#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user...

#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user login tasks, such as session id regeneration were not performed in all cases, so centralize this

#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user...
#152497 by JohnAlbin, bdragon, moshe weitzman, chx and myself: several user login tasks, such as session id regeneration were not performed in all cases, so centralize this
ce3542d8 · Gábor Hojtsy · 05000841 · ce3542d8 · ce3542d8 · ce3542d8
Commit ce3542d8 authored Dec 13, 2007 by Gábor Hojtsy
Showing with 38 additions and 24 deletions

install.php install.php +1 -1

blogapi.module modules/blogapi/blogapi.module +1 -1

user.module modules/user/user.module +32 -15

user.pages.inc modules/user/user.pages.inc +4 -7

No files found.
--- a/install.php
+++ b/install.php
@@ -1114,7 +1114,7 @@ function install_configure_form_submit($form, &$form_state) {
  $merge_data = array('init' => $form_state['values']['mail'], 'roles' => array(), 'status' => 1);
  user_save($account, array_merge($form_state['values'], $merge_data));
  // Log in the first user.
-  user_authenticate($form_state['values']['name'], trim($form_state['values']['pass']));
+  user_authenticate($form_state['values']);
  $form_state['values'] = $form_state['old_values'];
  unset($form_state['old_values']);
  variable_set('user_email_verification', TRUE);

--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -507,7 +507,7 @@ function blogapi_error($message) {
 function blogapi_validate_user($username, $password) {
  global $user;

-  $user = user_authenticate($username, $password);
+  $user = user_authenticate(array('name' => $username, 'pass' => $password));

  if ($user->uid) {
    if (user_access('edit own blog', $user)) {

--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1238,8 +1238,6 @@ function user_login_default_validators() {

 /**
 * A FAPI validate handler. Sets an error is supplied username has been blocked or denied access.
- *
- * @return void
 */
 function user_login_name_validate($form, &$form_state) {
  if (isset($form_state['values']['name'])) {
@@ -1259,7 +1257,7 @@ function user_login_name_validate($form, &$form_state) {
 * against local users table. If successful, sets the global $user object.
 */
 function user_login_authenticate_validate($form, &$form_state) {
-  user_authenticate($form_state['values']['name'], trim($form_state['values']['pass']));
+  user_authenticate($form_state['values']);
 }

 /**
@@ -1277,18 +1275,45 @@ function user_login_final_validate($form, &$form_state) {
 /**
 * Try to log in the user locally.
 *
+ * @param $form_values
+ *   Form values with at least 'name' and 'pass' keys, as well as anything else
+ *   which should be passed along to hook_user op 'login'.
+ *
 * @return
 *  A $user object, if successful.
 */
-function user_authenticate($name, $pass) {
+function user_authenticate($form_values = array()) {
  global $user;

-  if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
+  // Name and pass keys are required.
+  if (!empty($form_values['name']) && !empty($form_values['pass']) &&
+      $account = user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1))) {
    $user = $account;
+    user_authenticate_finalize($form_values);
    return $user;
  }
 }

+/**
+ * Finalize the login process. Must be called when logging in a user.
+ *
+ * The function records a watchdog message about the new session, saves the
+ * login timestamp, calls hook_user op 'login' and generates a new session.
+ *
+ * $param $edit
+ *   This array is passed to hook_user op login.
+ */
+function user_authenticate_finalize(&$edit) {
+  global $user;
+  watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
+  // Update the user table timestamp noting user has logged in.
+  // This is also used to invalidate one-time login links.
+  $user->login = time();
+  db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
+  user_module_invoke('login', $edit, $user);
+  sess_regenerate();
+}
+
 /**
 * A validate handler on the login form. Update user's login timestamp, fire
 * hook_user('login), and generate new session ID.
@@ -1296,14 +1321,6 @@ function user_authenticate($name, $pass) {
 function user_login_submit($form, &$form_state) {
  global $user;
  if ($user->uid) {
-    watchdog('user', 'Session opened for %name.', array('%name' => $user->name));
-
-    // Update the user table timestamp noting user has logged in.
-    db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $user->uid);
-
-    user_module_invoke('login', $form_state['values'], $user);
-
-    sess_regenerate();
    $form_state['redirect'] = 'user/'. $user->uid;
    return;
  }
@@ -2178,7 +2195,7 @@ function user_register_submit($form, &$form_state) {
      drupal_set_message(t('</p><p> Your password is <strong>%pass</strong>. You may change your password below.</p>', array('%pass' => $pass)));
    }

-    user_authenticate($account->name, trim($pass));
+    user_authenticate(array_merge($form_state['values'], $merge_data));

    $form_state['redirect'] = 'user/1/edit';
    return;
@@ -2192,7 +2209,7 @@ function user_register_submit($form, &$form_state) {
    else if (!variable_get('user_email_verification', TRUE) && $account->status && !$admin) {
      // No e-mail verification is required, create new user account, and login user immediately.
      _user_mail_notify('register_no_approval_required', $account);
-      if (user_authenticate($account->name, trim($pass))) {
+      if (user_authenticate(array_merge($form_state['values'], $merge_data))) {
        drupal_set_message(t('Registration successful. You are now logged in.'));
      }
      $form_state['redirect'] = '';

--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -96,14 +96,11 @@ function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action =
        // First stage is a confirmation form, then login
        if ($action == 'login') {
          watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
-          // Update the user table noting user has logged in.
-          // And this also makes this hashed password a one-time-only login.
-          db_query("UPDATE {users} SET login = %d WHERE uid = %d", time(), $account->uid);
-          // Now we can set the new user.
+          // Set the new user.
          $user = $account;
-          // And proceed with normal login, going to user page.
-          $edit = array();
-          user_module_invoke('login', $edit, $user);
+          // user_authenticate_finalize() also updates the login timestamp of the
+          // user, which invalidates further use of the one-time login link.
+          user_authenticate_finalize($form_state['values']);
          drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
          drupal_goto('user/'. $user->uid .'/edit');
        }