Bug #18009 » t3lib_userauth2.diff
class.t3lib_userauth.php (working copy) | ||
---|---|---|
var $formfield_uident = ''; // formfield with password
|
||
var $formfield_chalvalue = ''; // formfield with a unique value which is used to encrypt the password and username
|
||
var $formfield_status = ''; // formfield with status: *'login', 'logout'. If empty login is not verified.
|
||
var $security_level = 'normal'; // sets the level of security. *'normal' = clear-text. 'challenged' = hashed password/username from form in $formfield_uident. 'superchallenged' = hashed password hashed again with username.
|
||
var $security_level = ''; // sets the level of security. *'normal' = clear-text. 'challenged' = hashed password/username from form in $formfield_uident. 'superchallenged' = hashed password hashed again with username.
|
||
var $auth_include = ''; // this is the name of the include-file containing the login form. If not set, login CAN be anonymous. If set login IS needed.
|
||
... | ... | |
// backend or frontend login - used for auth services
|
||
$this->loginType = ($this->name=='fe_typo_user') ? 'FE' : 'BE';
|
||
// set level to normal if not already set
|
||
$this->security_level = $this->security_level ? $this->security_level : 'normal';
|
||
// set level to normal if not already set
|
||
if (!$this->security_level) {
|
||
if ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']) {
|
||
$this->security_level = $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'];
|
||
} else {
|
||
$this->security_level = 'normal';
|
||
}
|
||
}
|
||
// enable dev logging if set
|
||
if ($TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['writeDevLog']) $this->writeDevLog = TRUE;
|
||
... | ... | |
* @internal
|
||
*/
|
||
function processLoginData($loginData, $security_level='') {
|
||
global $TYPO3_CONF_VARS;
|
||
|
||
$loginSecurityLevel = $security_level ? $security_level : ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] ? $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] : $this->security_level);
|
||
$loginSecurityLevel = $security_level ? $security_level : $this->security_level;
|
||
// Processing data according to the state it was submitted in.
|
||
// ($loginSecurityLevel should reflect the security level used on the data being submitted in the login form)
|
||
... | ... | |
$loginData['uident_text'] = $loginData['uident'];
|
||
$loginData['uident_challenged'] = (string)md5($loginData['uname'].':'.$loginData['uident'].':'.$loginData['chalvalue']);
|
||
$loginData['uident_superchallenged'] = (string)md5($loginData['uname'].':'.(md5($loginData['uident'])).':'.$loginData['chalvalue']);
|
||
$loginData['uident'] = $loginData['uident_text'];
|
||
} elseif ($loginSecurityLevel=='challenged') {
|
||
$loginData['uident_text'] = '';
|
||
$loginData['uident_challenged'] = $loginData['uident'];
|
||
$loginData['uident_superchallenged'] = '';
|
||
$loginData['uident'] = $loginData['uident_challenged'];
|
||
} elseif ($loginSecurityLevel=='superchallenged') {
|
||
$loginData['uident_text'] = '';
|
||
$loginData['uident_challenged'] = '';
|
||
$loginData['uident_superchallenged'] = $loginData['uident'];
|
||
}
|
||
// The password "uident" is set based on the internal security setting of TYPO3
|
||
// Example:
|
||
// $this->security_level for the backend must be "superchallenged" because passwords are stored as md5-hashes in the be_users table
|
||
// $this->security_level for the frontend must be "normal" or "challenged" because passwords are stored as clear-text in the fe_users tables
|
||
if ($this->security_level=='normal') {
|
||
$loginData['uident'] = $loginData['uident_text'];
|
||
} elseif ($this->security_level=='challenged') {
|
||
$loginData['uident'] = $loginData['uident_challenged'];
|
||
} elseif ($this->security_level=='superchallenged') {
|
||
$loginData['uident'] = $loginData['uident_superchallenged'];
|
||
}
|
||
return $loginData;
|
||
}
|
||
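Review bot: The lookup block `if (!$this->security_level) { … }` copies `$TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']` into `$this->security_level` without checking it against the three values processLoginData() handles. A mistyped setting would then match none of the visible `challenged`/`superchallenged` branches (nor, presumably, the `normal` branch whose opening `if` is elided), so the submitted `uident` is returned without the `uident_*` fields being filled. A guard after the block, such as `if (!in_array($this->security_level, array('normal', 'challenged', 'superchallenged'), TRUE)) $this->security_level = 'normal';`, would keep the existing default for unknown values. The page has lost its +/- markers, so I am reading the `''` default and the two-step lookup as the new side; on that reading configuration is consulted only when the property is empty, whereas the longer `$loginSecurityLevel = …` line preferred it over the property, so a subclass that hard-codes `$security_level` would apparently no longer be overridden, which is worth confirming as intended. The comment `// set level to normal if not already set` no longer describes the block and could read `// use the configured loginSecurityLevel if no level is set, else fall back to 'normal'`; the function enclosing this block starts and ends outside the visible lines.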