diff options
author | cash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-14 17:25:13 +0000 |
---|---|---|
committer | cash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-14 17:25:13 +0000 |
commit | a8d6a02d38e0726c917d02491a6ab29bef5f1e8a (patch) | |
tree | ad10f64cd370dbf0b3b7335d5acac42748719328 /engine | |
parent | 93c658d08d32503e1d84e7e736aa33e6d8a15d77 (diff) | |
download | elgg-a8d6a02d38e0726c917d02491a6ab29bef5f1e8a.tar.gz elgg-a8d6a02d38e0726c917d02491a6ab29bef5f1e8a.tar.bz2 |
user object needs to be loaded from database into session on each page in case the object has changed - this commit also handles a user who has been deleted with an active session
git-svn-id: http://code.elgg.org/elgg/trunk@3681 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/sessions.php | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index 7a6250afb..18a66f3ff 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -235,9 +235,6 @@ function authenticate($username, $password) { * 'username' and 'password' (cleartext). */ function pam_auth_userpass($credentials = NULL) { - $max_in_period = 3; // max 3 login attempts in - $period_length = 5; // 5 minutes - $periods = array(); if (is_array($credentials) && ($credentials['username']) && ($credentials['password'])) { if ($user = get_user_by_username($credentials['username'])) { @@ -247,7 +244,7 @@ function pam_auth_userpass($credentials = NULL) { return false; } - // User has been banned, so bin them. + // User has been banned, so prevent from logging in if ($user->isBanned()) { return false; } @@ -324,6 +321,7 @@ function reset_login_failure_count($user_guid) { * @return bool on exceeded limit. */ function check_rate_limit_exceeded($user_guid) { + // 5 failures in 5 minutes causes temporary block on logins $limit = 5; $user_guid = (int)$user_guid; $user = get_entity($user_guid); @@ -422,7 +420,7 @@ function login(ElggUser $user, $persistent = false) { function logout() { global $CONFIG; - if (isset($_SESSION['user'])) { + if (isset($_SESSION['user'])) { if (!trigger_elgg_event('logout','user',$_SESSION['user'])) { return false; } @@ -529,7 +527,19 @@ function session_init($event, $object_type, $object) { } } else { // we have a session and we have already checked the fingerprint - // no need to load user data because it should already be in the session + // reload the user object from database in case it has changed during the session + if ($user = get_user($_SESSION['guid'])) { + $_SESSION['user'] = $user; + $_SESSION['id'] = $user->getGUID(); + $_SESSION['guid'] = $_SESSION['id']; + $_SESSION['code'] = $_COOKIE['elggperm']; + } else { + // user must have been deleted with a session active + unset($_SESSION['user']); + unset($_SESSION['id']); + unset($_SESSION['guid']); + unset($_SESSION['code']); + } } if (isset($_SESSION['guid'])) { |