From: Janusz Dobrowolski <janusz@frontaccounting.eu>
Date: Tue, 15 Sep 2009 17:32:00 +0000 (+0000)
Subject: Fixed GET continuation after timeot and logout page access without authorization.
X-Git-Tag: v2.4.2~19^2~1240
X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=commitdiff_plain;h=c31829537f02787dd94654820dd74168c054b8c4;p=fa-stable.git

Fixed GET continuation after timeot and logout page access without authorization.
---

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 77327d13..cff0b998 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -29,6 +29,10 @@ $ /includes/ui/ui_lists.inc
 ! Changed security roles in default COAs.
 $ /sql/en_US-demo.sql
   /sql/en_US-new.sql
+# Fixed GET call continuation after timeout and logout page access without authorization
+$ /access/login.php
+  /includes/session.inc
+  /includes/prefs/userprefs.inc
 
 14-Sep-2009 Joe Hunt
 ! Changed all numeric constants to the new defined constants. A huge task.
diff --git a/access/login.php b/access/login.php
index 759a7327..38b418e6 100644
--- a/access/login.php
+++ b/access/login.php
@@ -79,9 +79,7 @@ if (!$login_timeout) { // FA version info
 ?>
 		        <tr>
 		            <td colspan="2" rowspan="2">
-					<form action="<?php 
-						echo $login_timeout ? $_SERVER['PHP_SELF'] : $_SESSION['timeout']['uri'];
-					?>" name="loginform" method="post">
+					<form action="<?php echo $_SESSION['timeout']['uri']; ?> " name="loginform" method="post">
                     <table width="346" border="0" cellpadding="0" cellspacing="0">
 						<input type="hidden" id=ui_mode name="ui_mode" value="0">
                         <tr>
diff --git a/includes/prefs/userprefs.inc b/includes/prefs/userprefs.inc
index 62bfd7e6..76f82696 100644
--- a/includes/prefs/userprefs.inc
+++ b/includes/prefs/userprefs.inc
@@ -42,6 +42,9 @@ class user_prefs
 			// set default values, used before login
 			global $dflt_lang;
 			
+			$this->date_sep = 0;
+			$this->tho_sep = 0;
+			$this->dec_sep = 0;
 			$this->language = $dflt_lang;
 			$this->theme = 'default';
 			
diff --git a/includes/session.inc b/includes/session.inc
index a306acf0..d6fc4a7f 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -103,8 +103,7 @@ function strip_quotes($data)
 function login_timeout()
 {
 	// skip timeout on logout page
-	if ($_SESSION["wa_current_user"]->logged 
-			&& !strpos($_SERVER['PHP_SELF'], 'logout.php')) {
+	if ($_SESSION["wa_current_user"]->logged) {
 		$tout = $_SESSION["wa_current_user"]->timeout;
 		if ($tout && (time() > $_SESSION["wa_current_user"]->last_act + $tout))
 		{
@@ -191,50 +190,52 @@ if (!isset($_SESSION["wa_current_user"]))
 
 set_global_connection();
 
-login_timeout();
+// logout.php is the only page we should have always 
+// accessable regardless of access level and current login status.
+if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 
-if (!$_SESSION["wa_current_user"]->logged_in())
-{
-	// Show login screen
-	if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
+	login_timeout();
+
+	if (!$_SESSION["wa_current_user"]->logged_in())
 	{
-		if (strstr($_SERVER['PHP_SELF'], 'timeout.php') == false) 
+		// Show login screen
+		if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
+		{
 			$_SESSION['timeout'] = array( 'uri'=> $_SERVER['REQUEST_URI'],
 				'post' => $_POST);
 
-		if (!in_ajax()) {
-			include($path_to_root . "/access/login.php");
+			if (!in_ajax()) {
+				include($path_to_root . "/access/login.php");
+			} else {
+				// ajax update of current page elements - open login window in popup
+				// to not interfere with ajaxified page.
+				$Ajax->popup($path_to_root . "/access/timeout.php");
+			}
+			exit;
 		} else {
-			// ajax update of current page elements - open login window in popup
-			// to not interfere with ajaxified page.
-			$Ajax->popup($path_to_root . "/access/timeout.php");
-		}
-		exit;
-	} else {
-		$succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
-			$_POST["user_name_entry_field"],
-			md5($_POST["password"]));
-		// select full vs fallback ui mode on login
-		$_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
-		if (!$succeed)
-		{
+			$succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
+				$_POST["user_name_entry_field"], md5($_POST["password"]));
+			// select full vs fallback ui mode on login
+			$_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
+			if (!$succeed)
+			{
 			// Incorrect password
-			login_fail();
+				login_fail();
+			}
+			$lang = &$_SESSION['language'];
+			$lang->set_language($_SESSION['language']->code);
 		}
-		$lang = &$_SESSION['language'];
-		$lang->set_language($_SESSION['language']->code);
 	}
-}
 
-if (!isset($_SESSION["App"])) {
-	$_SESSION["App"] = new front_accounting();
-	$_SESSION["App"]->init();
-}
+	if (!isset($_SESSION["App"])) {
+		$_SESSION["App"] = new front_accounting();
+		$_SESSION["App"]->init();
+	}
 
 //----------------------------------------------------------------------------------------
 
-check_page_security($page_security);
-
+	check_page_security($page_security);
+}
 // POST vars cleanup needed for direct reuse.
 // We quote all values later with db_escape() before db update.
 	$_POST = strip_quotes($_POST);