
FIX Oauth login

Laurent Destailleur 1 gadu atpakaļ
vecāks
revīzija
500381ab1a

+ 1 - 0
htdocs/core/login/functions_googleoauth.php

@@ -115,6 +115,7 @@ function check_user_password_googleoauth($usertotest, $passwordtotest, $entityto
 
 			// If googleoauth_login has been set (by google_oauthcallback after a successfull OAUTH2 request on openid scope
 			if (!empty($_SESSION['googleoauth_receivedlogin']) && dol_verifyHash($conf->file->instance_unique_id.$usertotest, $_SESSION['googleoauth_receivedlogin'], '0')) {
+				dol_syslog("Login received by Google OAuth was validated by callback page and saved crypted into session. This login is ".$usertotest);
 				unset($_SESSION['googleoauth_receivedlogin']);
 				$login = $usertotest;
 			}
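Review bot: The new dol_syslog line describes the session value as "saved crypted", but the condition on the line above validates it with dol_verifyHash, so what the callback stored is a hash of the instance id and login, not an encrypted login; the message should say so to avoid misleading whoever reads the log later. Because the line also writes the attempted username into the log on every successful OAuth login, it reads more like a trace than an operational event, so I would lower it to debug level: `dol_syslog("Login received by Google OAuth was validated by callback page and saved hashed into session. This login is ".$usertotest, LOG_DEBUG);`. The enclosing function check_user_password_googleoauth starts and ends outside the hunk.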

+ 1 - 1
htdocs/core/modules/oauth/google_oauthcallback.php

@@ -153,7 +153,7 @@ if ($action == 'delete') {
 }
 
 if (!GETPOST('code')) {
-	dol_syslog("Page is called without code parameter defined");
+	dol_syslog("Page is called without the 'code' parameter defined");
 
 	// If we enter this page without 'code' parameter, it means we click on the link from login page and we want to get the redirect
 	// to the OAuth provider login page.

+ 4 - 1
htdocs/core/tpl/login.tpl.php

@@ -74,10 +74,13 @@ if (preg_match('/'.preg_quote('core/modules/oauth', '/').'/', $php_self)) {
 	$php_self = DOL_URL_ROOT.'/index.php?mainmenu=home';
 }
 $php_self = preg_replace('/(\?|&|&)action=[^&]+/', '\1', $php_self);
+$php_self = preg_replace('/(\?|&|&)actionlogin=[^&]+/', '\1', $php_self);
+$php_self = preg_replace('/(\?|&|&)afteroauthloginreturn=[^&]+/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)username=[^&]*/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)entity=\d+/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)massaction=[^&]+/', '\1', $php_self);
 $php_self = preg_replace('/(\?|&|&)token=[^&]+/', '\1', $php_self);
+$php_self = preg_replace('/(&)+/', '&', $php_self);
 
 // Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
 $arrayofjs = array(
@@ -375,7 +378,7 @@ if (isset($conf->file->main_authentication) && preg_match('/google/', $conf->fil
 	 */
 
 	print '<input type="hidden" name="beforeoauthloginredirect" id="beforeoauthloginredirect" value="">';
-	print '<a class="alogin" href="#" onclick="jQuery(\'#beforeoauthloginredirect\').val(\'google\'); $(this).closest(\'form\').submit();">';
+	print '<a class="alogin" href="#" onclick="console.log(\'Set beforeoauthloginredirect value\'); jQuery(\'#beforeoauthloginredirect\').val(\'google\'); $(this).closest(\'form\').submit(); return false;">';
 	print '<div class="loginbuttonexternal">';
 	print img_picto('', 'google', 'class="pictofixedwidth"');
 	print $langs->trans("LoginWith", "Google");
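Review bot: The rewritten onclick in the second hunk ships a `console.log('Set beforeoauthloginredirect value')` to every visitor of the login page; the useful part of the change is the added `return false;`, which stops the browser from following `href="#"` after the form is submitted, and the debug call should not go with it. I would keep the line as `print '<a class="alogin" href="#" onclick="jQuery(\'#beforeoauthloginredirect\').val(\'google\'); $(this).closest(\'form\').submit(); return false;">';`. In the first hunk, the new `preg_replace('/(&)+/', '&', $php_self)` collapses repeated ampersands, but after the preceding strips a URL such as `index.php?action=login&username=x` presumably becomes `index.php?&`, which this pass does not clean up; a final `$php_self = preg_replace('/\?&/', '?', $php_self);` would cover that case, though I have not traced every input shape. The surrounding template code before line 74 is outside the hunk.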

+ 8 - 3
htdocs/main.inc.php

@@ -843,9 +843,13 @@ if (!defined('NOLOGIN')) {
 			// $authmode is an array for example: array('0'=>'dolibarr', '1'=>'googleoauth');
 			$oauthmodetotestarray = array('google');
 			foreach ($oauthmodetotestarray as $oauthmodetotest) {
-				if (in_array($oauthmodetotest.'oauth', $authmode) && GETPOST('beforeoauthloginredirect') != $oauthmodetotest) {
-					// If we did not click on the link to use OAuth authentication, we do not try it.
-					dol_syslog("User did not click on link for OAuth so we disable check using googleoauth");
+				if (in_array($oauthmodetotest.'oauth', $authmode)) {	// This is an authmode that is currently qualified. Do we have to remove it ?
+					// If we click on the link to use OAuth authentication or if we goes after callback return, we do nothing
+					if (GETPOST('beforeoauthloginredirect') == $oauthmodetotest || GETPOST('afteroauthloginreturn')) {
+						// TODO Use: if (GETPOST('beforeoauthloginredirect') == $oauthmodetotest || GETPOST('afteroauthloginreturn') == $oauthmodetotest) {
+						continue;
+					}
+					dol_syslog("User did not click on link for OAuth or is not on the OAuth return, so we disable check using ".$oauthmodetotest);
 					foreach ($authmode as $tmpkey => $tmpval) {
 						if ($tmpval == $oauthmodetotest.'oauth') {
 							unset($authmode[$tmpkey]);
@@ -855,6 +859,7 @@ if (!defined('NOLOGIN')) {
 				}
 			}
 
+			// Check login for all qualified modes in array $authmode.
 			$login = checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode);
 			if ($login === '--bad-login-validity--') {
 				$login = '';
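Review bot: The new condition on the `GETPOST('afteroauthloginreturn')` branch keeps the googleoauth mode qualified for any non-empty value of that parameter, and the TODO comment on the next line already states the intended fix, so I would apply it in this commit rather than leave the looser check in place: `if (GETPOST('beforeoauthloginredirect') == $oauthmodetotest || GETPOST('afteroauthloginreturn') == $oauthmodetotest) {`. As written, any request that carries `afteroauthloginreturn=1` reaches checkLoginPassEntity with googleoauth still in $authmode; the check itself presumably still depends on the session hash set by the callback, so the exposure looks limited, but the comparison should be tied to the provider name as the TODO says, and the TODO line then goes away. The `in_array($oauthmodetotest.'oauth', $authmode)` test would also benefit from `strict: true`. The outer `if (!defined('NOLOGIN'))` block and the inner foreach over $authmode both continue outside the hunk.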