Roundcubemail devel
parent: 27032fb8 | patch | commit | show whitespace
Aleksander Machniak
2012-09-18 d9921e4d3f6c24d041838d242d2ae8b474ceae36 
Don't store user password in database (#1486553)
2 files modified
32 ■■■■ changed files
plugins/http_authentication/http_authentication.php 26 ●●●● patch | view | raw | blame | history
plugins/http_authentication/package.xml 6 ●●●● patch | view | raw | blame | history 
 plugins/http_authentication/http_authentication.php


@@ -17,7 +17,6 @@


 */


class http_authentication extends rcube_plugin


{


  public $task = 'login|logout';




  function init()


  {


@@ -28,10 +27,19 @@




  function startup($args)


  {


    // change action to login


    if (empty($args['action']) && empty($_SESSION['user_id'])


        && !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW']))


        if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {


            $rcmail = rcmail::get_instance();


            $rcmail->add_shutdown_function(array('http_authentication', 'shutdown'));




            // handle login action


            if (empty($args['action']) && empty($_SESSION['user_id'])) {


      $args['action'] = 'login';


            }


            // Set user password in session (see shutdown() method for more info)


            else if (!empty($_SESSION['user_id']) && empty($_SESION['password'])) {


                $_SESSION['password'] = $rcmail->encrypt($_SERVER['PHP_AUTH_PW']);


            }


        }




    return $args;


  }


@@ -58,10 +66,18 @@


  function logout($args)


  {


    // redirect to configured URL in order to clear HTTP auth credentials


    if (!empty($_SERVER['PHP_AUTH_USER']) && $args['user'] == $_SERVER['PHP_AUTH_USER'] && ($url = rcmail::get_instance()->config->get('logout_url'))) {


        if (!empty($_SERVER['PHP_AUTH_USER']) && $args['user'] == $_SERVER['PHP_AUTH_USER']) {


            if ($url = rcmail::get_instance()->config->get('logout_url')) {


      header("Location: $url", true, 307);


    }


  }


    }




    function shutdown()


    {


        // There's no need to store password (even if encrypted) in session


        // We'll set it back on startup (#1486553)


        rcmail::get_instance()->session->remove('password');


    }


}






 plugins/http_authentication/package.xml


@@ -13,10 +13,10 @@


        <email>roundcube@gmail.com</email>


        <active>yes</active>


    </lead>


    <date>2011-11-21</date>


    <date>2012-09-18</date>


    <version>


        <release>1.4</release>


        <api>1.4</api>


        <release>1.5</release>


        <api>1.5</api>


    </version>


    <stability>


        <release>stable</release>