[geeklog-hg] geeklog: Security tokens now work with anonymous users (bug #000...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Sat Apr 26 10:40:26 EDT 2014


changeset 9526:986772bab6f4
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/986772bab6f4
user: Tom
date: Sat Apr 26 10:40:07 2014 -0400
description:
Security tokens now work with anonymous users (bug #0001735)

diffstat:

 system/lib-security.php |  13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diffs (30 lines):

diff -r 5493cc8bf9fc -r 986772bab6f4 system/lib-security.php
--- a/system/lib-security.php	Sat Apr 05 10:33:01 2014 -0400
+++ b/system/lib-security.php	Sat Apr 26 10:40:07 2014 -0400
@@ -1380,10 +1380,12 @@
            . " AND (ttl > 0)";                           
     DB_query($sql);
     
-    /* Destroy tokens for this user/url combination */
-    $sql = "DELETE FROM {$_TABLES['tokens']} WHERE owner_id='{$uid}' AND urlfor='$pageURL'";
-    DB_query($sql);
-    
+    /* Destroy tokens for this user/url combination. Since annonymous user share same id do not delete */
+    if ($uid != 1) {
+         $sql = "DELETE FROM {$_TABLES['tokens']} WHERE owner_id = '{$uid}' AND urlfor= '$pageURL'";
+         DB_query($sql);
+     }
+     
     /* Create a token for this user/url combination */
     /* NOTE: TTL mapping for PageURL not yet implemented */
     $sql = "INSERT INTO {$_TABLES['tokens']} (token, created, owner_id, urlfor, ttl) "
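Review bot: With the new guard `if ($uid != 1)`, nothing ever removes an anonymous visitor's earlier tokens, so every anonymous page view adds a row through the INSERT below and only the TTL sweep at the top of the hunk reclaims it; worth confirming that sweep runs often enough that the tokens table does not grow in step with anonymous traffic. The rewritten DELETE still interpolates `$pageURL` and `$uid` straight into the SQL string, as the old one did; if `$pageURL` can be influenced by the request, it should go through the database layer's string-escape helper before interpolation. The anonymous id is a bare magic number compared loosely; `if ((int) $uid !== 1) { // 1 is the anonymous uid` would be clearer, and the comment has a typo (`anonymous users share the same id, so do not delete`). The enclosing function begins outside the hunk.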
@@ -1498,7 +1500,8 @@
              *  token is not expired.
              *  the http referer is the url for which the token was created.
              */
-            if( $_USER['uid'] != $tokendata['owner_id'] ) {
+            $uid = isset($_USER['uid']) ? $_USER['uid'] : 1;
+            if ($uid != $tokendata['owner_id']) {             
                 $return = false;
             } else if($tokendata['urlfor'] != $_SERVER['HTTP_REFERER']) {
                 $return = false;
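Review bot: Because every anonymous visitor now maps to owner_id 1, the comparison `if ($uid != $tokendata['owner_id'])` no longer distinguishes one anonymous session from another; for anonymous users the token is effectively bound only to `urlfor`, so the protection for anonymous-accessible forms rests on the referer check that follows. If the session layer exposes a per-visitor identifier, storing it with the token at creation and comparing it here would restore per-session binding for uid 1; if not, the weaker guarantee deserves a comment at this check. The fallback `1` duplicates the value used in the creation path; a single named constant for the anonymous uid would keep the two in step, and `(int) $uid !== (int) $tokendata['owner_id']` avoids the loose string/int compare against the value read from the database. The enclosing function starts and ends outside the hunk.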


