From f93528ffab19b7a733fc8fb21c22853d8ec0d2f5 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sun, 7 Feb 2010 15:37:32 -0800
Subject: Last partial fix for ticket 585: Compartmentalize the admin area and
 require active authentication every 20 minutes to access the admin area.

Also renaming auth::validate_too_many_failed_password_changes to validate_too_many_failed_auth_attempts since it's used in this generalized way in 3 places now.
---
 modules/gallery/controllers/reauthenticate.php | 72 ++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 modules/gallery/controllers/reauthenticate.php

(limited to 'modules/gallery/controllers/reauthenticate.php')

diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php
new file mode 100644
index 00000000..4b88a9cc
--- /dev/null
+++ b/modules/gallery/controllers/reauthenticate.php
@@ -0,0 +1,72 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Reauthenticate_Controller extends Controller {
+  public function index($share_translations_form=null) {
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
+    return self::_show_form(self::_form());
+  }
+
+  public function auth() {
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
+    access::verify_csrf();
+
+    $form = self::_form();
+    $valid = $form->validate();
+    $user = identity::active_user();
+    if ($valid) {
+      message::success(t("Successfully re-authenticated!"));
+      module::event("user_auth", $user);
+      url::redirect("admin");
+    } else {
+      $name = $user->name;
+      log::warning("user", t("Failed re-authentication for %name", array("name" => $name)));
+      module::event("user_auth_failed", $name);
+      return self::_show_form($form);
+    }
+  }
+
+  private static function _show_form($form) {
+    $view = new Theme_View("page.html", "other", "reauthenticate");
+    $view->page_title = t("Re-authenticate");
+    $view->content = new View("reauthenticate.html");
+    $view->content->form = $form;
+    $view->content->user_name = identity::active_user()->name;
+    print $view;
+  }
+
+  private static function _form() {
+    $form = new Forge("reauthenticate/auth", "", "post", array("id" => "g-reauthenticate-form"));
+    $form->set_attr('class', "g-narrow");
+    $group = $form->group("reauthenticate")->label(t("Re-authenticate"));
+    $group->password("password")->label(t("Password"))->id("g-password")->class(null)
+      ->callback("auth::validate_too_many_failed_auth_attempts")
+      ->callback("user::valid_password")
+      ->error_messages("invalid", t("Incorrect password"))
+      ->error_messages(
+        "too_many_failed_auth_attempts",
+        t("Too many incorrect passwords.  Try again later"));
+    $group->submit("")->value(t("Submit"));
+    return $form;
+  }
+}
-- 
cgit v1.2.3


From f9d00aa7429599f46e09b23e8313932ac5e186c3 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Mon, 8 Feb 2010 00:30:36 -0800
Subject: Fix for ticket 1008: Redirect to destination after re-auth.

---
 modules/gallery/controllers/admin.php          | 12 +++++++++++-
 modules/gallery/controllers/reauthenticate.php |  3 ++-
 2 files changed, 13 insertions(+), 2 deletions(-)

(limited to 'modules/gallery/controllers/reauthenticate.php')

diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php
index b5f3db39..5467e88a 100644
--- a/modules/gallery/controllers/admin.php
+++ b/modules/gallery/controllers/admin.php
@@ -30,7 +30,7 @@ class Admin_Controller extends Controller {
 
   public function __call($controller_name, $args) {
     if (auth::must_reauth_for_admin_area()) {
-      return url::redirect("reauthenticate");
+      return self::_prompt_for_reauth($controller_name, $args);
     }
 
     if (request::method() == "post") {
@@ -53,5 +53,15 @@ class Admin_Controller extends Controller {
 
     call_user_func_array(array(new $controller_name, $method), $args);
   }
+
+  private static function _prompt_for_reauth($controller_name, $args) {
+    if (request::method() == "get" && !request::is_ajax()) {
+      $url_args = array("admin", $controller_name) + $args;
+      $continue_url = join("/", $url_args);
+      // Avoid anti-phishing protection by passing the url as session variable.
+      Session::instance()->set("continue_url", $continue_url);
+    }
+    url::redirect("reauthenticate");
+  }
 }
 
diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php
index 4b88a9cc..dbd1cd21 100644
--- a/modules/gallery/controllers/reauthenticate.php
+++ b/modules/gallery/controllers/reauthenticate.php
@@ -37,7 +37,8 @@ class Reauthenticate_Controller extends Controller {
     if ($valid) {
       message::success(t("Successfully re-authenticated!"));
       module::event("user_auth", $user);
-      url::redirect("admin");
+      $continue_url = Session::instance()->get_once("continue_url", "admin");
+      url::redirect($continue_url);
     } else {
       $name = $user->name;
       log::warning("user", t("Failed re-authentication for %name", array("name" => $name)));
-- 
cgit v1.2.3