[geeklog-hg] geeklog: Security tokens now work with anonymous users (bug #000...
Sat Apr 26 10:40:26 EDT 2014
changeset 9526:986772bab6f4
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/986772bab6f4
user: Tom
date: Sat Apr 26 10:40:07 2014 -0400
description:
Security tokens now work with anonymous users (bug #0001735)
diffstat:
system/lib-security.php | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
diffs (30 lines):
diff -r 5493cc8bf9fc -r 986772bab6f4 system/lib-security.php
--- a/system/lib-security.php Sat Apr 05 10:33:01 2014 -0400
+++ b/system/lib-security.php Sat Apr 26 10:40:07 2014 -0400
@@ -1380,10 +1380,12 @@
. " AND (ttl > 0)";
DB_query($sql);
- /* Destroy tokens for this user/url combination */
- $sql = "DELETE FROM {$_TABLES['tokens']} WHERE owner_id='{$uid}' AND urlfor='$pageURL'";
- DB_query($sql);
-
+ /* Destroy tokens for this user/url combination. Since annonymous user share same id do not delete */
+ if ($uid != 1) {
+ $sql = "DELETE FROM {$_TABLES['tokens']} WHERE owner_id = '{$uid}' AND urlfor= '$pageURL'";
+ DB_query($sql);
+ }
+
/* Create a token for this user/url combination */
/* NOTE: TTL mapping for PageURL not yet implemented */
$sql = "INSERT INTO {$_TABLES['tokens']} (token, created, owner_id, urlfor, ttl) "
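Review bot: The rewritten DELETE on the third added line still splices `$uid` and `$pageURL` into the SQL string unescaped, and the new guard compares with a bare `1` using loose `!=`; since this path now runs for every logged-in page view, it should read `if ((int) $uid !== 1) {` and `$sql = "DELETE FROM {$_TABLES['tokens']} WHERE owner_id = " . (int) $uid . " AND urlfor = '" . DB_escapeString($pageURL) . "'";`. The skip for anonymous users also means anonymous token rows are reaped only by the TTL cleanup query visible at the top of the hunk, so the table grows by one row per anonymous page view until expiry; the comment should say so, e.g. `/* Anonymous users share owner_id 1, so their tokens are left for the TTL cleanup above rather than deleted here */` (which also fixes the "annonymous" typo). The enclosing function starts before and continues after this hunk.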
@@ -1498,7 +1500,8 @@
* token is not expired.
* the http referer is the url for which the token was created.
*/
- if( $_USER['uid'] != $tokendata['owner_id'] ) {
+ $uid = isset($_USER['uid']) ? $_USER['uid'] : 1;
+ if ($uid != $tokendata['owner_id']) {
$return = false;
} else if($tokendata['urlfor'] != $_SERVER['HTTP_REFERER']) {
$return = false;
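Review bot: With every anonymous visitor mapped to owner_id 1 on the first added line, the owner check on the next line no longer ties a token to the visitor it was issued to: a token created for any anonymous session passes for any other anonymous session with the same urlfor, leaving the Referer comparison below as the only per-request binding, and that header is client-supplied and often absent. That weakening is presumably acceptable for the bug being fixed, but it should be stated where the check lives, e.g. `/* NOTE: anonymous tokens (owner_id 1) are shared by all anonymous visitors; only the urlfor/Referer check distinguishes them */`, and the comparison should be strict and typed, `if ((int) $uid !== (int) $tokendata['owner_id']) {`, since `$_USER['uid']` may be a string while the DB value is. The enclosing function starts before and ends after this hunk.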