From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Mon, 28 Mar 2011 09:03:43 +0000 (+0400)
Subject: only use autologin with SSL certificate when AUTO_LOGIN is enabled, otherwise redirec... 
X-Git-Tag: 1.5.3~102
X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=bf9fc06072f2dcd5b17aec1fe6a03b046236d360;p=tt-rss.git

only use autologin with SSL certificate when AUTO_LOGIN is enabled, otherwise redirect to login form as with remote auth
---

diff --git a/config.php-dist b/config.php-dist
index 26e8a02f..531ce20b 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -133,9 +133,12 @@
 	// used to integrate tt-rss with Apache's external authentication modules.
 
 	define('AUTO_LOGIN', false);
-	// Set this to true if you use ALLOW_REMOTE_USER_AUTH and you want
-	// to skip the login form. If set to true, users won't be able to
-	// set application language and settings profile.
+	// Set this to true if you use ALLOW_REMOTE_USER_AUTH or client SSL
+	// certificate authentication and you want to skip the login form. 
+	// If set to true, users won't be able to set application language 
+	// and settings profile.
+	// Otherwise users will be redirected to login form with their login
+	// information pre-filled.
 
 	define('LOCK_DIRECTORY', 'lock');
 	// Directory for lockfiles, must be writable to the user you run
diff --git a/functions.php b/functions.php
index dc162d7a..974e2b9a 100644
--- a/functions.php
+++ b/functions.php
@@ -1784,18 +1784,17 @@
 		return "";
 	}
 
-	function get_remote_user() {
-		$remote_user = "";
+	function get_remote_user($link) {
 
 		if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH) {
-			$remote_user = $_SERVER["REMOTE_USER"];
+			return db_escape_string($_SERVER["REMOTE_USER"]);
 		}
 
-		return db_escape_string($remote_user);
+		return db_escape_string(get_login_by_ssl_certificate($link));
 	}
 
-	function get_remote_fakepass() {
-		if (get_remote_user())
+	function get_remote_fakepass($link) {
+		if (get_remote_user($link))
 			return "******";
 		else
 			return "";
@@ -1809,10 +1808,7 @@
 			$pwd_hash2 = encrypt_password($password, $login);
 			$login = db_escape_string($login);
 
-			$remote_user = get_remote_user();
-
-			if (!$remote_user)
-				$remote_user = get_login_by_ssl_certificate($link);
+			$remote_user = get_remote_user($link);
 
 			if ($remote_user && $login != "admin") {
 
@@ -2006,13 +2002,9 @@
 			}
 
 			if (!$_SESSION["uid"] || !validate_session($link)) {
-				$cert_login = get_login_by_ssl_certificate($link);
 
-				if ($cert_login) {
-				    authenticate_user($link, $cert_login, null);
-				    $_SESSION["ref_schema_version"] = get_schema_version($link, true);
-				} else if (get_remote_user() && AUTO_LOGIN) {
-				    authenticate_user($link, get_remote_user(), null);
+				if (get_remote_user($link) && AUTO_LOGIN) {
+				    authenticate_user($link, get_remote_user($link), null);
 				    $_SESSION["ref_schema_version"] = get_schema_version($link, true);
 				} else {
 				    render_login_form($link, $mobile);
diff --git a/login_form.php b/login_form.php
index 1dbc0054..5810c5ce 100644
--- a/login_form.php
+++ b/login_form.php
@@ -131,11 +131,11 @@ function validateLoginForm(f) {
 			<tr><td align="right"><?php echo __("Login:") ?></td>
 			<td align="right"><input name="login"
 				onchange="fetchProfiles()" onfocus="fetchProfiles()"
-				value="<?php echo get_remote_user() ?>"></td></tr>
+				value="<?php echo get_remote_user($link) ?>"></td></tr>
 			<tr><td align="right"><?php echo __("Password:") ?></td>
 			<td align="right"><input type="password" name="password"
 				onchange="fetchProfiles()" onfocus="fetchProfiles()"
-				value="<?php echo get_remote_fakepass() ?>"></td></tr>
+				value="<?php echo get_remote_fakepass($link) ?>"></td></tr>
 			<tr><td align="right"><?php echo __("Language:") ?></td>
 			<td align="right">
 			<?php