If a user's account is "blocked" (eg, they registered their account but haven't activated it yet)
and they attempt to log in with persistent login turned on (ie, "Remember Me")
and they used the correct username/password (ie, the login attempt would have succeeded if they weren't blocked)
then they will receive the E_NOLOGIN_BLOCKED message ("Login denied! Your account has either been blocked or you [...]") twice on the return page and will continue to receive the E_NOLOGIN_BLOCKED message (once) on every page they visit afterwards until the persistent login cookie is removed or expires.
Reported on:
Joomla 1.5.25
Classification:
Low
Affected functions:
Related files:
/libraries/joomla/application/application.php -> login()
/plugins/authentication/joomla.php -> onAuthenticate()
Steps to replicate:
(have cookies enabled on your browser)
1) Register a new user (do not validate) or block an existing one
2) Log in as that user with the correct credentials and "Remember Me" activated
You should now see the "Login denied! Your account has either been blocked..." error message twice.
3) Click through to other pages on the site; you should see the "Login denied! Your account has either been blocked..." error message on every page.
Analysis:
The /plugins/authentication/joomla.php->onAuthenticate() method only checks that the username exists and that the password is valid for that username. Because of that, a blocked user who attempts to log in with correct credentials is successfully authenticated. When persistent login is enabled, a cookie is created in /libraries/joomla/application/application.php->login() to log the user back in each time a page is loaded (including for blocked accounts). However, since the user is blocked, the login attempt fails and they receive the block message. This repeats until the cookie expires or is deleted.
Proposed fix(es):
My fix was to have /plugins/authentication/joomla.php -> onAuthenticate() check for the block status as one of the conditions of successful login:
original (line 73):
    $query = 'SELECT `id`, `password`, `gid`'
        . ' FROM `#__users`'
        . ' WHERE username=' . $db->Quote( $credentials['username'] )
    ;
modified (also select the block column):
    $query = 'SELECT `id`, `password`, `gid`, `block`'
        . ' FROM `#__users`'
        . ' WHERE username=' . $db->Quote( $credentials['username'] )
    ;
original:
    if($result)
    {
        $parts = explode( ':', $result->password );
modified (fail authentication before the password is even checked when the account is blocked):
    if($result)
    {
        if($result->block==1) {
            $response->status = JAUTHENTICATE_STATUS_FAILURE;
            $response->error_message = 'User account is blocked';
            return;
        }
        $parts = explode( ':', $result->password );
/libraries/joomla/application/application.php -> login()
original (line 595):
    return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_LOGIN_AUTHENTICATE'));
modified (report the block reason instead of a generic authentication failure):
    if($response->error_message=="User account is blocked") {
        return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_NOLOGIN_BLOCKED'));
    } else {
        return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_LOGIN_AUTHENTICATE'));
    }
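To make the analysis and the proposed fix concrete, here is a reduced model of the authenticate/login flow, written for this report as an added example (it is not Joomla code). It assumes PHP 7.1 or later, a constructed one-row stand-in for the #__users table with the md5(password.salt):salt format that the explode(':') above implies, and that the block status is only examined after the remember-me cookie has already been written, which is the ordering the analysis describes.

```php
<?php
// Added example, not Joomla code: a reduced model of the authenticate/login flow
// described in the report. The user table, credentials and cookie jar are constructed.
const AUTH_SUCCESS = 0;
const AUTH_FAILURE = 4;
// Constructed stand-in for #__users; password stored as md5(password . salt) . ':' . salt.
$users = [
    'bob' => ['id' => 43, 'password' => md5('s3cret' . 'xyz') . ':xyz', 'block' => 1],
];
// Models onAuthenticate(); $checkBlock = true applies the proposed fix.
function authenticate(array $users, string $username, string $password, bool $checkBlock): array
{
    if (!isset($users[$username])) {
        return ['status' => AUTH_FAILURE, 'error' => 'User does not exist'];
    }
    $row = $users[$username];
    if ($checkBlock && $row['block'] == 1) {
        return ['status' => AUTH_FAILURE, 'error' => 'User account is blocked'];
    }
    [$hash, $salt] = explode(':', $row['password']);
    if (md5($password . $salt) !== $hash) {
        return ['status' => AUTH_FAILURE, 'error' => 'Invalid password'];
    }
    return ['status' => AUTH_SUCCESS, 'error' => ''];
}
// Models login(): the remember-me cookie is written as soon as authentication succeeds;
// the block status is only examined afterwards (assumed ordering, per the report's analysis).
function login(array $users, array $credentials, bool $remember, bool $checkBlock, array &$cookies): string
{
    $r = authenticate($users, $credentials['username'], $credentials['password'], $checkBlock);
    if ($r['status'] !== AUTH_SUCCESS) {
        return $r['error'] === 'User account is blocked' ? 'E_NOLOGIN_BLOCKED' : 'E_LOGIN_AUTHENTICATE';
    }
    if ($remember) {
        $cookies['remember'] = $credentials['username']; // stand-in for the real cookie value
    }
    if ($users[$credentials['username']]['block'] == 1) {
        return 'E_NOLOGIN_BLOCKED'; // too late: the persistent cookie already exists
    }
    return 'logged in';
}
// Run the blocked user through both variants: without the fix the cookie is written
// even though the login is refused; with the fix authentication fails before the cookie step.
foreach ([false, true] as $fixed) {
    $cookies = [];
    $msg = login($users, ['username' => 'bob', 'password' => 's3cret'], true, $fixed, $cookies);
    printf("fix %s: %s, remember-me cookie %s\n", $fixed ? 'on ' : 'off', $msg,
        isset($cookies['remember']) ? 'set' : 'not set');
}
```

In the unfixed run the cookie survives the refused login, which is exactly what drives the repeated E_NOLOGIN_BLOCKED message on every subsequent page.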
Topic / Artifact ID:
n/a
System info:
n/a