Bug #18009 » t3lib_userauth2.diff

Administrator Admin, 2008-01-17 18:02


class.t3lib_userauth.php (working copy)
var $formfield_uident = ''; // formfield with password
var $formfield_chalvalue = ''; // formfield with a unique value which is used to encrypt the password and username
var $formfield_status = ''; // formfield with status: *'login', 'logout'. If empty login is not verified.
var $security_level = 'normal'; // sets the level of security. *'normal' = clear-text. 'challenged' = hashed password/username from form in $formfield_uident. 'superchallenged' = hashed password hashed again with username.
var $security_level = ''; // sets the level of security. *'normal' = clear-text. 'challenged' = hashed password/username from form in $formfield_uident. 'superchallenged' = hashed password hashed again with username.
var $auth_include = ''; // this is the name of the include-file containing the login form. If not set, login CAN be anonymous. If set login IS needed.
......
// backend or frontend login - used for auth services
$this->loginType = ($this->name=='fe_typo_user') ? 'FE' : 'BE';
// set level to normal if not already set
$this->security_level = $this->security_level ? $this->security_level : 'normal';
// set level to normal if not already set
if (!$this->security_level) {
if ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']) {
$this->security_level = $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'];
} else {
$this->security_level = 'normal';
}
}
// enable dev logging if set
if ($TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['writeDevLog']) $this->writeDevLog = TRUE;
......
* @internal
*/
function processLoginData($loginData, $security_level='') {
global $TYPO3_CONF_VARS;
$loginSecurityLevel = $security_level ? $security_level : ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] ? $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] : $this->security_level);
$loginSecurityLevel = $security_level ? $security_level : $this->security_level;
// Processing data according to the state it was submitted in.
// ($loginSecurityLevel should reflect the security level used on the data being submitted in the login form)
......
$loginData['uident_text'] = $loginData['uident'];
$loginData['uident_challenged'] = (string)md5($loginData['uname'].':'.$loginData['uident'].':'.$loginData['chalvalue']);
$loginData['uident_superchallenged'] = (string)md5($loginData['uname'].':'.(md5($loginData['uident'])).':'.$loginData['chalvalue']);
$loginData['uident'] = $loginData['uident_text'];
} elseif ($loginSecurityLevel=='challenged') {
$loginData['uident_text'] = '';
$loginData['uident_challenged'] = $loginData['uident'];
$loginData['uident_superchallenged'] = '';
$loginData['uident'] = $loginData['uident_challenged'];
} elseif ($loginSecurityLevel=='superchallenged') {
$loginData['uident_text'] = '';
$loginData['uident_challenged'] = '';
$loginData['uident_superchallenged'] = $loginData['uident'];
}
// The password "uident" is set based on the internal security setting of TYPO3
// Example:
// $this->security_level for the backend must be "superchallenged" because passwords are stored as md5-hashes in the be_users table
// $this->security_level for the frontend must be "normal" or "challenged" because passwords are stored as clear-text in the fe_users tables
if ($this->security_level=='normal') {
$loginData['uident'] = $loginData['uident_text'];
} elseif ($this->security_level=='challenged') {
$loginData['uident'] = $loginData['uident_challenged'];
} elseif ($this->security_level=='superchallenged') {
$loginData['uident'] = $loginData['uident_superchallenged'];
}
return $loginData;
}
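Review bot: The value copied into `$this->security_level` from `$TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']` is never checked against the three levels the code understands, and in processLoginData an unrecognised level matches none of the `if`/`elseif` branches, so the `uident_*` keys are never populated. Because this setting decides how the submitted password is interpreted before comparison, a mistyped configuration value should be rejected where it is read; after the assignment I would add `if (!in_array($this->security_level, array('normal', 'challenged', 'superchallenged'), true)) { $this->security_level = 'normal'; }`. The same check is missing for the `$security_level` argument of processLoginData, which overrides the configured level unvalidated. The page has lost its +/- markers, so which of the duplicated lines are new is inferred from their order, and both functions continue outside the lines shown.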