[BUGFIX] Fix security level "normal" for backend login
authorHelmut Hummel <helmut.hummel@typo3.org>
Sat, 20 Aug 2011 17:02:45 +0000 (19:02 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Sun, 21 Aug 2011 15:28:29 +0000 (17:28 +0200)
Only change the object property to something different than "superchallenged"
if the configuration is not set to a "standard" security level.

Resolves: #29130
Releases: 4.6, 4.5, 4.4, 4.3

Change-Id: Ibf1194d04a7159ade9ef33701e92930f98cfb90e
Reviewed-on: http://review.typo3.org/4452
Reviewed-by: Susanne Moog
Tested-by: Susanne Moog
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
t3lib/class.t3lib_beuserauth.php

index d6fbb5d..e071409 100644 (file)
@@ -138,7 +138,21 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
         */
        function start() {
                $securityLevel = trim($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']);
-               $this->security_level = $securityLevel ? $securityLevel : 'superchallenged';
+               $standardSecurityLevels = array('normal', 'challenged', 'superchallenged');
+
+                       // No challenge is stored in the session if security level is normal
+               if ($securityLevel === 'normal') {
+                       $this->challengeStoredInCookie = FALSE;
+               }
+
+                       // The TYPO3 standard login service relies on $this->security_level being set
+                       // to 'superchallenged' because of the password in the database is stored as md5 hash
+                       // @see t3lib_userauth::processLoginData()
+               if (!empty($securityLevel) && !in_array($securityLevel, $standardSecurityLevels)) {
+                       $this->security_level = $securityLevel;
+               } else {
+                       $this->security_level = 'superchallenged';
+               }
 
                parent::start();
        }
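Review bot: The membership test `!in_array($securityLevel, $standardSecurityLevels)` in start() is loose and case-sensitive, so any configured value that is not literally one of the three names (a differently cased or misspelled level, for instance) takes the first branch and is written to `$this->security_level` unchanged; such a value also misses the `challengeStoredInCookie = FALSE` assignment. How an unrecognised level is treated afterwards is decided in `parent::start()` and `processLoginData()`, which are outside this hunk, so that path should be checked before relying on it. I would pass the strict flag, `in_array($securityLevel, $standardSecurityLevels, TRUE)`, for consistency with the `=== 'normal'` test above, and state in the comment that 'normal' and 'challenged' are deliberately mapped to 'superchallenged' while only non-standard levels are passed through. The first added comment speaks of the challenge being stored in the session while the property is named `challengeStoredInCookie`; the wording should match the property.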
@@ -386,4 +400,4 @@ if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLA
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_beuserauth.php']);
 }
 
-?>
+?>
\ No newline at end of file