ORGaccess cookie requires a secure environment. Move all cookie manipulation code...
authorFlorent Bruneau <florent.bruneau@polytechnique.org>
Sun, 21 Dec 2008 23:06:51 +0000 (00:06 +0100)
committerFlorent Bruneau <florent.bruneau@polytechnique.org>
Sun, 21 Dec 2008 23:06:51 +0000 (00:06 +0100)
Signed-off-by: Florent Bruneau <florent.bruneau@polytechnique.org>
classes/platallogger.php
classes/xorgsession.php
core
modules/platal.php
modules/register.php

index 462783b..47ea0a1 100644 (file)
@@ -96,6 +96,9 @@ class PlatalLogger extends PlLogger
                      $this->uid, $this->session);
     }
 
+    public function isValid($uid) {
+        return $uid == $this->uid;
+    }
 
     /** Logs an action and its related data.
      *
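Review bot: `isValid()` compares with loose `==`, so PHP type juggling decides whether a logger belongs to a user; on the PHP versions of this era `0 == 'abc'` and `null == 0` are both true. The check presumably gates reuse of a stored logger now that `unset($_SESSION['log'])` is removed in classes/xorgsession.php, so I would compare strictly on a normalised form, e.g. `return is_numeric($uid) && (string)$uid === (string)$this->uid;`. The method also has no docblock, unlike `log()` just below it; `/** Tells whether this logger was opened for the given uid. */` would be enough.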
index 9683f31..93c81a0 100644 (file)
@@ -197,7 +197,6 @@ class XorgSession extends PlSession
         }
         if ($level == AUTH_SUID) {
             S::set('auth', AUTH_MDP);
-            unset($_SESSION['log']);
         }
 
         // Retrieves main user properties.
@@ -230,13 +229,9 @@ class XorgSession extends PlSession
             Cookie::set('uid', $uid, 300);
 
             if (S::i('auth_by_cookie') == $uid || Post::v('remember', 'false') == 'true') {
-                Cookie::set('access', hash_encrypt($sess['password']), 300);
-                if (S::i('auth_by_cookie') != $uid) {
-                    $logger->log("cookie_on");
-                }
+                $this->setAccessCookie(false, S::i('auth_by_cookie') != $uid);
             } else {
-                Cookie::kill('access');
-                $logger->log("cookie_off");
+                $this->killAccessCookie();
             }
         }
 
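Review bot: The cookie value is no longer taken from `$sess['password']` at this call, because `setAccessCookie()` hashes `S::v('password')` instead, so this line now relies on the session already holding the password when it runs, which the hunk does not show. If it does not, the access cookie would be set from an empty value instead of failing visibly. The same dependency applies to the `setAccessCookie(true)` calls in modules/platal.php and modules/register.php, which used to hash the freshly chosen `$password`; there the session must have been updated with the new password first. A guard in the helper such as `if (!S::has('password')) { return; }` plus a comment at each call, `// relies on S::v('password') being current`, would make the assumption explicit. The enclosing method starts and ends outside the hunk.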
@@ -331,6 +326,29 @@ class XorgSession extends PlSession
         $n = select_notifs(false, S::i('uid'), S::v('watch_last'), false);
         S::set('notifs', $n->numRows());
     }
+
+    public function setAccessCookie($replace = false, $log = true) {
+        if (S::has('suid') || ($replace && !Cookie::blank('access'))) {
+            return;
+        }
+        require_once('secure_hash.inc.php');
+        Cookie::set('access', hash_encrypt(S::v('password')), 300, true);
+        if ($log) {
+            S::logger()->log('cookie_on');
+        }
+    }
+
+    public function killAccessCookie($log = true) {
+        Cookie::kill('access');
+        if ($log) {
+            S::logger()->log('cookie_off');
+        }
+    }
+
+    public function killLoginFormCookies() {
+        Cookie::kill('uid');
+        Cookie::kill('domain');
+    }
 }
 
 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
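Review bot: The `$replace` guard in `setAccessCookie()` looks inverted compared with the code it replaces: the removed callers refreshed the cookie only `if (Cookie::v('access'))`, whereas `$replace && !Cookie::blank('access')` returns early exactly when a cookie is present. Assuming `Cookie::blank()` is true for a missing or empty cookie (it lives in core and is not shown), `setAccessCookie(true)` after a password change in modules/platal.php and modules/register.php would leave an existing cookie carrying the old hash, and would issue a long-lived access cookie to a user who never asked to be remembered. If the intent is to refresh only an existing cookie, the test should read `if (S::has('suid') || ($replace && Cookie::blank('access'))) {`. The three new public methods also have no docblocks; a line each stating what `$replace`, `$log` and the fourth `Cookie::set()` argument mean would prevent this kind of misreading.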
diff --git a/core b/core
index f09d331..7c8d702 160000 (submodule)
--- a/core
+++ b/core
@@ -1 +1 @@
-Subproject commit f09d3319de8a65f5eb11ce0e73a3dc08a72c4091
+Subproject commit 7c8d7022042ef34cbf8c16531a3b5eaecf46bfd2
index dd08d3c..05b8caf 100644 (file)
@@ -229,13 +229,8 @@ class PlatalModule extends PLModule
                 }
             }
 
-            $log =& S::v('log');
-            S::logger()->log('passwd', '');
-
-            if (Cookie::v('access')) {
-                Cookie::set('access', sha1($password), 300);
-                S::logger()->log('cookie_on', '');
-            }
+            S::logger()->log('passwd');
+            Platal::session()->setAccessCookie(true);
 
             $page->changeTpl('platal/motdepasse.success.tpl');
             $page->run();
@@ -440,17 +435,14 @@ Adresse de secours : " . Post::v('email') : ""));
         }
 
         if ($level == 'forget' || $level == 'forgetall') {
-            Cookie::kill('access');
-            S::logger()->log("cookie_off");
+            Platal::session()->killAccessCookie();
         }
 
         if ($level == 'forgetuid' || $level == 'forgetall') {
-            Cookie::kill('uid');
-            Cookie::kill('domain');
+            Platal::session()->killLoginFormCookies();
         }
 
-        $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
-        S::logger()->log('deconnexion',$ref);
+        S::logger()->log('deconnexion', @$_SERVER['HTTP_REFERER']);
         Platal::session()->destroy();
 
         if (Get::has('redirect')) {
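Review bot: `@$_SERVER['HTTP_REFERER']` passes a client-controlled header straight into the log, and with the `@` form a missing header now yields null instead of the empty string the old code passed. I would keep the value explicit and bounded, e.g. `$ref = isset($_SERVER['HTTP_REFERER']) ? substr($_SERVER['HTTP_REFERER'], 0, 255) : '';` followed by `S::logger()->log('deconnexion', $ref);` (the 255 limit is only an example), and make sure whatever displays the log escapes the value. How `log()` stores its second argument is not visible here. The enclosing handler starts and ends outside the hunk.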
index a491174..2654fd0 100644 (file)
@@ -440,14 +440,8 @@ class RegisterModule extends PLModule
                 }
             }
 
-            $log = S::v('log');
-            S::logger()->log('passwd', '');
-
-            if (Cookie::v('access')) {
-                require_once('secure_hash.inc.php');
-                Cookie::set('access', hash_encrypt($password), 300);
-                S::logger()->log('cookie_on', '');
-            }
+            S::logger()->log('passwd');
+            Platal::session()->setAccessCookie(true);
 
             $page->assign('mdpok', true);
         }