[TYPO3-core] FYI48: Fix bug #13410: saltedpasswords is not used if loginSecurityLevel is empty
Oliver Hader
oliver at typo3.org
Wed Feb 3 22:32:14 CET 2010
Hi Marcus,
On 03.02.10 13:58, Marcus Krause wrote:
> On 03.02.2010 13:16, Oliver Hader wrote:
>> This is an SVN patch request that will be committed to SVN after 48
>> hours if nobody objects.
>> Solution:
>> Use 'normal' as security level in saltedpasswords if the accordant
>> TYPO3_CONF_VARS setting is empty.
>
> Sorry, Olly. I don't think it's the right way.
>
> Throughout the Core, it's not consistent what an empty value means.
>
> @see t3lib/class.t3lib_beuserauth.php l:152
> * empty value = superchallenged
>
> @see t3lib/class.t3lib_userauth.php l:205
> * empty value = normal
>
> @see t3lib/class.t3lib_userauth.php l:135,1098
> * empty value = normal
>
> @see t3lib/config_default.php l:213
> * empty value = superchallenged (default)???
>
> @see typo3/sysext/sv/class.tx_sv_loginformhook.php l:49,64
> * anything other than challenged,superchallenged,normal = UNKNOWN level
>
> @see typo3/backend.php l:346,349
> * empty value = superchallenged
>
> @see typo3/index.php l:110,143
> * empty value = superchallenged
>
> What a mess. ;-)
Well, only two possibilities: normal in FE and superchallenged in BE.

It would be nice if the instance of t3lib_userauth (or any subclass like
t3lib_beuserauth) would forward the loginSecurityLevel to the auth
service like saltedpasswords. However, this is not possible for all of
the mentioned classes above.
olly
--
Oliver Hader
TYPO3 Release Manager 4.3
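
Added example, not part of the original message and not TYPO3 Core code: a sketch of the idea discussed above, where the effective level is resolved once per login type and handed to the auth service, so the two cannot disagree about what an empty setting means. The function and class names and the `$confVars` layout are hypothetical, and the sketch assumes the service only handles the `normal` level.

```php
<?php
// Hypothetical names throughout; illustration only, not TYPO3 Core code.

const KNOWN_LEVELS = ['normal', 'challenged', 'superchallenged'];

/**
 * Resolve the effective login security level in one place.
 * Empty setting: 'normal' for FE, 'superchallenged' for BE (as stated in the thread).
 */
function resolveLoginSecurityLevel(array $confVars, string $loginType): string
{
    if (!in_array($loginType, ['FE', 'BE'], true)) {
        throw new InvalidArgumentException("Unknown login type: $loginType");
    }
    $level = trim((string)($confVars[$loginType]['loginSecurityLevel'] ?? ''));
    if ($level === '') {
        return $loginType === 'BE' ? 'superchallenged' : 'normal';
    }
    if (!in_array($level, KNOWN_LEVELS, true)) {
        // Fail closed on a typo or unsupported value instead of guessing a level.
        throw new UnexpectedValueException("Unknown loginSecurityLevel: $level");
    }
    return $level;
}

/** Stand-in for an auth service such as saltedpasswords. */
final class ExampleAuthService
{
    private string $level;

    // The level is forwarded by the caller; the service never reads the config itself.
    public function __construct(string $effectiveLevel)
    {
        $this->level = $effectiveLevel;
    }

    // Assumption of this sketch: the service only handles the 'normal' level.
    public function isResponsible(): bool
    {
        return $this->level === 'normal';
    }
}

// Constructed sample configuration: both settings left empty.
$confVars = ['FE' => ['loginSecurityLevel' => ''], 'BE' => ['loginSecurityLevel' => '']];
foreach (['FE', 'BE'] as $type) {
    $level = resolveLoginSecurityLevel($confVars, $type);
    $service = new ExampleAuthService($level);
    printf("%s: level=%s, service responsible=%s\n", $type, $level, $service->isResponsible() ? 'yes' : 'no');
}
```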