Permissions not working if login fails?

Bruce Morrison

Tuesday 29 July 2003 6:16:46 pm

Using the latest stable version I'm creating a site that has a login box statically embedded in the pagelayout.tpl. The usr/login.tpl is only used to display error messages in the main content area {$module_result.content} and does not contain a login form.

The login box is replaced with the statement "You are logged in as ...." and a logout link when the user is logged in.

There are 2 sections 'public' and 'private' . Content under 'private' is only readable if logged in as a user from a specific role.

The current structure looks like:
Home 'public' section
About 'public' section
News 'private' section

The above structure is displayed with the following template code in pagelayout.tpl

<h3>Menu</h3>
<ul>
  <li><a href="/">Home</a></li>
  {let toplevel=fetch(content, list,
                      hash(parent_node_id, 2,
                           sort_by, array(array(name, true()))
                      )
                 )
  }
  <ul>
  {section loop=$toplevel}
    <li><a href={$:item.url_alias|ezurl}>{$:item.name}</a></li>
  {/section}
  </ul>
</ul>
{/let}

Because of the permission restrictions "News" should only be visible IF the user is logged in.

If a correct login and password are entered, logging in and out works as expected.

I've come across the following issues, the first is pretty minor the other worries me somewhat.

1. If a username is not entered, the $User:warning.bad_login variable is set to false, indicating that login was successful.

To me this is quite limiting as the login has actually failed but there is no way of knowing why (it failed because there was no username).

This is because of the following code in kernel/user/login.php, starting at line 80:

$user = false;
if ( $userLogin != '' )
{
    $user = eZUser::loginUser( $userLogin, $userPassword );
    if ( get_class( $user ) != 'ezuser' )
        $loginWarning = true;
}

I think this should be extended to set $loginWarning = true if no username is entered and perhaps even adding an additional element to $User:warning to indicate why.

Any feedback is appreciated.

2. This item concerns me as it may indicate that there is a fundamental permissions issue.

When the login fails because either the username/password combination is not valid or no username is entered, restricted items (News) are displayed.

When clicking on the restricted link, the correct "access denied" message is displayed as expected.

Sometimes when I login to the ez forums I see "Edit" buttons beside posts that are not mine. Clicking on them gives me the "access denied" message. (as described and "fixed?" in this bug http://ez.no/developer/ez_publish_3/bug_reports/edit_buttons_shown_when_they_should_not_be)

I am wondering if what I am seeing on my site is related to this behaviour.

Anyone have sites that work in a similar manner and may be able to confirm this behaviour?

I'll try to get a public site up in the next 24 hours to be able to demonstrate this.

Cheers
Bruce
designIT

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
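The extension Bruce proposes for issue 1, written up here as an added, stand-alone example rather than eZ Publish kernel code: a missing username is flagged as a failed login, and a separate reason field records why. The DemoUser class and the $authenticate callable are constructed stand-ins for eZUser and eZUser::loginUser(), and the 'reason' element is a hypothetical name for the extra $User:warning entry the post suggests.

```php
<?php
// Added example, not from kernel/user/login.php: the login-status check with
// the two gaps the post points out closed. Runs without eZ Publish.

class DemoUser            // constructed stand-in for eZUser
{
    public $login;
    public function __construct($login) { $this->login = $login; }
}

function checkLogin($userLogin, $userPassword, callable $authenticate)
{
    // 'bad_login' mirrors the kernel's $loginWarning flag; 'reason' is the
    // extra element the post suggests (hypothetical name).
    $result = array('user' => false, 'bad_login' => false, 'reason' => '');

    if ($userLogin === '') {
        // The quoted kernel snippet skips this branch entirely, so the flag
        // stays false and an empty username looks like a successful login.
        $result['bad_login'] = true;
        $result['reason']    = 'empty_username';
        return $result;
    }

    $user = $authenticate($userLogin, $userPassword);
    if (!($user instanceof DemoUser)) {
        $result['bad_login'] = true;
        $result['reason']    = 'bad_credentials';
        return $result;
    }

    $result['user'] = $user;
    return $result;
}

// Constructed stand-in for eZUser::loginUser(): one sample account.
$authenticate = function ($login, $password) {
    $accounts = array('bruce' => 'secret');          // constructed sample data
    if (isset($accounts[$login]) && hash_equals($accounts[$login], $password)) {
        return new DemoUser($login);
    }
    return false;
};

$attempts = array(array('', 'x'), array('bruce', 'wrong'), array('bruce', 'secret'));
foreach ($attempts as $attempt) {
    $r = checkLogin($attempt[0], $attempt[1], $authenticate);
    printf("login=%-8s bad_login=%-5s reason=%s\n",
        var_export($attempt[0], true), var_export($r['bad_login'], true), $r['reason']);
}
```

The reason only distinguishes an empty username from a rejected username/password pair; it deliberately does not say whether the username exists, so exposing it in user/login.tpl does not help anyone enumerate accounts.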

Bruce Morrison

Thursday 07 August 2003 1:17:13 am

I have worked this out after much code searching :)

By default the user/login module/function is in the PolicyOmitList of site.ini. No permissions/policies are checked for user/login.

With the default templates & settings this is fine as these are set up to use a custom pagelayout.tpl that does not access any additional content.

If you use the setting LoginPage=embedded, the default pagelayout.tpl will be used and user/login.tpl is returned in {$module_result.content}.

Now here is the kicker - if the login fails or the user is not redirected to another page, any fetches of content that are done in the pagelayout.tpl will be executed without any permissions applied, and hence the "restricted" values are displayed in the menu when the login fails.

Hope this saves someone a few grey hairs.

Cheers
Bruce
designIT
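A regression check that follows from Bruce's finding, added here as an example that is not part of the thread or of eZ Publish: it submits the two failing login cases (empty username, wrong password) to your own site and reports whether any entry reserved for logged-in users was rendered in the response. The site URL and the restricted link texts are placeholders; the POST field names Login, Password and LoginButton are an assumption about the default eZ Publish 3 login form, so check them against your user/login.tpl before relying on the script.

```php
<?php
// Added example, not eZ Publish code: verify that a failed login on an
// embedded-login site does not render content that is restricted to
// logged-in users (the behaviour the post describes).

$siteUrl    = 'http://example.com';   // placeholder: your site's base URL
$restricted = array('News');          // placeholder: link texts only members may see
$attempts   = array(                  // constructed sample credentials
    'empty username'  => array('Login' => '',      'Password' => 'x'),
    'bad credentials' => array('Login' => 'bruce', 'Password' => 'wrong'),
);

// Post the login form and return the body of the page that comes back.
// Field names are an assumption about the default eZ 3 user/login.tpl.
function postLogin($siteUrl, array $fields)
{
    $ch = curl_init($siteUrl . '/user/login');
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields + array('LoginButton' => 'Login')),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEFILE     => '',   // fresh cookie jar: each attempt starts anonymous
    ));
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

// Return the restricted names that appear in the page text. Tags are stripped
// first so an entry hidden only by markup or styling still counts as leaked.
function leakedEntries($html, array $restricted)
{
    $text   = html_entity_decode(strip_tags($html));
    $leaked = array();
    foreach ($restricted as $name) {
        if (stripos($text, $name) !== false) {
            $leaked[] = $name;
        }
    }
    return $leaked;
}

$failures = 0;
foreach ($attempts as $label => $fields) {
    $leaked = leakedEntries(postLogin($siteUrl, $fields), $restricted);
    if ($leaked) {
        $failures++;
        printf("FAIL (%s): restricted entries rendered after failed login: %s\n",
            $label, implode(', ', $leaked));
    } else {
        printf("ok   (%s): no restricted entries rendered\n", $label);
    }
}
exit($failures ? 1 : 0);
```

Use link texts (or URL aliases) that occur nowhere on the public pages, otherwise a plain substring match reports a false positive; and run it again after any change to PolicyOmitList, LoginPage or the pagelayout fetches, since those are exactly the settings the post shows interacting.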
