web: Added token authentication to form.

Adds token authentication to user_agreetotermsofuse_action, in order to prevent unauthorized use.
This commit is contained in:
Shawn Kwang 2018-12-04 11:56:49 -06:00
parent 8901d49c16
commit cb3683515d
3 changed files with 24 additions and 0 deletions


@ -72,6 +72,8 @@ function intercept_login($user, $perm, $in_next_url = "") {
$config = get_config();
if ( parse_bool($config, "enable_login_mustagree_termsofuse") and $checkct and check_termsofuse() and (!check_user_consent($user, CONSENT_TYPE_ENROLL))) {
// sent user to terms-of-use Web form after login
$mytoken = create_token($user->id, TOKEN_TYPE_LOGIN_INTERCEPT, TOKEN_DURATION_TWO_HOURS);
send_cookie('logintoken', $mytoken, false);
send_cookie('tempuserid', $user->id, false);
send_cookie('tempperm', $perm, false);
$save_url = $in_next_url;


@ -22,8 +22,10 @@ require_once("../inc/util.inc");
// Constants for valid token types
define("TOKEN_TYPE_DELETE_ACCOUNT", "D");
define("TOKEN_TYPE_CHANGE_EMAIL", "E");
define("TOKEN_TYPE_LOGIN_INTERCEPT", "L");
// Constants for token durations
define("TOKEN_DURATION_TWO_HOURS", 7200);
define("TOKEN_DURATION_ONE_DAY", 86400);
define("TOKEN_DURATION_ONE_WEEK", 604800);


@ -24,6 +24,10 @@ require_once("../inc/util.inc");
require_once("../inc/user.inc");
require_once("../inc/consent.inc");
if (empty($_POST)) {
error_page(tra("Website error when attempting to agree to terms of use. Please contact the site administrators."));
}
// Get the next url from POST
$next_url = post_str("next_url", true);
$next_url = urldecode($next_url);
@ -39,6 +43,11 @@ if (!$agree) {
}
// Obtain data from cookies
if (isset($_COOKIE['logintoken'])) {
$logintoken = $_COOKIE['logintoken'];
} else {
error_page(tra("Website error when attempting to agree to terms of use."));
}
if (isset($_COOKIE['tempuserid'])) {
$userid = $_COOKIE['tempuserid'];
}
@ -51,6 +60,16 @@ if (isset($_COOKIE['tempperm'])) {
else {
error_page(tra("Website error when attempting to agree to terms of use. Please contact the site administrators."));
}
// Verify login token to authenticate the account.
// Delete the token immediately afterwards to prevent any abuse or
// misuse of the token.
if (!is_valid_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT)) {
delete_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT);
error_page(tra("Authentication error attempting to agree to terms of use."));
}
delete_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT);
$user = BoincUser::lookup_id_nocache($userid);
$authenticator = $user->authenticator;
@ -68,6 +87,7 @@ if ($checkct) {
// Log-in user
send_cookie('auth', $authenticator, $perm);
clear_cookie('logintoken');
clear_cookie('tempuserid');
clear_cookie('tempperm');
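Review bot: The token checked by `is_valid_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT)` arrives only in the `logintoken` cookie (set in the intercept_login hunk, read from `$_COOKIE` earlier in this section), so it ties the request to the browser that went through intercept_login rather than to this particular form submission; cookies are attached by the browser, so this check alone does not establish that the POST originated from the terms-of-use form. If that is the guarantee the commit message's "prevent unauthorized use" is meant to cover, the token (or a separate nonce) should also be emitted as a hidden field by the form and compared against the cookie value with `hash_equals()` before this check; if the guarantee is only that the user recently completed the login step, the comment above the check should say so, e.g. `// The token only proves this browser passed intercept_login within TOKEN_DURATION_TWO_HOURS; it is not a CSRF check.` Separately, the failure branch deletes the token and calls error_page but leaves `logintoken`, `tempuserid` and `tempperm` set, unlike the success path at the end of this section; clearing them before `error_page(...)` (`clear_cookie('logintoken'); clear_cookie('tempuserid'); clear_cookie('tempperm');`) avoids a stale cookie being re-submitted against an already-deleted token. The code of this file continues outside the last hunk.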