, log in with a Member ID that DOES exist in the DB */
$this->session()->inst_set('loggedInAs', $member->ID);
/* Attempt to get into the admin section */
$this->get('admin');
$items = $this->cssParser()->getBySelector('#MemberLoginForm_LoginForm input.text');
/* We have 2 text inputs - one for email, and another for the password */
$this->assertEquals(count($items), 2, 'There are 2 inputs - one for email, another for password');
/* Log the user out */
$this->session()->inst_set('loggedInAs', null);
}
function testExternalBackUrlRedirectionDisallowed() {
// Test internal relative redirect
$response = $this->doTestLoginForm('noexpiry@silverstripe.com', '1nitialPassword', 'testpage');
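Review bot: `$member = DataObject::get_one('Member');` is used unchecked on the `inst_set('loggedInAs', $member->ID)` line, so a fixture with no members turns this test into a fatal error instead of a failure; `$this->assertNotNull($member, 'Fixture must provide at least one Member');` before that line keeps the failure readable. Both `assertEquals(count($items), 2, ...)` calls pass the actual value first, so a failure message will report the expected and actual counts swapped; `$this->assertEquals(2, count($items), ...)` is the conventional order. The literal `500` is assumed to be absent from the fixture, which holds for the current data but is worth a comment such as `/* 500 is chosen because the fixture never creates that many members */`. The second half of the test appears to assert exactly the same outcome as the first, so it documents that a valid member also reaches the form but does not check anything that differs between the two cases.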