
This queue is for tickets about the Plack-Middleware-Auth-Form CPAN distribution.

Report information
The Basics
Id: 75899
Status: resolved
Priority: 0/
Queue: Plack-Middleware-Auth-Form

People
Owner: Nobody in particular
Requestors: cpan [...] sourcentral.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.010
Fixed in: (no value)
Subject: login form shown even if user is authorized
While playing around with Auth::Form I found that you get the login form even if you are authorized. It looks like $env->{user} is not a valid test to check if the user is authorized. The return of a single value is not a valid response, this means the invalid check saved you from error messages. The proposed fix is in auth-form-already.patch. I am not sure if it is better to have a 302 redirect if redir_to is set instead of a 200 "already logged in", that's up to you. For security reasons I propose another patch (auth-form-loginerror.patch). If a login is unsuccessful, user_id and remember attribute should be deleted from session, so a login with wrong credentials is like a logout.
Subject: auth-form-loginerror.patch
--- /usr/share/perl5/vendor_perl/Plack/Middleware/Auth/Form.pm.orig 2011-08-04 21:59:06.000000000 +0200 +++ /usr/share/perl5/vendor_perl/Plack/Middleware/Auth/Form.pm 2012-03-20 06:58:30.246457008 +0100 @@ -84,7 +84,10 @@ [ Location => $redir_to ], [ $self->_wrap_body( "<a href=\"$redir_to\">Back</a>" ) ] ]; - } + } else { + delete $env->{'psgix.session'}{user_id}; + delete $env->{'psgix.session'}{remember}; + } } $env->{'psgix.session'}{redir_to} ||= $env->{HTTP_REFERER} || '/'; my $form = $self->_render_form(
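Review bot: the new `else` branch attaches to an `if` whose condition lies outside the hunk's context lines, so it is not visible here whether that `if` tests a successful authentication or only the presence of `$redir_to`; if it is the latter, a valid login with no redirect target would have its `user_id` and `remember` deleted immediately after they were set. Confirm the condition and, if needed, place the two `delete` calls explicitly in the failed-authentication path. Deleting only `user_id` and `remember` rather than dropping the whole session hash is the right granularity, since the session is reused on the very next line (`$env->{'psgix.session'}{redir_to} ||= ...`).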
Subject: auth-form-already.patch
--- /usr/share/perl5/vendor_perl/Plack/Middleware/Auth/Form.pm.orig 2011-08-04 21:59:06.000000000 +0200 +++ /usr/share/perl5/vendor_perl/Plack/Middleware/Auth/Form.pm 2012-03-20 07:02:22.506459016 +0100 @@ -59,8 +59,12 @@ ]; } my $params = Plack::Request->new( $env )->parameters; - if( defined $env->{user} ){ - return 'Already logged in'; + if( defined $env->{'psgix.session'}{user_id} ){ + return [ + 200, + [ 'Content-Type' => 'text/html', ], + [ $self->_wrap_body( 'Already logged in' ) ] + ]; } elsif( $env->{REQUEST_METHOD} eq 'POST' ){ my $user_id;
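Review bot: no regression test accompanies this hunk; the removed `return 'Already logged in';` handed back a bare scalar instead of a PSGI response triple, which is why the broken `$env->{user}` check went unnoticed, and a test that seeds `psgix.session`->{user_id} and asserts a 200 with the 'Already logged in' body would guard both fixes at once. Note also that the check runs before the `POST` branch, so a user who already has `user_id` in the session cannot re-authenticate as a different user through this form without logging out first; that is reasonable but should be documented, as should the still-open choice between a 200 body and a 302 to `redir_to` that the ticket raises.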
Thanks a lot for the report! I've implemented the changes in: https://github.com/zby/Plack-Middleware-Auth-Form/commit/847f26a2e3a52cd410bed9d9bbce45e0e436853a and https://github.com/zby/Plack-Middleware-Auth-Form/commit/d36cf5af7ea9f132f238d09b187984a8b16ad7d7
The changes above are published in version 0.011.