projects / fa-stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5382717)
Fixed GET continuation after timeot and logout page access without authorization.
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Tue, 15 Sep 2009 17:32:00 +0000 (17:32 +0000)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Tue, 15 Sep 2009 17:32:00 +0000 (17:32 +0000)
CHANGELOG.txt patch | blob | history
access/login.php patch | blob | history
includes/prefs/userprefs.inc patch | blob | history
includes/session.inc patch | blob | history

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 77327d13ce5c290a994eb8cac4dea498f9160e16..cff0b998d3f8c954b707fbc990eccbe5d8e9fbb2 100644 (file)
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -29,6 +29,10 @@ $ /includes/ui/ui_lists.inc
 ! Changed security roles in default COAs.
 $ /sql/en_US-demo.sql
   /sql/en_US-new.sql
+# Fixed GET call continuation after timeout and logout page access without authorization
+$ /access/login.php
+  /includes/session.inc
+  /includes/prefs/userprefs.inc
 
 14-Sep-2009 Joe Hunt
 ! Changed all numeric constants to the new defined constants. A huge task.
diff --git a/access/login.php b/access/login.php
index 759a732755cad0458024568c5f5d86c1315da0cf..38b418e6a96035502296e39e8869409f74ea802a 100644 (file)
--- a/access/login.php
+++ b/access/login.php
@@ -79,9 +79,7 @@ if (!$login_timeout) { // FA version info
 ?>
                        <tr>
                            <td colspan="2" rowspan="2">
-                                       <form action="<?php 
-                                               echo $login_timeout ? $_SERVER['PHP_SELF'] : $_SESSION['timeout']['uri'];
-                                       ?>" name="loginform" method="post">
+                                       <form action="<?php echo $_SESSION['timeout']['uri']; ?> " name="loginform" method="post">
                     <table width="346" border="0" cellpadding="0" cellspacing="0">
                                                <input type="hidden" id=ui_mode name="ui_mode" value="0">
                         <tr>
diff --git a/includes/prefs/userprefs.inc b/includes/prefs/userprefs.inc
index 62bfd7e637726f3d760ecae5b5487976043a80bf..76f82696aa9ffe3ac403af2e7be16a439385c7e8 100644 (file)
--- a/includes/prefs/userprefs.inc
+++ b/includes/prefs/userprefs.inc
@@ -42,6 +42,9 @@ class user_prefs
                        // set default values, used before login
                        global $dflt_lang;
                        
+                       $this->date_sep = 0;
+                       $this->tho_sep = 0;
+                       $this->dec_sep = 0;
                        $this->language = $dflt_lang;
                        $this->theme = 'default';
                        
diff --git a/includes/session.inc b/includes/session.inc
index a306acf063010cabf703a03599cc8dea2b684763..d6fc4a7fe0a616a4fee106e57aa5a8b6675c2368 100644 (file)
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -103,8 +103,7 @@ function strip_quotes($data)
 function login_timeout()
 {
        // skip timeout on logout page
-       if ($_SESSION["wa_current_user"]->logged 
-                       && !strpos($_SERVER['PHP_SELF'], 'logout.php')) {
+       if ($_SESSION["wa_current_user"]->logged) {
                $tout = $_SESSION["wa_current_user"]->timeout;
                if ($tout && (time() > $_SESSION["wa_current_user"]->last_act + $tout))
                {
@@ -191,50 +190,52 @@ if (!isset($_SESSION["wa_current_user"]))
 
 set_global_connection();
 
-login_timeout();
+// logout.php is the only page we should have always 
+// accessable regardless of access level and current login status.
+if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 
-if (!$_SESSION["wa_current_user"]->logged_in())
-{
-       // Show login screen
-       if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
+       login_timeout();
+
+       if (!$_SESSION["wa_current_user"]->logged_in())
        {
-               if (strstr($_SERVER['PHP_SELF'], 'timeout.php') == false) 
+               // Show login screen
+               if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
+               {
                        $_SESSION['timeout'] = array( 'uri'=> $_SERVER['REQUEST_URI'],
                                'post' => $_POST);
 
-               if (!in_ajax()) {
-                       include($path_to_root . "/access/login.php");
+                       if (!in_ajax()) {
+                               include($path_to_root . "/access/login.php");
+                       } else {
+                               // ajax update of current page elements - open login window in popup
+                               // to not interfere with ajaxified page.
+                               $Ajax->popup($path_to_root . "/access/timeout.php");
+                       }
+                       exit;
                } else {
-                       // ajax update of current page elements - open login window in popup
-                       // to not interfere with ajaxified page.
-                       $Ajax->popup($path_to_root . "/access/timeout.php");
-               }
-               exit;
-       } else {
-               $succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
-                       $_POST["user_name_entry_field"],
-                       md5($_POST["password"]));
-               // select full vs fallback ui mode on login
-               $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
-               if (!$succeed)
-               {
+                       $succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
+                               $_POST["user_name_entry_field"], md5($_POST["password"]));
+                       // select full vs fallback ui mode on login
+                       $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
+                       if (!$succeed)
+                       {
                        // Incorrect password
-                       login_fail();
+                               login_fail();
+                       }
+                       $lang = &$_SESSION['language'];
+                       $lang->set_language($_SESSION['language']->code);
                }
-               $lang = &$_SESSION['language'];
-               $lang->set_language($_SESSION['language']->code);
        }
-}
 
-if (!isset($_SESSION["App"])) {
-       $_SESSION["App"] = new front_accounting();
-       $_SESSION["App"]->init();
-}
+       if (!isset($_SESSION["App"])) {
+               $_SESSION["App"] = new front_accounting();
+               $_SESSION["App"]->init();
+       }
 
 //----------------------------------------------------------------------------------------
 
-check_page_security($page_security);
-
+       check_page_security($page_security);
+}
 // POST vars cleanup needed for direct reuse.
 // We quote all values later with db_escape() before db update.
        $_POST = strip_quotes($_POST);
FrontAccounting stable branch