Fixed #13204: Flash can now use the session veriCode in the FE as well (Thanks to...
authorBenni Mack <benni.mack@typo3.org>
Sun, 21 Feb 2010 17:26:19 +0000 (17:26 +0000)
committerBenni Mack <benni.mack@typo3.org>
Sun, 21 Feb 2010 17:26:19 +0000 (17:26 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6946 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_beuserauth.php
t3lib/class.t3lib_userauth.php

index 25ba6d0..497cc33 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 2010-02-21  Benjamin Mack  <benni@typo3.org>
 
+       * Fixed #13204: Flash can now use the session veriCode in the FE as well (Thanks to Stephan Lucas and Steffen Ritter)
        * Fixed #12343: Installer - Missing message when creation of admin user fails due to missing data (Thanks to Marcus Krause)
        * Fixed #13423: Bug/Feature: Make ext_tables.sql syntax parsing more compliable (Thanks to Joachim Mathes)
        * Fixed #13201: Repots module - Use same install tool check for reports as used in About module (Thanks to Moreno Feltscher)
index cb3cfa3..85f48c8 100644 (file)
@@ -365,50 +365,6 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
        }
 
        /**
-        * VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
-        * This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
-        *
-        * @return      string
-        */
-       function veriCode()     {
-               return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
-       }
-
-
-       /**
-        * The session_id is used to find user in the database.
-        * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
-        * if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
-        * then don't evaluate with the hashLockClause, as the client/browser is included in this hash
-        * and thus, the flash request would be rejected
-        *
-        * @return DB result object or false on error
-        * @access private
-        */
-       protected function fetchUserSessionFromDB() {
-               if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
-                       // if on the flash client, the veri code is valid, then the user session is fetched
-                       // from the DB without the hashLock clause
-                       if (t3lib_div::_GP('vC') == $this->veriCode()) {
-                               $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
-                                               '*',
-                                               $this->session_table.','.$this->user_table,
-                                               $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
-                                                       AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
-                                                       AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
-                                                       '.$this->ipLockClause().'
-                                                       '.$this->user_where_clause()
-                               );
-                       } else {
-                               $dbres = false;
-                       }
-               } else {
-                       $dbres = parent::fetchUserSessionFromDB();
-               }
-               return $dbres;
-       }
-
-       /**
         * Determines whether a backend user is allowed to access the backend.
         *
         * The conditions are:
index 7967e11..c42beb6 100644 (file)
@@ -841,11 +841,33 @@ class t3lib_userAuth {
        /**
         * The session_id is used to find user in the database.
         * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
+        * if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
+        * then don't evaluate with the hashLockClause, as the client/browser is included in this hash
+        * and thus, the flash request would be rejected
+        * 
         * @return DB result object or false on error
         * @access private
         */
        protected function fetchUserSessionFromDB() {
-               $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+               
+               if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
+                       // if on the flash client, the veri code is valid, then the user session is fetched
+                       // from the DB without the hashLock clause
+                       if (t3lib_div::_GP('vC') == $this->veriCode()) {
+                               $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                                               '*',
+                                               $this->session_table.','.$this->user_table,
+                                               $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
+                                                       AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
+                                                       AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
+                                                       '.$this->ipLockClause().'
+                                                       '.$this->user_where_clause()
+                               );
+                       } else {
+                               $dbres = false;
+                       }
+               } else {
+                       $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
                                        '*',
                                        $this->session_table.','.$this->user_table,
                                        $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
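Review bot: The check `if (t3lib_div::_GP('vC') == $this->veriCode())` compares a request-supplied value with a loose `==`, so PHP can compare the two as numbers when both look numeric (for example strings of the form `0e` followed by digits) and accept a `vC` that does not match. A strict comparison avoids that and also rejects array or null input: `if (t3lib_div::_GP('vC') === $this->veriCode()) {`, ideally with a constant-time compare where the supported PHP version provides one. This branch also drops `hashLockClause()` based on `$GLOBALS['CLIENT']['BROWSER']`, which presumably comes from the request's user agent, so the 10-character code is the only extra check on this path. A comment saying so would help the next reader; the function body continues in the following hunk.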
@@ -854,7 +876,8 @@ class t3lib_userAuth {
                                                '.$this->ipLockClause().'
                                                '.$this->hashLockClause().'
                                                '.$this->user_where_clause()
-               );
+                       );
+               }
                return $dbres;
        }
 
@@ -913,6 +936,16 @@ class t3lib_userAuth {
        }
 
        /**
+        * VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
+        * This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
+        *
+        * @return      string
+        */
+       public function veriCode() {
+               return substr(md5($this->id . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
+       }
+       
+       /**
         * This returns the where-clause needed to lock a user to a hash integer
         *
         * @return      string
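Review bot: The docblock moved here with `veriCode()` still describes only the old backend use (tce_db.php calls from MSIE 5.0), but after this commit the value also decides whether `fetchUserSessionFromDB()` skips the hash lock for flash clients. Add a line such as `* Also used to verify requests from flash clients, for which the hashLock clause is skipped.` The value is a 10-hex-character (40-bit) truncation of a plain `md5()` over the concatenated session id and encryptionKey. Now that the method is public and guards the session lookup, consider a longer output or `hash_hmac()` keyed with the encryptionKey, provided no caller depends on the exact format.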