Author: cfinck
Date: Wed Jun 11 15:02:19 2008
New Revision: 33936
URL:
http://svn.reactos.org/svn/reactos?rev=33936&view=rev
Log:
- Fix/unhack/simplify/rewrite the RosCMS authentication module for phpBB.
This should finally fix all Login/Logout problems people were experiencing.
- Don't do any RosCMS-related stuff in login_box(), this is all done in the
Authentication module now.
- Disable the phpBB autologin, it interferes with the RosCMS Login.
Modified:
trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php
trunk/web/reactos.org/htdocs/forum/includes/functions.php
Modified:
trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php
URL:
http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/forum/inclu…
==============================================================================
---
trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php [iso-8859-1]
(original)
+++
trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php [iso-8859-1] Wed Jun
11 15:02:19 2008
@@ -12,52 +12,23 @@
exit;
}
+require_once("$phpbb_root_path/../roscms/inc/subsys_login.php");
+
/**
* Login function
*/
define(ROSCMS_DB_NAME, "roscms");
-function login_roscms(&$userid, &$password)
+function login_roscms(&$username, &$password)
{
global $db, $config;
- // We only check the User ID here.
- if (!$userid)
- {
- return array(
- 'status' => LOGIN_ERROR_USERNAME,
- 'error_msg' => 'LOGIN_ERROR_USERNAME',
- 'user_row' => array('user_id' => ANONYMOUS),
- );
- }
-
- // Get the phpBB ID of the user belonging to the "roscmsusrkey" cookie
- $sql = "SELECT m.map_subsys_userid " .
- "FROM " . ROSCMS_DB_NAME . ".user_sessions s, " .
ROSCMS_DB_NAME . ".users u, " . ROSCMS_DB_NAME . ".subsys_mappings m "
.
- "WHERE s.usersession_id = '" .
$db->sql_escape($_COOKIE["roscmsusrkey"]) . "' AND
(s.usersession_expires IS NULL OR NOW() <= s.usersession_expires) " .
- "AND u.user_id = s.usersession_user_id AND (u.user_setting_ipaddress =
'false' OR s.usersession_ipaddress = '" .
$db->sql_escape($_SERVER["REMOTE_ADDR"]) . "') " .
- "AND (u.user_setting_browseragent = 'false' OR
s.usersession_browseragent = '" .
$db->sql_escape($_SERVER["HTTP_USER_AGENT"]) . "') " .
- "AND m.map_roscms_userid = s.usersession_user_id " .
- "AND m.map_subsys_name = 'phpbb'";
- $result = $db->sql_query($sql);
- $row = $db->sql_fetchrow($result);
- $db->sql_freeresult($result);
+ // We ignore both username and password here and retrieve the login data on our own
using roscms_subsys_login
+ // This will either retrieve the phpbb user ID of the user currently logged in or
redirect us to the RosCMS login page.
+ $userid = (int)roscms_subsys_login("phpbb", ROSCMS_LOGIN_REQUIRED,
"/forum");
- // Verify this ID against $userid
- if(!$row || $row["map_subsys_userid"] != $userid)
- {
- return array(
- 'status' => LOGIN_ERROR_USERNAME,
- 'error_msg' => 'LOGIN_ERROR_USERNAME',
- 'user_row' => array('user_id' => ANONYMOUS),
- );
- }
-
- // Now get the user information based on this ID
- $sql = "SELECT user_id, username, user_password, user_passchg, user_pass_convert,
user_email, user_type, user_login_attempts " .
- "FROM " . USERS_TABLE . " " .
- "WHERE user_id = " . (int)$userid;
-
+ // Now get the user row based on this ID
+ $sql = "SELECT * FROM " . USERS_TABLE . " WHERE user_id = $userid";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
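Review bot: In login_roscms the ID returned by roscms_subsys_login goes straight into the `USERS_TABLE` query with no check for 0; the `(int)` cast keeps the interpolation safe, but a missing or unmapped account would be looked up as `user_id = 0`. Handling of an empty `$row` lies after the hunk's last line, so I can't confirm it is caught there; an explicit guard before the query would make the failure path visible: `if ($userid === 0) { return array('status' => LOGIN_ERROR_USERNAME, 'error_msg' => 'LOGIN_ERROR_USERNAME', 'user_row' => array('user_id' => ANONYMOUS)); }`. Because `$password` is now ignored, every `$auth->login()` caller relies solely on the RosCMS session, which appears to include the `$admin` call in functions.php. A comment above the function should say so, e.g. `// Authentication is fully delegated to RosCMS; the admin login path does not re-check a password.` The context line `define(ROSCMS_DB_NAME, "roscms");` passes a bare constant name and appears to be unused by the new code shown.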
@@ -89,29 +60,38 @@
);
}
+/* This function is called, when a session cookie already exists and we try to verify if
it's valid. */
function validate_session_roscms(&$user)
+{
+ // Check if our current RosCMS login is (still) valid, check the session expiration time
and perform session cleanups.
+ $valid_login = (roscms_subsys_login("phpbb", ROSCMS_LOGIN_OPTIONAL,
"") != 0);
+
+ // If we have a valid login, but the phpBB user ID is still ANONYMOUS, the user was
logged in to RosCMS, but not yet to phpBB.
+ // So do that now.
+ if($valid_login && $user["user_id"] == ANONYMOUS)
+ login_box();
+
+ return $valid_login;
+}
+
+/* This function is called, when no phpBB session exists and we're in the process of
creating the session cookie. */
+function autologin_roscms()
{
global $db;
- if($_COOKIE["roscmsusrkey"])
+ // Get the User ID of the logged in user (if any), check the session expiration time and
perform session cleanups.
+ $userid = (int)roscms_subsys_login("phpbb", ROSCMS_LOGIN_OPTIONAL,
"");
+
+ if($userid)
{
- if($user["user_id"] == ANONYMOUS)
- {
- // The user is logged in in RosCMS, but not yet in phpBB. Do that now
- login_box();
- }
- else
- {
- // Update the session expiration time
- $sql = "UPDATE " . ROSCMS_DB_NAME . ".user_sessions " .
- "SET usersession_expires = DATE_ADD(NOW(), INTERVAL 30 MINUTE) " .
- "WHERE usersession_id = '" .
$db->sql_escape($_COOKIE["roscmsusrkey"]) . "' " .
- "AND usersession_expires IS NOT NULL";
- $db->sql_query($sql);
- }
+ // Return the phpBB user row if a user is logged in.
+ $sql = "SELECT * FROM " . USERS_TABLE . " WHERE user_id =
$userid";
+ $result = $db->sql_query($sql);
+ $row = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ return $row;
}
-
- return true;
}
?>
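Review bot: validate_session_roscms accepts the existing phpBB session whenever roscms_subsys_login returns any non-zero ID; it never compares that ID with `$user["user_id"]`. If the RosCMS session now belongs to a different account than the phpBB session cookie (for example after a logout and a new login in the same browser), the old forum session would still validate, as far as the visible code shows. Keep the returned ID and bind it: `$roscms_id = (int)roscms_subsys_login("phpbb", ROSCMS_LOGIN_OPTIONAL, "");` followed by `$valid_login = ($roscms_id != 0 && ($user["user_id"] == ANONYMOUS || $user["user_id"] == $roscms_id));`. autologin_roscms also falls off the end without a return value when no user is logged in; an explicit `return array();` after the `if` block would make that contract visible to the caller.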
Modified:
trunk/web/reactos.org/htdocs/forum/includes/functions.php
URL:
http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/forum/inclu…
==============================================================================
---
trunk/web/reactos.org/htdocs/forum/includes/functions.php [iso-8859-1] (original)
+++
trunk/web/reactos.org/htdocs/forum/includes/functions.php [iso-8859-1] Wed Jun 11
15:02:19 2008
@@ -15,8 +15,6 @@
{
exit;
}
-
-require_once("$phpbb_root_path/../roscms/inc/subsys_login.php");
// Common global functions
@@ -2257,14 +2255,9 @@
}
trigger_error('NO_AUTH_ADMIN');
}
-
- // Login using RosCMS
- // The function will return the phpBB user ID if we're already logged in.
- // Otherwise this function will be automatically called again through
validate_session_roscms, when we will be redirected to the forum.
- $userid = roscms_subsys_login("phpbb", ROSCMS_LOGIN_REQUIRED,
"/forum");
- // If authentication is successful we redirect user to previous page
- $result = $auth->login($userid, '', true, true, $admin);
+ // Don't pass anything here, login_roscms will call roscms_subsys_login on its own.
+ $result = $auth->login('', '', false, true, $admin);
// If admin authentication and login, we will log if it was a success or not...
// We also break the operation on the first non-success login - it could be argued that
the user already knows