SyuTingSong / phpliteadmin

Automatically exported from code.google.com/p/phpliteadmin

autologin on empty password #179

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

What about adding autologin on an empty password?

I made a patch, but I'm not sure it is in the right place.

Regards

Original issue reported on code.google.com by ykoro...@gmail.com on 26 Feb 2013 at 9:19

Attachments:

GoogleCodeExporter commented 9 years ago
Hmm. Your patch is against the current development version 1.9.4 (rev. 341), but
I thought this was already possible in this version. Have you tried an empty 
password in this version (without your patch)? Worked for me.

Line 628 should do it:
        $this->authorized =
            // no password
            SYSTEMPASSWORD == '' ||

Original comment by crazy4ch...@gmail.com on 26 Feb 2013 at 9:52

GoogleCodeExporter commented 9 years ago
I use 1.9.4 and it waits for a POST.

I made a mistake with the patch... it was generated within 1.9.4. My bad...

Here it is.

Original comment by ykoro...@gmail.com on 26 Feb 2013 at 10:40

Attachments:

GoogleCodeExporter commented 9 years ago
$this->authorized is set by attemptGrant(), which is called only after POST.

Original comment by ykoro...@gmail.com on 26 Feb 2013 at 10:44

GoogleCodeExporter commented 9 years ago
Hmm. I still don't see why autologin should not work without your patch.
Let's look at the code.
$auth = new Authorization();
-> Constructor called. This will set $auth->authorized=true because of line 628.
if (isset($_POST['logout']))
    $auth->revoke();
-> No logout, no call. Fine.
// check if user has attempted to log in
else if (isset($_POST['login']) && isset($_POST['password']))
    $auth->attemptGrant($_POST['password'], isset($_POST['remember']));
-> No login, no call.
if ($auth->isAuthorized())
-> returns $auth->authorized, which is still true. Fine.

So the Authorization class does not need an attemptGrant() called, if the 
password is empty.

So I think 1.9.4 allows auto-login without your patch. Why doesn't it work for 
you?

And I think it would be a bad idea to implement auto-login outside the 
Authorization class.

(By the way, I think autologin is not possible in 1.9.3.x yet.)

Original comment by crazy4ch...@gmail.com on 26 Feb 2013 at 10:52
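
The flow traced in the comment above, as an added example that is not part of the original thread and is not phpLiteAdmin's own code: it shows that an empty configured password authorizes every request in the constructor, while a non-empty one still requires the login POST. `ModelAuthorization`, `handleRequest()` and the sample password `s3cret` are hypothetical, and the remaining conditions of line 628 (cut off in the quote above) are left out.

```php
<?php
// Simplified model for illustration; class and function names are hypothetical.
final class ModelAuthorization
{
    private $authorized;
    private $systemPassword;

    public function __construct(string $systemPassword)
    {
        $this->systemPassword = $systemPassword;
        // Mirrors the "no password" condition quoted from line 628: an empty
        // configured password authorizes before any POST is examined.
        $this->authorized = ($systemPassword === '');
    }

    public function attemptGrant(string $password): void
    {
        // hash_equals() compares in constant time (a choice made in this sketch).
        if (hash_equals($this->systemPassword, $password)) {
            $this->authorized = true;
        }
    }

    public function revoke(): void { $this->authorized = false; }
    public function isAuthorized(): bool { return $this->authorized; }
}

// Same branch order as the dispatch code walked through in the thread.
function handleRequest(string $systemPassword, array $post): bool
{
    $auth = new ModelAuthorization($systemPassword);
    if (isset($post['logout'])) {
        $auth->revoke();
    } elseif (isset($post['login']) && isset($post['password'])) {
        $auth->attemptGrant((string) $post['password']);
    }
    return $auth->isAuthorized();
}

// Constructed requests: label => [configured password, POST body].
$cases = [
    'empty password, plain GET'  => ['', []],
    'password set, plain GET'    => ['s3cret', []],
    'password set, correct POST' => ['s3cret', ['login' => '1', 'password' => 's3cret']],
    'password set, wrong POST'   => ['s3cret', ['login' => '1', 'password' => 'guess']],
];
foreach ($cases as $label => [$pw, $post]) {
    printf("%-27s => %s\n", $label, handleRequest($pw, $post) ? 'authorized' : 'login form');
}
```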

GoogleCodeExporter commented 9 years ago
Really, it works! Sorry, I'm a noob.

Original comment by ykoro...@gmail.com on 26 Feb 2013 at 10:55

GoogleCodeExporter commented 9 years ago
Okay, no problem. Thanks for confirming that it works ;-)

Original comment by crazy4ch...@gmail.com on 26 Feb 2013 at 10:58