Commit ce3542d8 authored by Gábor Hojtsy's avatar Gábor Hojtsy

#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user...

#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user login tasks, such as session id regeneration, were not performed in all cases, so centralize them
parent 05000841
...@@ -1114,7 +1114,7 @@ function install_configure_form_submit($form, &$form_state) { ...@@ -1114,7 +1114,7 @@ function install_configure_form_submit($form, &$form_state) {
$merge_data = array('init' => $form_state['values']['mail'], 'roles' => array(), 'status' => 1); $merge_data = array('init' => $form_state['values']['mail'], 'roles' => array(), 'status' => 1);
user_save($account, array_merge($form_state['values'], $merge_data)); user_save($account, array_merge($form_state['values'], $merge_data));
// Log in the first user. // Log in the first user.
user_authenticate($form_state['values']['name'], trim($form_state['values']['pass'])); user_authenticate($form_state['values']);
$form_state['values'] = $form_state['old_values']; $form_state['values'] = $form_state['old_values'];
unset($form_state['old_values']); unset($form_state['old_values']);
variable_set('user_email_verification', TRUE); variable_set('user_email_verification', TRUE);
...@@ -507,7 +507,7 @@ function blogapi_error($message) { ...@@ -507,7 +507,7 @@ function blogapi_error($message) {
function blogapi_validate_user($username, $password) { function blogapi_validate_user($username, $password) {
global $user; global $user;
$user = user_authenticate($username, $password); $user = user_authenticate(array('name' => $username, 'pass' => $password));
if ($user->uid) { if ($user->uid) {
if (user_access('edit own blog', $user)) { if (user_access('edit own blog', $user)) {
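Review bot: `$user = user_authenticate(...)` on the third line of the hunk still overwrites the global $user with the function's return value, and user_authenticate() returns nothing on a failed login, so a bad XML-RPC credential leaves `$user` as NULL and the following `$user->uid` test runs against a non-object instead of the anonymous user object. Because user_authenticate() now also runs user_authenticate_finalize(), every successful blogapi request writes the users.login timestamp and regenerates the session, and the comment in user_authenticate_finalize() says that timestamp invalidates one-time login links, so an API call would void a pending password-reset link for that author — worth confirming that is intended. Since user_authenticate() already sets the global on success, the assignment can be dropped: `user_authenticate(array('name' => $username, 'pass' => $password));` followed by the existing `if ($user->uid)` check. The body of blogapi_validate_user() continues past the end of the hunk.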
...@@ -1238,8 +1238,6 @@ function user_login_default_validators() { ...@@ -1238,8 +1238,6 @@ function user_login_default_validators() {
/** /**
* A FAPI validate handler. Sets an error is supplied username has been blocked or denied access. * A FAPI validate handler. Sets an error is supplied username has been blocked or denied access.
*
* @return void
*/ */
function user_login_name_validate($form, &$form_state) { function user_login_name_validate($form, &$form_state) {
if (isset($form_state['values']['name'])) { if (isset($form_state['values']['name'])) {
...@@ -1259,7 +1257,7 @@ function user_login_name_validate($form, &$form_state) { ...@@ -1259,7 +1257,7 @@ function user_login_name_validate($form, &$form_state) {
* against local users table. If successful, sets the global $user object. * against local users table. If successful, sets the global $user object.
*/ */
function user_login_authenticate_validate($form, &$form_state) { function user_login_authenticate_validate($form, &$form_state) {
user_authenticate($form_state['values']['name'], trim($form_state['values']['pass'])); user_authenticate($form_state['values']);
} }
/** /**
...@@ -1277,18 +1275,45 @@ function user_login_final_validate($form, &$form_state) { ...@@ -1277,18 +1275,45 @@ function user_login_final_validate($form, &$form_state) {
/** /**
* Try to log in the user locally. * Try to log in the user locally.
* *
* @param $form_values
* Form values with at least 'name' and 'pass' keys, as well as anything else
* which should be passed along to hook_user op 'login'.
*
* @return * @return
* A $user object, if successful. * A $user object, if successful.
*/ */
function user_authenticate($name, $pass) { function user_authenticate($form_values = array()) {
global $user; global $user;
if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) { // Name and pass keys are required.
if (!empty($form_values['name']) && !empty($form_values['pass']) &&
$account = user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1))) {
$user = $account; $user = $account;
user_authenticate_finalize($form_values);
return $user; return $user;
} }
} }
/**
* Finalize the login process. Must be called when logging in a user.
*
* The function records a watchdog message about the new session, saves the
* login timestamp, calls hook_user op 'login' and generates a new session.
*
* $param $edit
* This array is passed to hook_user op login.
*/
function user_authenticate_finalize(&$edit) {
global $user;
watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
// Update the user table timestamp noting user has logged in.
// This is also used to invalidate one-time login links.
$user->login = time();
db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
user_module_invoke('login', $edit, $user);
sess_regenerate();
}
/** /**
* A validate handler on the login form. Update user's login timestamp, fire * A validate handler on the login form. Update user's login timestamp, fire
* hook_user('login), and generate new session ID. * hook_user('login), and generate new session ID.
...@@ -1296,14 +1321,6 @@ function user_authenticate($name, $pass) { ...@@ -1296,14 +1321,6 @@ function user_authenticate($name, $pass) {
function user_login_submit($form, &$form_state) { function user_login_submit($form, &$form_state) {
global $user; global $user;
if ($user->uid) { if ($user->uid) {
watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
// Update the user table timestamp noting user has logged in.
db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
user_module_invoke('login', $form_state['values'], $user);
sess_regenerate();
$form_state['redirect'] = 'user/'. $user->uid; $form_state['redirect'] = 'user/'. $user->uid;
return; return;
} }
...@@ -2178,7 +2195,7 @@ function user_register_submit($form, &$form_state) { ...@@ -2178,7 +2195,7 @@ function user_register_submit($form, &$form_state) {
drupal_set_message(t('</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass))); drupal_set_message(t('</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass)));
} }
user_authenticate($account->name, trim($pass)); user_authenticate(array_merge($form_state['values'], $merge_data));
$form_state['redirect'] = 'user/1/edit'; $form_state['redirect'] = 'user/1/edit';
return; return;
...@@ -2192,7 +2209,7 @@ function user_register_submit($form, &$form_state) { ...@@ -2192,7 +2209,7 @@ function user_register_submit($form, &$form_state) {
else if (!variable_get('user_email_verification', TRUE) && $account->status && !$admin) { else if (!variable_get('user_email_verification', TRUE) && $account->status && !$admin) {
// No e-mail verification is required, create new user account, and login user immediately. // No e-mail verification is required, create new user account, and login user immediately.
_user_mail_notify('register_no_approval_required', $account); _user_mail_notify('register_no_approval_required', $account);
if (user_authenticate($account->name, trim($pass))) { if (user_authenticate(array_merge($form_state['values'], $merge_data))) {
drupal_set_message(t('Registration successful. You are now logged in.')); drupal_set_message(t('Registration successful. You are now logged in.'));
} }
$form_state['redirect'] = ''; $form_state['redirect'] = '';
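Review bot: In the docblock of the new user_authenticate_finalize() the tag `$param $edit` is a typo for `@param $edit`, so the parameter description is lost to the API documentation parser. The function also has no guard for the anonymous case: if a caller reaches it while `$user->uid` is 0 it logs a "Session opened" entry for the anonymous user, writes the login timestamp for uid 0 and regenerates the session, so a defensive `if (!$user->uid) { return; }` at the top would enforce the "must be called when logging in a user" contract rather than rely on every caller. In user_authenticate(), `!empty($form_values['pass'])` rejects the literal password `'0'` because empty('0') is TRUE in PHP; `isset($form_values['pass']) && trim($form_values['pass']) !== ''` would check presence without that side effect. The docblock kept above user_login_submit() ("A validate handler on the login form. Update user's login timestamp, fire hook_user('login), and generate new session ID.") now describes work that moved into user_authenticate_finalize() and misnames the handler; it should read roughly `A submit handler on the login form. Redirects an authenticated user to their account page.` Several of these hunks cut through functions whose bodies continue outside the shown lines.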
...@@ -96,14 +96,11 @@ function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action = ...@@ -96,14 +96,11 @@ function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action =
// First stage is a confirmation form, then login // First stage is a confirmation form, then login
if ($action == 'login') { if ($action == 'login') {
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp)); watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
// Update the user table noting user has logged in. // Set the new user.
// And this also makes this hashed password a one-time-only login.
db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid);
// Now we can set the new user.
$user = $account; $user = $account;
// And proceed with normal login, going to user page. // user_authenticate_finalize() also updates the login timestamp of the
$edit = array(); // user, which invalidates further use of the one-time login link.
user_module_invoke('login', $edit, $user); user_authenticate_finalize($form_state['values']);
drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.')); drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
drupal_goto('user/'. $user->uid .'/edit'); drupal_goto('user/'. $user->uid .'/edit');
} }
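Review bot: `user_authenticate_finalize($form_state['values'])` on the last changed line hands the reset form's `$form_state['values']` to hook_user op 'login', but user_pass_reset() is the form builder (its `&$form_state` signature is in the hunk header) and on the `$action == 'login'` request no submission has populated that array, so the by-reference parameter most likely receives a freshly created NULL element instead of the empty array the removed `$edit = array();` used to pass; modules that index `$edit` as an array will see NULL. Passing an explicit array keeps the previous contract: `$edit = array(); user_authenticate_finalize($edit);`. The "Session opened" watchdog call inside user_authenticate_finalize() now lands next to the "used one-time login link" entry written two lines above, so each reset login produces two log rows — acceptable, but worth a comment if intentional. The enclosing function begins before the hunk.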