The Joomla! Forum ™



PostPosted: Tue Feb 28, 2012 5:11 pm 
Joomla! Enthusiast

Joined: Thu Oct 30, 2008 7:27 pm
Posts: 159
Description:

If a user's account is "blocked" (e.g., they registered their account but haven't activated it yet),
and they attempt to log in with persistent login turned on (i.e., "Remember Me"),
and they used the correct username/password (i.e., the login attempt would have been successful if they weren't blocked),
then they will receive the E_NOLOGIN_BLOCKED message ("Login denied! Your account has either been blocked or you [...]") twice on the return page and will continue to receive the E_NOLOGIN_BLOCKED message (once) on every page they visit afterwards until the persistent login cookie is removed or expires.



Reported on:
Joomla 1.5.25



Classification:
Low



Affected functions:
Related files:
/libraries/joomla/application/application.php -> login()
/plugins/authentication/joomla.php -> onAuthenticate()



Steps to replicate:

(have cookies enabled on your browser)
1) Register a new user (do not validate) or block an existing one.
2) Log in as that user with correct credentials and "Remember Me" activated.
You should now see the "Login denied! Your account has either been blocked..." error message twice.
3) Click on other pages on the site; you should see the "Login denied! Your account has either been blocked..." error message on every page.



Analysis:
The /plugins/authentication/joomla.php->onAuthenticate() method only checks that the username exists and that the password is valid for that username. Because of that, a blocked user who attempts to log in with correct credentials is successfully authenticated. When persistent login is enabled a cookie is created in /libraries/joomla/application/application.php->login() to log the user back in each time the page is loaded (including for blocked accounts). However, since the user is blocked the login attempt fails and they receive the block message. This will continue until the cookie expires or is deleted.



Proposed fix(es):

My fix was to have /plugins/authentication/joomla.php -> onAuthenticate() check for the block status as one of the conditions of successful login:

original (line 73):
Code:
      $query = 'SELECT `id`, `password`, `gid`'
         . ' FROM `#__users`'
         . ' WHERE username=' . $db->Quote( $credentials['username'] )
         ;


change (add the `block` column to fields returned):
Code:
      $query = 'SELECT `id`, `password`, `gid`, `block`'
         . ' FROM `#__users`'
         . ' WHERE username=' . $db->Quote( $credentials['username'] )
         ;


original (line 81):
Code:
      if($result)
      {
         $parts   = explode( ':', $result->password );


change (check the block status and return failure if 1):
Code:
      if($result)
      {
         // Refuse a blocked account (block = 1) inside the plugin, so login()
         // never treats it as authenticated and never issues the persistent cookie
         if($result->block==1) {
            $response->status = JAUTHENTICATE_STATUS_FAILURE;
            $response->error_message = 'User account is blocked';
            return;
         }
         $parts   = explode( ':', $result->password );


This solves the issue, but if onAuthenticate() fails for any reason only one error message is sent to the user ("E_LOGIN_AUTHENTICATE"). So I corrected this accordingly:

/libraries/joomla/application/application.php -> login()


original (line 595):
Code:
      return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_LOGIN_AUTHENTICATE'));


change:
Code:
      // Map the plugin's block failure to the blocked message; every other
      // authentication failure keeps the generic E_LOGIN_AUTHENTICATE message
      if($response->error_message=="User account is blocked") {
         return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_NOLOGIN_BLOCKED'));
      } else {
         return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_LOGIN_AUTHENTICATE'));
      }




Topic / Artifact ID:
n/a



System info:
n/a
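
The flow described in the analysis and the proposed fix above, as an added example that is not part of the original post or of Joomla's code. It models the plugin-side check (the role of onAuthenticate()) and the application-side cookie decision (the role of login()) as two plain functions over a constructed user table stored in the Joomla 1.5 md5(password.salt):salt format; the function names, the AUTH_* status values and the two sample rows are assumptions for illustration. It departs from the posted patch in one respect: the block status is tested only after the password has been verified, so a wrong password produces the same response whether or not the account is blocked, and the block state of an account cannot be probed without its password.

```php
<?php
// Added example (not Joomla code): a self-contained model of the login path the
// post describes. Names (authenticateUser, loginWithRememberMe, the AUTH_* status
// values) and the two user rows are constructed for illustration.

declare(strict_types=1);

// Illustrative status values, not Joomla's JAUTHENTICATE_STATUS_* constants.
const AUTH_SUCCESS = 'success';
const AUTH_FAILURE = 'failure';
const AUTH_BLOCKED = 'blocked';

// Joomla 1.5 stored passwords as md5(password . salt) . ':' . salt; this helper
// only produces rows in that legacy format for the sample table below.
function legacyPasswordField(string $password, string $salt): string
{
    return md5($password . $salt) . ':' . $salt;
}

// Constructed stand-in for the #__users table (id, username, password, block).
function sampleUsers(): array
{
    return [
        'alice' => ['id' => 62, 'username' => 'alice', 'block' => 0,
                    'password' => legacyPasswordField('correct horse', 'a1b2c3')],
        'bob'   => ['id' => 63, 'username' => 'bob',   'block' => 1,   // registered, never activated
                    'password' => legacyPasswordField('battery staple', 'd4e5f6')],
    ];
}

// Plugin-side check, equivalent in role to onAuthenticate(): credentials first,
// account status second. Testing block before the password would let anyone
// learn that an account is blocked without knowing its password.
function authenticateUser(array $users, string $username, string $password): array
{
    $row = $users[$username] ?? null;
    if ($row === null) {
        return ['status' => AUTH_FAILURE, 'error_message' => 'Invalid username or password'];
    }
    $parts = explode(':', $row['password'], 2);
    $crypt = $parts[0];
    $salt  = $parts[1] ?? '';
    if (!hash_equals($crypt, md5($password . $salt))) {
        return ['status' => AUTH_FAILURE, 'error_message' => 'Invalid username or password'];
    }
    if ((int) $row['block'] === 1) {
        return ['status' => AUTH_BLOCKED, 'error_message' => 'User account is blocked'];
    }
    return ['status' => AUTH_SUCCESS, 'error_message' => '', 'id' => $row['id']];
}

// Application-side login, equivalent in role to JApplication::login(): the
// persistent-login cookie is issued only for a fully successful authentication,
// so a blocked account never receives a cookie that re-triggers the failure on
// every page load.
function loginWithRememberMe(array $users, string $username, string $password, bool $remember): array
{
    $response = authenticateUser($users, $username, $password);
    switch ($response['status']) {
        case AUTH_SUCCESS:
            return ['ok' => true,  'cookie_issued' => $remember, 'message' => ''];
        case AUTH_BLOCKED:
            return ['ok' => false, 'cookie_issued' => false,     'message' => 'E_NOLOGIN_BLOCKED'];
        default:
            return ['ok' => false, 'cookie_issued' => false,     'message' => 'E_LOGIN_AUTHENTICATE'];
    }
}

$users = sampleUsers();
$cases = [
    ['alice', 'correct horse',  true],  // active account, remember me: cookie issued
    ['bob',   'battery staple', true],  // blocked account, right password: one blocked message, no cookie
    ['bob',   'wrong',          true],  // blocked account, wrong password: same response as alice below
    ['alice', 'wrong',          true],
];
foreach ($cases as [$u, $p, $r]) {
    $res = loginWithRememberMe($users, $u, $p, $r);
    printf("%-6s ok=%-5s cookie=%-5s %s\n", $u,
        var_export($res['ok'], true), var_export($res['cookie_issued'], true), $res['message']);
}
```

Run it with `php` on the command line; it prints one line per case. The blocked account with the right password gets E_NOLOGIN_BLOCKED exactly once and no cookie, and with a wrong password its output is identical to the active account's, which is the property the posted patch gives up by checking `block` before the password.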

