[dokuwiki] Re: signing requests

  • From: Robin Gareus <robin@xxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Tue, 07 Apr 2009 18:01:18 +0200

Robin Gareus wrote:
> Mikhail I. Izmestev wrote:
>> + $evdata = array(
>> + 'action' => $ACT,
>> + 'user' => $_REQUEST['u'],
>> + 'password' => $_REQUEST['p'],
>> + 'sticky' => $_REQUEST['r'],
>> + 'silent' => $_REQUEST['http_credentials'],
>> + );
>> + $evt = new Doku_Event('AUTH_LOGIN_CHECK',$ACT);
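Review bot: the event is constructed with $ACT as its data argument, so the $evdata array built just above it (action, user, password, sticky, silent) is never handed to AUTH_LOGIN_CHECK handlers; the constructor should receive $evdata instead, i.e. `$evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata);`.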
>>
>> Maybe $evdata instead of $ACT must be used here?
> 
> Yes, you are quite right. Andy, can you patch inc/auth.php:
> 
> - $evt = new Doku_Event('AUTH_LOGIN_CHECK',$ACT);
> + $evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata);
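Review bot: swapping $ACT for $evdata fixes the data argument, but it also means every registered hook now receives a writable array containing the raw values copied from $_REQUEST['u'] and $_REQUEST['p'] in the quoted hunk above, which the rest of this message argues against; consider either limiting what the event carries (action plus token/signature material) or documenting that hooks must not rewrite 'user' and 'password'.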
> 
> I did not notice this, because the OAuth-plugin does not use
> $event->data, only $event->preventDefault().
> 
> To raise a bit of concern:
> 
> Andy:
OOPS - I meant "@Andi:" - sorry to get your name wrong.

> What were your intentions in passing a modifiable username & password
> along with the event, anyway?
> 
> My original patch ( see
> //www.freelists.org/post/dokuwiki/signing-requests,3 ) did not
> include this.
> 
> I don't see a good use-case for rewriting username&password from within
> an event hook. It will only inspire coders to /inject/ passwords via
> "AUTH_LOGIN_CHECK". Yet passwords should be handled via an
> inc/auth/*class.php
> 
> IMHO this event should only react to tokens or signatures and directly
> set $_SERVER['REMOTE_USER']=$user; global $auth, $USERINFO;
> $USERINFO = $auth->getUserData($_SERVER['REMOTE_USER']);
> 
> The problem with calling auth_login() is that it generates a session and
> doku_cookie, which should be left alone when authenticating a single
> request by signature.
> 
> 2c,
> robin
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
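The per-request, session-free authentication Robin sketches above (a hook on AUTH_LOGIN_CHECK that validates a signature, sets REMOTE_USER and $USERINFO itself, and prevents the default auth_login() so no session or cookie is created), written out as an added example. This is not code from the thread or from the DokuWiki project or OAuth plugin. The signature scheme is an assumption: HMAC-SHA256 over "METHOD\nPATH\nTIMESTAMP" keyed with a per-user secret, carried in hypothetical X-Wiki-User, X-Wiki-Timestamp and X-Wiki-Signature request headers, with the secret looked up through a hypothetical plugin setting; hash_equals() needs PHP 5.6 or later.

```php
<?php
/**
 * Added example, not DokuWiki project code and not from this thread.
 * Action plugin that authenticates one request from a signature inside the
 * AUTH_LOGIN_CHECK hook, without calling auth_login() (so no session and no
 * DokuWiki cookie are created) and without touching the event's
 * user/password data.
 *
 * Assumptions (not from the original post): the client sends the
 * hypothetical headers X-Wiki-User, X-Wiki-Timestamp, X-Wiki-Signature,
 * where the signature is HMAC-SHA256 over "METHOD\nPATH\nTIMESTAMP" keyed
 * with a per-user secret from a hypothetical 'secrets' plugin setting.
 */
if (!defined('DOKU_INC')) die();
if (!defined('DOKU_PLUGIN')) define('DOKU_PLUGIN', DOKU_INC.'lib/plugins/');
require_once(DOKU_PLUGIN.'action.php');

class action_plugin_signedrequest extends DokuWiki_Action_Plugin {

    const MAX_SKEW = 300; // seconds; limits replay of a captured request

    function register(Doku_Event_Handler $controller) {
        $controller->register_hook('AUTH_LOGIN_CHECK', 'BEFORE', $this, 'handle_login');
    }

    function handle_login(Doku_Event $event, $param) {
        global $auth, $USERINFO;

        $user = $this->header('X-Wiki-User');
        $ts   = $this->header('X-Wiki-Timestamp');
        $sig  = $this->header('X-Wiki-Signature');
        if ($user === null || $ts === null || $sig === null) {
            return; // not a signed request: leave normal login handling alone
        }
        if (!ctype_digit($ts) || abs(time() - (int)$ts) > self::MAX_SKEW) {
            return; // malformed or stale timestamp: do not authenticate
        }
        $secret = $this->sharedSecretFor($user);
        if ($secret === null) {
            return; // unknown user for this scheme
        }

        // Canonical string must match what the client signed (assumed format).
        $canonical = $_SERVER['REQUEST_METHOD']."\n".$_SERVER['REQUEST_URI']."\n".$ts;
        $expected  = hash_hmac('sha256', $canonical, $secret);
        if (!hash_equals($expected, $sig)) {
            return; // bad signature: fall through to the default handling
        }

        // Authenticate this single request only: set REMOTE_USER and the
        // user info directly, then stop auth_login() from running.
        $USERINFO = $auth->getUserData($user);
        if ($USERINFO === false) {
            return; // signature valid but no such account in the auth backend
        }
        $_SERVER['REMOTE_USER'] = $user;
        $event->preventDefault();
    }

    // Read a request header via PHP's HTTP_* server variables.
    private function header($name) {
        $key = 'HTTP_'.strtoupper(str_replace('-', '_', $name));
        return isset($_SERVER[$key]) ? $_SERVER[$key] : null;
    }

    // Hypothetical lookup of the per-user signing secret from plugin config.
    private function sharedSecretFor($user) {
        $secrets = $this->getConf('secrets'); // assumed array: user => secret
        return (is_array($secrets) && isset($secrets[$user])) ? $secrets[$user] : null;
    }
}
```

Because the handler never reads or writes $event->data, it works the same whether the event carries $ACT or $evdata, which is the property Robin wants from a signature-only hook: the username and password fields in the event data are left untouched and nothing in the hook can inject a password into the normal login path.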