[BUGFIX] Fix security level "normal" for backend login
authorHelmut Hummel <helmut.hummel@typo3.org>
Sat, 20 Aug 2011 17:02:45 +0000 (19:02 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Sun, 21 Aug 2011 15:29:53 +0000 (17:29 +0200)
Only change the object property to something different than "superchallenged"
if the configuration is not set to a "standard" security level.

Resolves: #29130
Releases: 4.6, 4.5, 4.4, 4.3

Change-Id: Ibf1194d04a7159ade9ef33701e92930f98cfb90e
Reviewed-on: http://review.typo3.org/4439
Reviewed-by: Philipp Gampe
Reviewed-by: Susanne Moog
Tested-by: Susanne Moog
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
t3lib/class.t3lib_beuserauth.php

index ef1efa4..7990df0 100644 (file)
@@ -140,7 +140,21 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
         */
        function start() {
                $securityLevel = trim($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']);
-               $this->security_level = $securityLevel ? $securityLevel : 'superchallenged';
+               $standardSecurityLevels = array('normal', 'challenged', 'superchallenged');
+
+                       // No challenge is stored in the session if security level is normal
+               if ($securityLevel === 'normal') {
+                       $this->challengeStoredInCookie = FALSE;
+               }
+
+                       // The TYPO3 standard login service relies on $this->security_level being set
+                       // to 'superchallenged' because of the password in the database is stored as md5 hash
+                       // @see t3lib_userauth::processLoginData()
+               if (!empty($securityLevel) && !in_array($securityLevel, $standardSecurityLevels)) {
+                       $this->security_level = $securityLevel;
+               } else {
+                       $this->security_level = 'superchallenged';
+               }
 
                parent::start();
        }
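Review bot: In start(), any non-empty value that is not an exact, case-sensitive match for one of the three standard levels is copied into `$this->security_level`, so a misspelt setting such as `Normal` is treated as a custom level instead of falling back to `'superchallenged'`. What the login service then does with such a value is outside this hunk. If custom levels are only meant to come from installed authentication services, the comment should say so, and passing the strict flag, `in_array($securityLevel, $standardSecurityLevels, TRUE)`, keeps the membership test to exact string matches. The first comment also says the challenge is stored "in the session" while the property it guards is named `challengeStoredInCookie`; align the wording with the property, e.g. `// Security level 'normal' uses no challenge, so none is kept in the cookie`.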