From 2578e7637eb9a2fd72e3fffeff57edd29d6d0981 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 18 May 2016 14:53:11 +0200
Subject: [PATCH] (auth/gui) make gui auth fallback explicit (instead of silently accepting local)

---
 src/etc/inc/authgui.inc                 | 23 ++++++++++++++++++++---
 src/www/system_usermanager_settings.php | 24 ++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index e5a75e097..071e9880b 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -182,14 +182,31 @@ function session_auth(&$Login_Error)
 
     /* Validate incoming login request */
     if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
+        $authcfg = auth_get_authserver("Local Database");
+        $authcfg_fallback = auth_get_authserver("Local Database");
+
         if (isset($config['system']['webgui']['authmode'])) {
             $authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
-        } else {
-            $authcfg = null;
         }
+
+        if (!empty($config['system']['webgui']['authmode_fallback'])) {
+            if ($config['system']['webgui']['authmode_fallback'] == "__NO_FALLBACK__") {
+                // no fallback
+                $authcfg_fallback = false;
+            } else {
+                $authcfg_fallback = auth_get_authserver($config['system']['webgui']['authmode_fallback']);
+            }
+        }
+
+        if ($authcfg == $authcfg_fallback) {
+            // it doesn't make sense to fallback to the same authenticator
+            $authcfg_fallback = false;
+        }
+
         // authenticate using config settings, or local if failed
         if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
-            authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+            ($authcfg_fallback !== false && authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg_fallback))
+        ) {
             // Generate a new id to avoid session fixation
             session_regenerate_id();
             $_SESSION['Logged_In'] = "True";
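Review bot: The comment `// authenticate using config settings, or local if failed` kept above the rewritten condition is now stale: the second branch authenticates against `$authcfg_fallback`, which can be any configured server or, via `__NO_FALLBACK__` or the same-server check, disabled entirely; suggest `// authenticate against the configured server, then against the explicit fallback server (only if one is configured and differs)`. That comment should also say that the fallback is attempted on any failure of the primary server, including an explicit credential rejection and not only an unreachable server, because an administrator enabling a fallback may assume only the latter. The `$authcfg == $authcfg_fallback` test is a loose array comparison; `===` states the intent precisely, and if `auth_get_authserver()` returns a non-array for a server name that no longer exists (not visible here), both values would compare equal and the fallback would be silently disabled, which is fail-closed but deserves a log line. For consistency with the `!== false` test below, the `__NO_FALLBACK__` comparison would read better as `=== "__NO_FALLBACK__"`. session_auth() begins before and continues after this hunk.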
diff --git a/src/www/system_usermanager_settings.php b/src/www/system_usermanager_settings.php
index d09c73516..b96437ada 100644
--- a/src/www/system_usermanager_settings.php
+++ b/src/www/system_usermanager_settings.php
@@ -35,6 +35,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig = array();
     $pconfig['session_timeout'] = $config['system']['webgui']['session_timeout'];
     $pconfig['authmode'] = $config['system']['webgui']['authmode'];
+    $pconfig['authmode_fallback'] = !empty($config['system']['webgui']['authmode_fallback']) ? $config['system']['webgui']['authmode_fallback'] : "Local Database";
     $pconfig['backend'] = $config['system']['webgui']['backend'];
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $pconfig = $_POST;
@@ -65,6 +66,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             unset($config['system']['webgui']['authmode']);
         }
 
+        if (!empty($pconfig['authmode_fallback'])) {
+            $config['system']['webgui']['authmode_fallback'] = $pconfig['authmode_fallback'];
+        } elseif (isset($config['system']['webgui']['authmode_fallback'])) {
+            unset($config['system']['webgui']['authmode_fallback']);
+        }
+
         write_config();
     }
 }
@@ -123,6 +130,23 @@ endif;?>
+
+
+
+
+
+
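Review bot: In the second hunk, the POSTed `$pconfig['authmode_fallback']` is stored into `$config['system']['webgui']['authmode_fallback']` unchanged; any validation earlier in the POST branch is outside the hunk, but the visible `if (!empty(...))` accepts any non-empty string. Because authgui.inc resolves this name with `auth_get_authserver()` on every login, a mistyped name or a server deleted later leaves the fallback resolving to whatever that function returns for an unknown name. Suggest refusing the save unless the value is the `__NO_FALLBACK__` sentinel or names a configured server, e.g. `if ($pconfig['authmode_fallback'] !== '__NO_FALLBACK__' && empty(auth_get_authserver($pconfig['authmode_fallback']))) { $input_errors[] = gettext('Invalid fallback authentication server.'); }`, assuming this page collects validation errors in `$input_errors` as the surrounding code appears to. The added form markup in the third hunk is not visible in this rendering, so the select options it offers could not be reviewed.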