Commit ce3542d8 authored by Gábor Hojtsy

#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user...

#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user login tasks, such as session id regeneration, were not performed in all cases, so centralize this
parent 05000841
......@@ -1114,7 +1114,7 @@ function install_configure_form_submit($form, &$form_state) {
$merge_data = array('init' => $form_state['values']['mail'], 'roles' => array(), 'status' => 1);
user_save($account, array_merge($form_state['values'], $merge_data));
// Log in the first user.
user_authenticate($form_state['values']['name'], trim($form_state['values']['pass']));
user_authenticate($form_state['values']);
$form_state['values'] = $form_state['old_values'];
unset($form_state['old_values']);
variable_set('user_email_verification', TRUE);
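Review bot: The return of `user_authenticate($form_state['values'])` is not checked, so if the account saved just above cannot be loaded as an active user the installer carries on with no session and no message. The checked form this commit uses in user_register_submit, `if (!user_authenticate($form_state['values'])) { ... }`, would let the installer report the problem; what it should do in that case is a design choice not visible here. install_configure_form_submit starts and ends outside the hunk.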
......@@ -507,7 +507,7 @@ function blogapi_error($message) {
function blogapi_validate_user($username, $password) {
global $user;
$user = user_authenticate($username, $password);
$user = user_authenticate(array('name' => $username, 'pass' => $password));
if ($user->uid) {
if (user_access('edit own blog', $user)) {
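Review bot: The result of `user_authenticate(...)` is written straight into the global `$user`, but the new user_authenticate() already assigns the global on success and returns nothing on failure (its docblock promises an object only "if successful"), so a wrong name/password replaces the global user object with NULL right before `$user->uid` dereferences it. Dropping the assignment, `user_authenticate(array('name' => $username, 'pass' => $password));`, leaves the anonymous global intact on failure — assuming, as is normal after bootstrap, that `$user` is already an object here — and the following `if ($user->uid)` then behaves as intended. Since user_authenticate() now also runs user_authenticate_finalize(), each successful XML-RPC login regenerates the session and writes the login timestamp; that appears to be the commit's intent, and a one-line comment saying so here would help the next reader. blogapi_validate_user ends outside the hunk.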
......@@ -1238,8 +1238,6 @@ function user_login_default_validators() {
/**
* A FAPI validate handler. Sets an error is supplied username has been blocked or denied access.
*
* @return void
*/
function user_login_name_validate($form, &$form_state) {
if (isset($form_state['values']['name'])) {
......@@ -1259,7 +1257,7 @@ function user_login_name_validate($form, &$form_state) {
* against local users table. If successful, sets the global $user object.
*/
function user_login_authenticate_validate($form, &$form_state) {
user_authenticate($form_state['values']['name'], trim($form_state['values']['pass']));
user_authenticate($form_state['values']);
}
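Review bot: user_login_authenticate_validate() now performs the full login side effects — the `{users}` login timestamp write, hook_user 'login' and sess_regenerate() — from inside a validate handler, before user_login_final_validate() (declared just below) has run, and a later form error cannot undo a regenerated session or the updated timestamp. That ordering appears to be intended by the commit, but it is worth stating in the function's docblock, e.g. `Note: on success this also finalizes the login (login timestamp, hook_user 'login', session regeneration); a validator that runs later cannot undo those effects.` The docblock above the function starts outside the hunk.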
/**
......@@ -1277,18 +1275,45 @@ function user_login_final_validate($form, &$form_state) {
/**
* Try to log in the user locally.
*
* @param $form_values
* Form values with at least 'name' and 'pass' keys, as well as anything else
* which should be passed along to hook_user op 'login'.
*
* @return
* A $user object, if successful.
*/
function user_authenticate($name, $pass) {
function user_authenticate($form_values = array()) {
global $user;
if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
// Name and pass keys are required.
if (!empty($form_values['name']) && !empty($form_values['pass']) &&
$account = user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1))) {
$user = $account;
user_authenticate_finalize($form_values);
return $user;
}
}
/**
* Finalize the login process. Must be called when logging in a user.
*
* The function records a watchdog message about the new session, saves the
* login timestamp, calls hook_user op 'login' and generates a new session.
*
* $param $edit
* This array is passed to hook_user op login.
*/
function user_authenticate_finalize(&$edit) {
global $user;
watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
// Update the user table timestamp noting user has logged in.
// This is also used to invalidate one-time login links.
$user->login = time();
db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
user_module_invoke('login', $edit, $user);
sess_regenerate();
}
/**
* A validate handler on the login form. Update user's login timestamp, fire
* hook_user('login), and generate new session ID.
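Review bot: The docblock on user_authenticate_finalize() has a typo in its parameter tag, `$param $edit`, which should be `@param $edit` so documentation tooling recognises it. user_authenticate()'s docblock also covers only the success case; since the function falls off the end (implicit NULL) when the name/pass keys are missing or user_load() returns nothing, and leaves the global `$user` untouched in that case, adding `NULL otherwise; the global $user is only replaced on success.` under `@return` makes that contract explicit for callers that assign the result. One caveat on the guard: `!empty($form_values['pass'])` treats the string `'0'` as absent, so an account whose password is literally `0` cannot log in through this path; `isset($form_values['pass']) && $form_values['pass'] !== ''` avoids that if it matters. user_login_final_validate's docblock at the top of the hunk continues from outside it.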
......@@ -1296,14 +1321,6 @@ function user_authenticate($name, $pass) {
function user_login_submit($form, &$form_state) {
global $user;
if ($user->uid) {
watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
// Update the user table timestamp noting user has logged in.
db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
user_module_invoke('login', $form_state['values'], $user);
sess_regenerate();
$form_state['redirect'] = 'user/'. $user->uid;
return;
}
......@@ -2178,7 +2195,7 @@ function user_register_submit($form, &$form_state) {
drupal_set_message(t('</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass)));
}
user_authenticate($account->name, trim($pass));
user_authenticate(array_merge($form_state['values'], $merge_data));
$form_state['redirect'] = 'user/1/edit';
return;
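Review bot: The return of `user_authenticate(array_merge($form_state['values'], $merge_data))` is ignored here, while the identical call in the next hunk (the no-verification branch) is checked with `if (...)`; if the first account cannot be authenticated the form still redirects to `user/1/edit` without a session. Mirroring that check, `if (!user_authenticate(array_merge($form_state['values'], $merge_data))) { drupal_set_message(t('...'), 'error'); }` — with whatever message fits — would keep the two branches consistent. This also relies on `$merge_data` (built outside the hunk) carrying the generated `$pass`, since otherwise the form's own `pass` value rather than the password shown in the message above would be used to authenticate. user_register_submit starts and ends outside the hunk.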
......@@ -2192,7 +2209,7 @@ function user_register_submit($form, &$form_state) {
else if (!variable_get('user_email_verification', TRUE) && $account->status && !$admin) {
// No e-mail verification is required, create new user account, and login user immediately.
_user_mail_notify('register_no_approval_required', $account);
if (user_authenticate($account->name, trim($pass))) {
if (user_authenticate(array_merge($form_state['values'], $merge_data))) {
drupal_set_message(t('Registration successful. You are now logged in.'));
}
$form_state['redirect'] = '';
......@@ -96,14 +96,11 @@ function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action =
// First stage is a confirmation form, then login
if ($action == 'login') {
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
// Update the user table noting user has logged in.
// And this also makes this hashed password a one-time-only login.
db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid);
// Now we can set the new user.
// Set the new user.
$user = $account;
// And proceed with normal login, going to user page.
$edit = array();
user_module_invoke('login', $edit, $user);
// user_authenticate_finalize() also updates the login timestamp of the
// user, which invalidates further use of the one-time login link.
user_authenticate_finalize($form_state['values']);
drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
drupal_goto('user/'. $user->uid .'/edit');
}
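Review bot: `user_authenticate_finalize($form_state['values'])` passes a key by reference that may not exist at this point: user_pass_reset() is a form builder, and `$form_state['values']` is normally populated only during form processing, so if it is unset here the reference creates it as NULL and hook_user 'login' receives NULL where the removed code passed `array()`. A hook implementation that does array operations on `$edit` would then emit warnings. Guarding it keeps the old contract: `$edit = isset($form_state['values']) ? $form_state['values'] : array();` followed by `user_authenticate_finalize($edit);`. Whether `$form_state['values']` is populated on this path depends on how the login action reaches this builder, which is outside the hunk.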