Blocked User + Persistent Successful Login Attempt

drewgg
Joomla! Enthusiast
Posts: 161
Joined: Thu Oct 30, 2008 7:27 pm

Post by drewgg » Tue Feb 28, 2012 5:11 pm

Description:

If a user's account is "blocked" (eg, they registered their account but haven't activated it yet)
and they attempt to log in with persistent login turned on (ie, "Remember Me")
and they used the correct username/password (ie, the login attempt would have been successful if they weren't blocked)
then they will receive the E_NOLOGIN_BLOCKED message ("Login denied! Your account has either been blocked or you [...]") twice on the return page and will continue to receive the E_NOLOGIN_BLOCKED message (once) on every page they visit afterwards until the persistent login cookie is removed or expires.



Reported on:
Joomla 1.5.25



Classification:
Low



Affected functions:
Related files:
/libraries/joomla/application/application.php -> login()
/plugins/authentication/joomla.php -> onAuthenticate()



Steps to replicate:

(have cookies enabled on your browser)
1) Register a new user (do not validate) or block an existing one
2) Log in as that user using correct credentials and activate "remember me"
You should now see the "Login denied! Your account has either been blocked..." error message twice.
3) Click on other pages on the site; you should see the "Login denied! Your account has either been blocked..." error message on every page.



Analysis:
The /plugins/authentication/joomla.php->onAuthenticate() method only checks that the username exists and that the password is valid for that username. Because of that, a blocked user who attempts to log in with correct credentials is successfully authenticated. When persistent login is enabled a cookie is created in /libraries/joomla/application/application.php->login() to log the user back in each time the page is loaded (including for blocked accounts). However, since the user is blocked the login attempt fails and they receive the block message. This will continue until the cookie expires or is deleted.



Proposed fix(es):

My fix was to have /plugins/authentication/joomla.php -> onAuthenticate() check for the block status as one of the conditions of successful login:

original (line 73):

		// original: the block flag is never fetched, so it cannot be checked here
		$query = 'SELECT `id`, `password`, `gid`'
			. ' FROM `#__users`'
			. ' WHERE username=' . $db->Quote( $credentials['username'] )
			;
change (add the `block` column to fields returned):

		// change: also fetch `block` so onAuthenticate() can inspect it
		$query = 'SELECT `id`, `password`, `gid`, `block`'
			. ' FROM `#__users`'
			. ' WHERE username=' . $db->Quote( $credentials['username'] )
			;
original (line 81):

		// original: a matching row goes straight to the password check
		if($result)
		{
			$parts	= explode( ':', $result->password );
change (check the block status and return failure if 1):

		// change: a blocked account fails authentication before the password is checked,
		// so login() never issues the persistent login cookie for it
		if($result)
		{
			if($result->block==1) {
				$response->status = JAUTHENTICATE_STATUS_FAILURE;
				$response->error_message = 'User account is blocked';
				return;
			}
			$parts	= explode( ':', $result->password );
This solves the issue, but if onAuthenticate() fails for any reason only one error message is sent to the user ("E_LOGIN_AUTHENTICATE"). So I corrected this accordingly:

/libraries/joomla/application/application.php -> login()


original (line 595):

		// original: every authentication failure reports the same generic message
		return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_LOGIN_AUTHENTICATE'));
change:

		// change: match the error_message set by the authentication plugin above
		// and report the blocked-account message instead of the generic one
		if($response->error_message=="User account is blocked") {
			return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_NOLOGIN_BLOCKED'));
		} else {
			return JError::raiseWarning('SOME_ERROR_CODE', JText::_('E_LOGIN_AUTHENTICATE'));
		}


Topic / Artifact ID:
n/a



System info:
n/a
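The flow from the Analysis section, traced as an added Python model written for this page (it is neither Joomla code nor the reporter's patch): a blocked account authenticates on credentials alone, the Remember Me cookie is issued, and every later page load replays that cookie into the block check; with the proposed block check in onAuthenticate() the cookie is never issued. The names USERS, on_authenticate, login, load_page and simulate, and the sample account, are this model's own.

```python
import hashlib

E_NOLOGIN_BLOCKED = "E_NOLOGIN_BLOCKED"
E_LOGIN_AUTHENTICATE = "E_LOGIN_AUTHENTICATE"

def _hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed #__users rows; block=1 models an unactivated or blocked account.
USERS = {"alice": {"password": _hash("s3cret"), "block": 1}}

def on_authenticate(username, password, check_block):
    """Model of the joomla auth plugin; check_block=False is 1.5.25 behaviour."""
    row = USERS.get(username)
    if row is None or _hash(password) != row["password"]:
        return ("failure", E_LOGIN_AUTHENTICATE)
    if check_block and row["block"] == 1:
        return ("failure", E_NOLOGIN_BLOCKED)   # the proposed fix
    return ("success", None)

def login(username, password, remember, cookies, messages, check_block):
    """Model of JApplication::login(): the Remember Me cookie is issued on
    authentication success; the block flag is consulted only afterwards."""
    status, err = on_authenticate(username, password, check_block)
    if status != "success":
        messages.append(err)
        return False
    if remember:
        cookies["remember"] = (username, password)   # persistent login cookie
    if USERS[username]["block"] == 1:
        messages.append(E_NOLOGIN_BLOCKED)
        return False
    return True

def load_page(cookies, messages, check_block):
    """Each page load replays the cookie through login(), as the
    remember-me system plugin does on every request."""
    if "remember" in cookies:
        user, pw = cookies["remember"]
        login(user, pw, False, cookies, messages, check_block)

def simulate(check_block, pages=3):
    """Blocked user logs in with Remember Me, then views `pages` more pages.
    Returns (messages shown to the user, cookies left in the browser)."""
    cookies, messages = {}, []
    login("alice", "s3cret", True, cookies, messages, check_block)
    load_page(cookies, messages, check_block)   # the return page
    for _ in range(pages):
        load_page(cookies, messages, check_block)
    return messages, cookies
```

simulate(False) reproduces the report (two messages on the return page, then one per page, cookie still set); simulate(True) shows a single E_NOLOGIN_BLOCKED and no cookie.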
