
Item3804: TemplateLogin.pm doesn't return the error from the underlying PasswordManager

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.2.0


Detail

The TemplateLogin LoginManager doesn't return the error code from the underlying PasswordManager when the user is denied login. Here is a patch to change the banner to the error returned from the PasswordManager if there is one. Otherwise it will fall back to the normal "Invalid user/password".

This could be considered a security leak if the underlying PasswordManager doesn't return error messages that are generic when appropriate.

Specifically, I use it with my custom PasswordManager to tell the user they need to register if the LoginName -> WikiName conversion fails.

--- lib/TWiki/Client/TemplateLogin.pm   2007-03-03 06:45:57.000000000 -0800
+++ lib/TWiki/Client/TemplateLogin.pm   2007-03-23 15:20:13.000000000 -0700
@@ -129,6 +129,7 @@
     if( $loginName ) {
         my $passwordHandler = $twiki->{users}->{passwords};
         my $validation = $passwordHandler->checkPassword( $loginName, $loginPass );
+        my $error = $passwordHandler->error();

         if( $validation ) {
             $this->userLoggedIn( $loginName );
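Review bot: error() is read on the added line straight after checkPassword, before $validation is tested, so it is fetched on successful logins too and will pick up whatever a backend left in its error slot from an earlier call. Move the call into the failure path, next to where $banner is set, so it is only consulted when checkPassword returned false.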
@@ -139,6 +140,8 @@
             # Redirect with passthrough
             $twikiSession->redirect($origurl, 1 );
             return;
+        } elsif ($error) {
+            $banner = $error;
         } else {
             $banner = $twiki->{templates}->expandTemplate('UNRECOGNISED_USER');
         }
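Review bot: the new elsif branch puts the PasswordManager's error text straight into $banner for a visitor who has not authenticated, so a backend that words its errors differently for an unknown login name and for a wrong password makes the login form reveal which accounts exist. Keep UNRECOGNISED_USER as the default and show backend text only when the site has opted in (a configuration switch or an allow-list of messages). $error should also be entity-encoded before it becomes the banner, since nothing in this hunk constrains what the backend returns.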



Index: twikiplugins/PatternSkin/templates/login.pattern.tmpl
===================================================================
--- twikiplugins/PatternSkin/templates/login.pattern.tmpl   (revision 13247)
+++ twikiplugins/PatternSkin/templates/login.pattern.tmpl   (working copy)
@@ -87,6 +87,7 @@
 %TMPL:P{"passwordstep"}%
 <div class="twikiFormStep twikiLast">
 <input class="twikiSubmit" type="submit" value='%MAKETEXT{"Logon"}%' tabindex="3" />
+%IF{"$ERROR != ''" then="%BR% _Error: %ERROR%_"}%
 </div><!-- /twikiFormStep-->
 </div><!-- /twikiFormSteps-->
 <literal>
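Review bot: the label in the added %IF line is hard-coded English ("Error:"), while the submit button on the line above it is wrapped in %MAKETEXT{"Logon"}%. Wrap the label the same way, for example %MAKETEXT{"Error:"}%, so translated installations do not get a mixed-language login form.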
@@ -94,7 +95,6 @@
 </literal>
 <input type="hidden" name="origurl" value="%ORIGURL%" />
 </form>
-
 %TMPL:P{"seealsonote"}%
 </div><!-- /twikiLogin-->
 </div><!-- /patternTopic-->%TMPL:END%
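Review bot: removing the blank line before %TMPL:P{"seealsonote"}% is a whitespace-only change unrelated to error reporting. Drop this hunk from the patch, or submit it separately, so the diff contains only the behaviour being reviewed.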
Index: twikiplugins/ClassicSkin/templates/login.classic.tmpl
===================================================================
--- twikiplugins/ClassicSkin/templates/login.classic.tmpl   (revision 13247)
+++ twikiplugins/ClassicSkin/templates/login.classic.tmpl   (working copy)
@@ -31,6 +31,7 @@
 </literal>
 <input type="hidden" name="origurl" value="%ORIGURL%" />
 <input type='submit' value='Logon' />
+%IF{"$ERROR != ''" then="%BR% _Error: %ERROR%_"}%
 </form>
 <p />
 %TMPL:END%
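Review bot: in the added line %ERROR% is expanded between the underscores of _Error: ..._, so a message that itself contains an underscore, an asterisk or other wiki markup can change how the line renders. Put the emphasis on the label only, or wrap the message in an element that does not depend on wiki emphasis syntax.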
Index: templates/login.tmpl
===================================================================
--- templates/login.tmpl   (revision 13247)
+++ templates/login.tmpl   (working copy)
@@ -24,6 +24,7 @@
 </literal>
 <input type="hidden" name="origurl" value="%ORIGURL%" />
 <input type='submit' value='Logon' />
+%IF{"$ERROR != ''" then="%BR% _Error: %ERROR%_"}%
 </form>
 <p />
 %TMPL:P{"topicinfo"}%
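Review bot: this is the third copy of the same %IF line (it is also added to login.pattern.tmpl and login.classic.tmpl). Define it once as a template definition and pull it in with %TMPL:P{...}%, the way this file already includes "topicinfo", so a later change to its wording or escaping only has to be made in one place.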
Index: lib/TWiki/Client/TemplateLogin.pm
===================================================================
--- lib/TWiki/Client/TemplateLogin.pm   (revision 13247)
+++ lib/TWiki/Client/TemplateLogin.pm   (working copy)
@@ -135,9 +135,12 @@
         $note = $twiki->{templates}->expandTemplate( 'NEW_USER_NOTE' );
     }
 
+    my $error = '';
+
     if( $loginName ) {
         my $passwordHandler = $twiki->{users}->{passwords};
         my $validation = $passwordHandler->checkPassword( $loginName, $loginPass );
+        $error = $passwordHandler->error();
 
         if( $validation ) {
             $this->userLoggedIn( $loginName );
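Review bot: $error is initialised to '' but the assignment after checkPassword overwrites it with whatever error() returns, and with the Password.pm change in this same patch that is undef whenever no error is set. That undef then goes into the ERROR preference pushed further down. Use $error = $passwordHandler->error() || ''; (or assign only on failure) so the template's $ERROR != '' test always sees a string.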
@@ -156,9 +159,11 @@
     # TODO: add JavaScript password encryption in the template
     # to use a template)
     $origurl ||= '';
-    $tmpl =~ s/%ORIGURL%/$origurl/g;
-    $tmpl =~ s/%BANNER%/$banner/g;
-    $tmpl =~ s/%NOTE%/$note/g;
+#    $tmpl =~ s/%ORIGURL%/$origurl/g;
+#    $tmpl =~ s/%BANNER%/$banner/g;
+#    $tmpl =~ s/%NOTE%/$note/g;
+#    $tmpl =~ s/%ERROR%/$error/g;
+    $twiki->{prefs}->pushPreferenceValues('SESSION', {ORIGURL=>$origurl, BANNER=>$banner, NOTE=>$note, ERROR=>$error});
 
     $tmpl = $twiki->handleCommonTags( $tmpl, $web, $topic );
     $tmpl = $twiki->{renderer}->getRenderedVersion( $tmpl, '' );
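Review bot: ERROR=>$error is pushed as a preference value and then expanded by handleCommonTags and rendered by getRenderedVersion with no encoding step visible in between, so markup or wiki variables inside a backend's error string would be interpreted on the login page. Entity-encode $error before pushing it. The commented-out s/// lines should also be deleted rather than kept; the %ERROR% one was never live code.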
Index: lib/TWiki/Users/HtPasswdUser.pm
===================================================================
--- lib/TWiki/Users/HtPasswdUser.pm   (revision 13247)
+++ lib/TWiki/Users/HtPasswdUser.pm   (working copy)
@@ -237,12 +237,6 @@
     return 0;
 }
 
-sub error {
-    my $this = shift;
-
-    return $this->{error};
-}
-
 sub getEmails {
     my( $this, $user ) = @_;
 
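Review bot: with error() deleted here, HtPasswdUser relies on the accessor in Password.pm, which only works if HtPasswdUser inherits from that class and keeps its message in $this->{error}; neither is visible in this hunk. Confirm both, and check the other password backends for their own error() overrides so they do not diverge from the base behaviour.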
Index: lib/TWiki/Users/Password.pm
===================================================================
--- lib/TWiki/Users/Password.pm   (revision 13247)
+++ lib/TWiki/Users/Password.pm   (working copy)
@@ -47,6 +47,7 @@
     my( $class, $session ) = @_;
 
     my $this = bless( {}, $class );
+    $this->{error} = undef;
     $this->{session} = $session;
     return $this;
 }
@@ -93,6 +94,8 @@
 =cut
 
 sub checkPassword {
+    my $this = shift;
+    $this->{error} = undef;
     return 1;
 }
 
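Review bot: the reset of $this->{error} added to checkPassword lives only in this base-class stub, so a backend that overrides checkPassword without clearing the field can hand TemplateLogin an error left over from an earlier call, and that text is now shown on the login page. State in the POD above that implementations must clear $this->{error} on entry and set it only on failure.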
@@ -107,6 +110,8 @@
 =cut
 
 sub deleteUser {
+    my $this = shift;
+    $this->{error} = undef;
     return 1;
 }
 
@@ -165,7 +170,9 @@
 =cut
 
 sub error {
-    return '';
+    my $this = shift;
+
+    return $this->{error};
 }
 
 =pod


-- TWiki:Main.SvenDowideit - 26 Mar 2007

This seems a useful feature.

-- TWiki:Main.ArthurClemens - 03 Apr 2007

committed -- SD

Changed to Minor so it gets in the release note

-- TWiki:Main.KennethLavrsen - 28 Apr 2007
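
The detail above notes that showing the PasswordManager's error on the login page is only safe if that text is generic. One way to keep that property on the login-manager side, as an added example that is not part of the patch or of TWiki: pass through only allow-listed backend messages, fall back to the generic banner otherwise, and encode what is shown. All names here (login_banner, %PUBLIC_MESSAGE, the error strings) are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical names throughout; this is not TWiki's API.
my $GENERIC = 'Invalid user/password';

# Backend error text (lower-cased) => text the site has chosen to show
# to a visitor who has not authenticated. Unlisted errors stay generic.
my %PUBLIC_MESSAGE = (
    'registration required' => 'You need to register before logging in.',
);

# Encode HTML metacharacters and '%' so the text cannot be read as
# markup or as a wiki variable when the template is expanded.
sub encode_for_template {
    my ($text) = @_;
    $text =~ s/([&<>"'%])/'&#' . ord($1) . ';'/ge;
    return $text;
}

# Returns the banner for one login attempt: empty on success, an
# allow-listed message or the generic one on failure.
sub login_banner {
    my ( $validated, $backend_error ) = @_;
    return '' if $validated;
    my $key = defined $backend_error ? lc $backend_error : '';
    $key =~ s/^\s+|\s+$//g;
    if ( $key ne '' && !exists $PUBLIC_MESSAGE{$key} ) {
        ( my $logged = $key ) =~ s/[^\x20-\x7e]/?/g;    # keep the log entry on one line
        warn "login failed, backend said: $logged\n";   # server log only
    }
    my $msg = exists $PUBLIC_MESSAGE{$key} ? $PUBLIC_MESSAGE{$key} : $GENERIC;
    return encode_for_template($msg);
}

# Constructed sample inputs: [ checkPassword result, error() result ].
my @cases = (
    [ 1, undef ],
    [ 0, undef ],
    [ 0, 'Registration required' ],
    [ 0, 'No such user: alice' ],
    [ 0, '<b>locked</b> %WIKITOOLNAME%' ],
);
for my $case (@cases) {
    my ( $ok, $err ) = @$case;
    printf "%-32s => %s\n", defined $err ? $err : '(undef)', login_banner( $ok, $err );
}
```

Only the "registration required" case produces a specific message; the unknown-user and markup-bearing errors both come out as the generic banner, with the original text going to the server log.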

ItemTemplate
Summary TemplateLogin.pm doesn't return the error from the underlying PasswordManager
ReportedBy TWiki:Main.GordonTetlow
Codebase 4.1.2, ~twiki4
SVN Range TWiki-4.1.2, Fri, 23 Mar 2007, build 13210
AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:13269
TargetRelease minor
ReleasedIn 4.2.0
Topic revision: r11 - 2008-01-22 - KennethLavrsen