[TYPO3-core] FYI48: Fix bug #13410: saltedpasswords is not used if loginSecurityLevel is empty

Oliver Hader oliver at typo3.org
Wed Feb 3 22:32:14 CET 2010


Hi Marcus,

On 03.02.10 13:58, Marcus Krause wrote:
> On 03.02.2010 13:16, Oliver Hader wrote:
>> This is an SVN patch request that will be committed to SVN after 48
>> hours if nobody objects.
>> Solution:
>> Use 'normal' as security level in saltedpasswords if the accordant
>> TYPO3_CONF_VARS setting is empty.
> 
> Sorry, Olly. I don't think it's the right way.
> 
> Throughout the Core, it's not consistent what an empty value means.
> 
> @see t3lib/class.t3lib_beuserauth.php l:152
> * empty value = superchallenged
> 
> @see t3lib/class.t3lib_userauth.php l:205
> * empty value = normal
> 
> @see t3lib/class.t3lib_userauth.php l:135,1098
> * empty value = normal
> 
> @see t3lib/config_default.php l:213
> * empty value = superchallenged (default)???
> 
> @see typo3/sysext/sv/class.tx_sv_loginformhook.php l:49,64
> * anything else than challenged,superchallenged,normal = UNKNOWN level
> 
> @see typo3/backend.php l:346,349
> * empty value = superchallenged
> 
> @see typo3/index.php l:110,143
> * empty value = superchallenged
> 
> What a mess. ;-)

Well, only two possibilities: normal in FE and superchallenged in BE.

It would be nice if the instance of t3lib_userauth (or any subclass like
t3lib_beuserauth) would forward the loginSecurityLevel to the auth
service like saltedpasswords. However, this is not possible for all of
the mentioned classes above.

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3

