Bug #33707

It is possible to authenticate with an expired account

Added by Patrick Pussar over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Must have
Category:
Security
Start date:
2012-02-06
Due date:
% Done:

100%

Estimated time:
PHP Version:
5.3
Has patch:
No
Complexity:
no-brainer

Description

authenticationManager->authenticate() works even with expired account: account->getExpirationDate() is in the past.

#1

Updated by Patrick Pussar over 9 years ago

After some investigation I found out that this feature works actually, but only on day basis.
I would assumed that it would work also on Minute basis.

The query defined in AccountRepository.php just checks on day basis:
...
$query->greaterThan('expirationDate', new \DateTime('today'))
...

but I would assume this check:
$query->greaterThan('expirationDate', new \DateTime())

#2

Updated by Karsten Dambekalns over 9 years ago

  • Status changed from New to Accepted
  • Assignee set to Karsten Dambekalns
  • Target version set to 1.1
  • Complexity set to no-brainer
#3

Updated by Karsten Dambekalns over 9 years ago

  • Target version changed from 1.1 to 1.0.3
#4

Updated by Gerrit Code Review over 9 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/8926

#5

Updated by Gerrit Code Review over 9 years ago

Patch set 1 for branch FLOW3-1.0 has been pushed to the review server.
It is available at http://review.typo3.org/9129

#6

Updated by Karsten Dambekalns over 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Also available in: Atom PDF