[BUGFIX] Authentication service respects deleted-flag 33/50333/13
authorMarc Willmann <mw@f7.de>
Mon, 24 Oct 2016 11:00:58 +0000 (13:00 +0200)
committerJan Helke <typo3@helke.de>
Tue, 25 Oct 2016 13:59:00 +0000 (15:59 +0200)
Avoids failed logins caused by the user lookup matching an old
(deleted) user record that has the same username as a valid one.

Resolves: #78378
Releases: master

Change-Id: I74b09b036fdd264861509e236f62683b81ba7075
Reviewed-on: https://review.typo3.org/50333
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Jan Helke <typo3@helke.de>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/sv/Tests/Functional/AuthenticationServiceTest.php [new file with mode: 0644]
typo3/sysext/sv/Tests/Functional/Fixtures/be_users.xml [new file with mode: 0644]

index d85124e..5d40381 100644 (file)
@@ -1636,7 +1636,8 @@ abstract class AbstractUserAuthentication
         $user = false;
         if ($username || $extraWhere) {
             $query = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($dbUser['table']);
-            $query->getRestrictions()->removeAll();
+            $query->getRestrictions()->removeAll()
+                ->add(GeneralUtility::makeInstance(DeletedRestriction::class));
 
             $constraints = array_filter([
                 QueryHelper::stripLogicalOperatorPrefix($dbUser['check_pid_clause']),
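Review bot: `DeletedRestriction` is referenced by its short name on the added line, but the file's `use` block is outside this hunk, so `use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;` must already be present or be added in the same commit — I cannot confirm it from here. Dropping every default restriction with `removeAll()` and then re-adding exactly one reads like an oversight to the next maintainer, so a why-comment above the call would help: `// Default restrictions are removed on purpose (hidden/start/endtime are presumably covered by enable_clause below); the deleted flag must still be enforced, otherwise a deleted user sharing a username with a live one can be matched instead of the live record.` The enclosing method begins before this hunk and continues after it.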
diff --git a/typo3/sysext/sv/Tests/Functional/AuthenticationServiceTest.php b/typo3/sysext/sv/Tests/Functional/AuthenticationServiceTest.php
new file mode 100644 (file)
index 0000000..9b5f50c
--- /dev/null
@@ -0,0 +1,63 @@
+<?php
+declare(strict_types=1);
+namespace TYPO3\CMS\Sv\Tests\Functional;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\Tests\FunctionalTestCase;
+use TYPO3\CMS\Sv\AuthenticationService;
+
+/**
+ * Testcase for class \TYPO3\CMS\Sv\AuthenticationService
+ */
+class AuthenticationServiceTest extends FunctionalTestCase
+{
+    /**
+     * @var AuthenticationService
+     */
+    protected $subject;
+
+    protected function setUp()
+    {
+        $this->subject = new AuthenticationService();
+        parent::setUp();
+        $this->importDataSet(ORIGINAL_ROOT . 'typo3/sysext/sv/Tests/Functional/Fixtures/be_users.xml');
+    }
+
+    /**
+     * @test
+     */
+    public function getUserReturnsOnlyNotDeletedRecords()
+    {
+        $this->subject->pObj = new BackendUserAuthentication();
+        $this->subject->login = [
+            'status' => 'login',
+            'uname' => 'test1',
+            'uident' => 'password',
+            'uident_text' => 'password',
+        ];
+        $this->subject->db_user = [
+            'table' => 'be_users',
+            'check_pid_clause' => '',
+            'enable_clause' => '',
+            'username_column' => 'username',
+        ];
+        $expected = [
+            'username' => 'test1',
+            'deleted' => 0
+        ];
+        $result = $this->subject->getUser();
+        $this->assertArraySubset($expected, $result);
+    }
+}
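Review bot: `$expected` only pins `username` and `deleted`, so the assertion on the last line passes for any non-deleted `test1` row; adding `'uid' => 3,` to `$expected` ties the test to the specific live fixture record and makes a wrong-row regression visible at a glance. `getUser()` appears to return `false` when nothing matches (the first hunk starts from `$user = false`), in which case `assertArraySubset` would error rather than fail cleanly, so `$this->assertInternalType('array', $result);` before it gives a clearer diagnostic. As a point of style, `setUp()` constructs the subject before calling `parent::setUp()`; putting the parent call first is the usual order and keeps the fixture import and subject creation together.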
diff --git a/typo3/sysext/sv/Tests/Functional/Fixtures/be_users.xml b/typo3/sysext/sv/Tests/Functional/Fixtures/be_users.xml
new file mode 100644 (file)
index 0000000..09cf81f
--- /dev/null
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dataset>
+    <be_users>
+        <uid>1</uid>
+        <pid>1</pid>
+        <username>admin</username>
+        <deleted>0</deleted>
+    </be_users>
+    <be_users>
+        <uid>2</uid>
+        <pid>1</pid>
+        <username>test1</username>
+        <deleted>1</deleted>
+    </be_users>
+    <be_users>
+        <uid>3</uid>
+        <pid>1</pid>
+        <username>test1</username>
+        <deleted>0</deleted>
+    </be_users>
+</dataset>
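Review bot: The two `test1` rows differ only in `deleted`, and the deleted one carries the lower uid; if the user lookup returns the first matching row (as the test's name implies, though the query order is not visible here), that ordering is what makes the test meaningful, yet nothing in the fixture says so. A comment above the second record would preserve that intent: `<!-- uid 2 and uid 3 share the username; the deleted row deliberately has the lower uid so an unrestricted lookup would match it first -->`.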