[ros-diffs] [cfinck] 33936: - Fix/unhack/simplify/rewrite the RosCMS authentication module for phpBB. This should finally fix all Login/Logout problems people were experiencing. - Don't do any RosCMS-related stuff in login_box(), this is all done in the Authentication module now. - Disable the phpBB autologin, it interferes with the RosCMS Login.

cfinck at svn.reactos.org cfinck at svn.reactos.org
Wed Jun 11 22:02:20 CEST 2008


Author: cfinck
Date: Wed Jun 11 15:02:19 2008
New Revision: 33936

URL: http://svn.reactos.org/svn/reactos?rev=33936&view=rev
Log:
- Fix/unhack/simplify/rewrite the RosCMS authentication module for phpBB.
  This should finally fix all Login/Logout problems people were experiencing.
- Don't do any RosCMS-related stuff in login_box(), this is all done in the Authentication module now.
- Disable the phpBB autologin, it interferes with the RosCMS Login.

Modified:
    trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php
    trunk/web/reactos.org/htdocs/forum/includes/functions.php

Modified: trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php
URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php?rev=33936&r1=33935&r2=33936&view=diff
==============================================================================
--- trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php [iso-8859-1] (original)
+++ trunk/web/reactos.org/htdocs/forum/includes/auth/auth_roscms.php [iso-8859-1] Wed Jun 11 15:02:19 2008
@@ -12,52 +12,23 @@
 	exit;
 }
 
+require_once("$phpbb_root_path/../roscms/inc/subsys_login.php");
+
 /**
 * Login function
 */
 define(ROSCMS_DB_NAME, "roscms");
 
-function login_roscms(&$userid, &$password)
+function login_roscms(&$username, &$password)
 {
 	global $db, $config;
 	
-	// We only check the User ID here.
-	if (!$userid)
-	{
-		return array(
-			'status'	=> LOGIN_ERROR_USERNAME,
-			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
-			'user_row'	=> array('user_id' => ANONYMOUS),
-		);
-	}
-
-	// Get the phpBB ID of the user belonging to the "roscmsusrkey" cookie
-	$sql = "SELECT m.map_subsys_userid " .
-	       "FROM " . ROSCMS_DB_NAME . ".user_sessions s, " . ROSCMS_DB_NAME . ".users u, " . ROSCMS_DB_NAME . ".subsys_mappings m " .
-	       "WHERE s.usersession_id = '" . $db->sql_escape($_COOKIE["roscmsusrkey"]) . "' AND (s.usersession_expires IS NULL OR NOW() <= s.usersession_expires) " .
-	       "AND u.user_id = s.usersession_user_id AND (u.user_setting_ipaddress = 'false' OR s.usersession_ipaddress = '" . $db->sql_escape($_SERVER["REMOTE_ADDR"]) . "') " .
-	       "AND (u.user_setting_browseragent = 'false' OR s.usersession_browseragent = '" . $db->sql_escape($_SERVER["HTTP_USER_AGENT"]) . "') " .
-	       "AND m.map_roscms_userid = s.usersession_user_id " .
-	       "AND m.map_subsys_name = 'phpbb'";
-	$result = $db->sql_query($sql);
-	$row = $db->sql_fetchrow($result);
-	$db->sql_freeresult($result);
+	// We ignore both username and password here and retrieve the login data on our own using roscms_subsys_login
+	// This will either retrieve the phpbb user ID of the user currently logged in or redirect us to the RosCMS login page.
+	$userid = (int)roscms_subsys_login("phpbb", ROSCMS_LOGIN_REQUIRED, "/forum");
 	
-	// Verify this ID against $userid
-	if(!$row || $row["map_subsys_userid"] != $userid)
-	{
-		return array(
-			'status'	=> LOGIN_ERROR_USERNAME,
-			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
-			'user_row'	=> array('user_id' => ANONYMOUS),
-		);
-	}
-	
-	// Now get the user information based on this ID
-	$sql = "SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts " .
-	       "FROM " . USERS_TABLE . " " .
-	       "WHERE user_id = " . (int)$userid;
-	
+	// Now get the user row based on this ID
+	$sql = "SELECT * FROM " . USERS_TABLE . " WHERE user_id = $userid";
 	$result = $db->sql_query($sql);
 	$row = $db->sql_fetchrow($result);
 	$db->sql_freeresult($result);
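Review bot: Nothing in this hunk rejects a `$userid` of 0 or ANONYMOUS before the `SELECT`, whereas the removed code returned `LOGIN_ERROR_USERNAME` explicitly for a missing ID and for a mismatch. The `(int)` cast keeps the interpolated value safe for the query, but the function now trusts whatever `roscms_subsys_login` returns as the identity. I would add a guard right after the call, `if ($userid <= 0 || $userid == ANONYMOUS)`, returning the same `LOGIN_ERROR_USERNAME` array the old code used. The rest of login_roscms, including whatever handles an empty `$row`, lies outside the hunk, so this may already be covered there.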
@@ -89,29 +60,38 @@
 	);
 }
 
+/* This function is called, when a session cookie already exists and we try to verify if it's valid. */
 function validate_session_roscms(&$user)
+{
+	// Check if our current RosCMS login is (still) valid, check the session expiration time and perform session cleanups.
+	$valid_login = (roscms_subsys_login("phpbb", ROSCMS_LOGIN_OPTIONAL, "") != 0);
+	
+	// If we have a valid login, but the phpBB user ID is still ANONYMOUS, the user was logged in to RosCMS, but not yet to phpBB.
+	// So do that now.
+	if($valid_login && $user["user_id"] == ANONYMOUS)
+		login_box();
+	
+	return $valid_login;
+}
+
+/* This function is called, when no phpBB session exists and we're in the process of creating the session cookie. */
+function autologin_roscms()
 {
 	global $db;
 	
-	if($_COOKIE["roscmsusrkey"])
+	// Get the User ID of the logged in user (if any), check the session expiration time and perform session cleanups.
+	$userid = (int)roscms_subsys_login("phpbb", ROSCMS_LOGIN_OPTIONAL, "");
+	
+	if($userid)
 	{
-		if($user["user_id"] == ANONYMOUS)
-		{
-			// The user is logged in in RosCMS, but not yet in phpBB. Do that now
-			login_box();
-		}
-		else
-		{
-			// Update the session expiration time
-			$sql = "UPDATE " . ROSCMS_DB_NAME . ".user_sessions " .
-			       "SET usersession_expires = DATE_ADD(NOW(), INTERVAL 30 MINUTE) " .
-			       "WHERE usersession_id = '" . $db->sql_escape($_COOKIE["roscmsusrkey"]) . "' " .
-			       "AND usersession_expires IS NOT NULL";
-			$db->sql_query($sql);
-		}
+		// Return the phpBB user row if a user is logged in.
+		$sql = "SELECT * FROM " . USERS_TABLE . " WHERE user_id = $userid";
+		$result = $db->sql_query($sql);
+		$row = $db->sql_fetchrow($result);
+		$db->sql_freeresult($result);
+		
+		return $row;
 	}
-	
-	return true;
 }
 
 ?>
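Review bot: `autologin_roscms` returns the fetched row without looking at `user_type`, so a phpBB account that was set inactive would presumably still get a forum session while its RosCMS session is alive; stock phpBB auth plugins filter `USER_INACTIVE` and `USER_IGNORE` at this point. The function also returns `false` when the mapped ID has no row and nothing at all when nobody is logged in, which a caller that counts the returned array may misread. I would end the `if` body with `return ($row && $row['user_type'] != USER_INACTIVE && $row['user_type'] != USER_IGNORE) ? $row : array();` and add a final `return array();`. Whether RosCMS already blocks deactivated forum accounts is not visible here.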

Modified: trunk/web/reactos.org/htdocs/forum/includes/functions.php
URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/forum/includes/functions.php?rev=33936&r1=33935&r2=33936&view=diff
==============================================================================
--- trunk/web/reactos.org/htdocs/forum/includes/functions.php [iso-8859-1] (original)
+++ trunk/web/reactos.org/htdocs/forum/includes/functions.php [iso-8859-1] Wed Jun 11 15:02:19 2008
@@ -15,8 +15,6 @@
 {
 	exit;
 }
-
-require_once("$phpbb_root_path/../roscms/inc/subsys_login.php");
 
 // Common global functions
 
@@ -2257,14 +2255,9 @@
 		}
 		trigger_error('NO_AUTH_ADMIN');
 	}
-
-	// Login using RosCMS
-	// The function will return the phpBB user ID if we're already logged in.
-	// Otherwise this function will be automatically called again through validate_session_roscms, when we will be redirected to the forum.
-	$userid = roscms_subsys_login("phpbb", ROSCMS_LOGIN_REQUIRED, "/forum");
 	
-	// If authentication is successful we redirect user to previous page
-	$result = $auth->login($userid, '', true, true, $admin);
+	// Don't pass anything here, login_roscms will call roscms_subsys_login on its own.
+	$result = $auth->login('', '', false, true, $admin);
 
 	// If admin authentication and login, we will log if it was a success or not...
 	// We also break the operation on the first non-success login - it could be argued that the user already knows
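Review bot: With `login_roscms` now ignoring the password, the `$admin` re-authentication in this `$auth->login('', '', false, true, $admin)` call is satisfied by the RosCMS session cookie alone. The extra password prompt phpBB normally places in front of the administration panel therefore no longer protects against a stolen or unattended session. If that trade-off is intended it deserves a comment at the call, for example `// NOTE: $admin re-auth is confirmed by the RosCMS session only; no password is re-checked.`; otherwise the admin path needs a fresh credential check on the RosCMS side. The enclosing function starts and ends outside this hunk.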


