[TYPO3-core] RFC: #7189: Bugfix: Processing of loginSecurityLevel in t3lib_userauth

Steffen Ritter info at rs-websystems.de
Mon Jan 21 11:01:45 CET 2008


No reviews yet?

Steffen Ritter wrote:
> Steffen Kamper wrote:
>> "Steffen Ritter" <info at rs-websystems.de> wrote in news post 
>> news:mailman.1.1200572822.10691.typo3-team-core at lists.netfielders.de...
>>> Steffen Kamper wrote:
>>>> "Steffen Ritter" <info at rs-websystems.de> wrote in news post 
>>>> news:mailman.1.1200570989.23586.typo3-team-core at lists.netfielders.de...
>>>>> This is an SVN patch request.
>>>>>
>>>>> Type: Bugfix
>>>>>
>>>>> Bugtracker references:
>>>>> http://bugs.typo3.org/view.php?id=7189
>>>>>
>>>>> Branches:
>>>>> trunk
>>>>>
>>>>> Problem:
>>>>> t3lib_userauth::start() does not set t3lib_userauth::security_level
>>>>> depending on a change of $TYPO3_CONF_VARS[FE/BE]['loginSecurityLevel']
>>>>> but t3lib_userauth::processLoginData() changes the array of loginData
>>>>> based upon this information.
>>>>> Due to this, Frontend Login with challenged or superchallenged mode is
>>>>> not possible, because $loginData['uident'] is cleared.
>>>>>
>>>>> Solution:
>>>>> adding:
>>>>> if ( $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] ) {
>>>>>     $this->security_level = $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'];
>>>>> }
>>>>>
>>>>> to t3lib_userauth::start();
>>>>>
>>>>>
>>>>> Notes:
>>>>> See patch attached
>>>>>
>>>>> Greetings
>>>>>
>>>>> Steffen
>>>> Hi Steffen,
>>>>
>>>> In general I agree, but you have to account for prior settings, see 
>>>> comment above:
>>>> // set level to normal if not already set
>>>>
>>>> In this case you overwrite it.
>>>>
>>>> Regards  Steffen
>>> Yes you're right. I did not think of this.
>>>
>>> Hardcoded it's set to normal. (Line 135).
>>> So
>>> // set level to normal if not already set
>>> $this->security_level = $this->security_level ? $this->security_level : 'normal';
>>>
>>> does not have any effect.
>>>
>>> But you're right, the value can't be overwritten without checking...
>>> Probably we should change my if statement and ask
>>> if ( ($this->security_level=='normal') && $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] )
>>>
>>> which would have the effect that the value is only overwritten if it 
>>> was not modified before.
>>>
>>> Greetings
>>
>> I would change it around:
>>
>> if (!$this->security_level) {
>>   if ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']) {
>>         $this->security_level = $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'];
>>   } else {
>>         $this->security_level = 'normal';
>>   }
>> }
>>
>> Btw: it does not make sense in processLoginData to ask for this value 
>> again; it should then be replaced with $this->security_level
>>
>> Regards  Steffen
>>
> If we clear out the definition in line 135 this would be perfect.
> 
> I added a solution integrating this discussion.
> 
> Steffen
> 
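
The mismatch discussed in this thread, as an added example that is not part of the original mail or of TYPO3's code: a simplified PHP model in which login data is interpreted under one level while `uident` is selected under another, next to the resolution order agreed above (preset value, then configuration, then 'normal'). The class `UserAuthModel`, its `uident_<level>` fields and the sample data are constructed assumptions.

```php
<?php
// Simplified model for illustration; not TYPO3 code. Names are hypothetical.
class UserAuthModel {
    public $loginType = 'FE';
    public $security_level = '';   // may be preset before start() runs

    // Resolution order from the thread: preset value, then config, then 'normal'.
    public function start(array $conf) {
        if (!$this->security_level) {
            $configured = isset($conf[$this->loginType]['loginSecurityLevel'])
                ? $conf[$this->loginType]['loginSecurityLevel'] : '';
            $this->security_level = $configured ? $configured : 'normal';
        }
    }

    // $interpretAs: the level under which the submitted form data is read.
    public function processLoginData(array $loginData, $interpretAs) {
        // Only the variant matching $interpretAs is filled from the form.
        $loginData['uident_' . $interpretAs] = $loginData['uident'];
        // The final uident is picked by the object's level; if the two levels
        // differ, the picked variant does not exist and uident is emptied.
        $key = 'uident_' . $this->security_level;
        $loginData['uident'] = isset($loginData[$key]) ? $loginData[$key] : '';
        return $loginData;
    }
}

// Constructed sample configuration and form submission.
$conf = array('FE' => array('loginSecurityLevel' => 'challenged'));
$form = array('uname' => 'demo', 'uident' => 'constructed-response-value');

// Reported behaviour: the object stays at 'normal', processing follows config.
$before = new UserAuthModel();
$before->security_level = 'normal';
$out = $before->processLoginData($form, $conf['FE']['loginSecurityLevel']);
echo 'mismatched levels, uident empty: ', var_export($out['uident'] === '', true), "\n";

// Proposed behaviour: start() resolves once, processing reuses that value.
$after = new UserAuthModel();
$after->start($conf);
$out = $after->processLoginData($form, $after->security_level);
echo 'resolved level: ', $after->security_level, ', uident kept: ',
    var_export($out['uident'] === $form['uident'], true), "\n";

// A level set before start() is not overwritten by the configuration.
$preset = new UserAuthModel();
$preset->security_level = 'superchallenged';
$preset->start($conf);
echo 'preset level after start(): ', $preset->security_level, "\n";
```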

