CSRF protection for subscription/unsubscription
index 400957e05b1c5fa2185f06ddb8f70775a4a2e37c..aa25a0cec5fb3a179524100c5a0af15dd25290a2 100644 (file)
@@ -21,6 +21,10 @@ if (!defined('LACONICA')) { exit(1); }
 
 class LoginAction extends Action {
 
+       function is_readonly() {
+               return true;
+       }
+
        function handle($args) {
                parent::handle($args);
                if (common_is_real_login()) {
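Review bot: The added `is_readonly()` returns true unconditionally, yet this same action's check_login() path calls common_set_user() and, when the rememberme box is ticked, common_rememberme($user) (visible in a later hunk), which presumably persists a remember-me token; if the framework consults is_readonly() to pick a read-only database handle or to admit the action during read-only mode, that POST would fail or have its write dropped. The method also carries no comment saying what the flag is used for, so a reader cannot tell whether it is meant to cover only the GET that renders the form. Suggest documenting the assumption until it is confirmed: `# XXX: check_login() writes session/rememberme state; confirm is_readonly() only governs rendering the form`. The enclosing class LoginAction continues past this hunk.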
@@ -31,7 +35,7 @@ class LoginAction extends Action {
                        $this->show_form();
                }
        }
-       
+
        function check_login() {
                # XXX: form token in $_SESSION to prevent XSS
                # XXX: login throttle
@@ -40,7 +44,7 @@ class LoginAction extends Action {
                if (common_check_user($nickname, $password)) {
                        # success!
                        if (!common_set_user($nickname)) {
-                               common_server_error(_t('Error setting user.'));
+                               common_server_error(_('Error setting user.'));
                                return;
                        }
                        common_real_login(true);
@@ -60,11 +64,18 @@ class LoginAction extends Action {
                        }
                        common_redirect($url);
                } else {
-                       $this->show_form(_t('Incorrect username or password.'));
+                       $this->show_form(_('Incorrect username or password.'));
+                       return;
+               }
+
+               # success!
+               if (!common_set_user($user)) {
+                       common_server_error(_('Error setting user.'));
+                       return;
                }
-               
+
                common_real_login(true);
-               
+
                if ($this->boolean('rememberme')) {
                        common_debug('Adding rememberme cookie for ' . $nickname);
                        common_rememberme($user);
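Review bot: The success block added at L43–L47 calls `common_set_user($user)` and falls through to `common_real_login(true)` and the rememberme branch, but the context kept in the previous hunk (new lines 44–50) already performs `common_set_user($nickname)` followed by `common_real_login(true)` inside the `common_check_user()` branch; unless the lines between the two hunks (new 51–63, not shown here) open a separate authentication branch that returns, a single request can now set the user and mark the login as real twice. The two calls also disagree on the argument (`$nickname` in the earlier hunk, `$user` here), and `$user` is not assigned anywhere visible in this diff, so confirm it is populated on every path that reaches the new block or the `if (!common_set_user($user))` guard will reject a valid login. The enclosing check_login() starts before this hunk and ends after it.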
@@ -102,10 +113,21 @@ class LoginAction extends Action {
        }
 
        function get_instructions() {
-               return _t('Login with your username and password. ' .
-                                 'Don\'t have a username yet? ' .
-                                 '[Register](%%action.register%%) a new account, or ' .
-                                 'try [OpenID](%%action.openidlogin%%). ');
+               if (common_logged_in() &&
+                       !common_is_real_login() &&
+                       common_get_returnto())
+               {
+                       # rememberme logins have to reauthenticate before
+                       # changing any profile settings (cookie-stealing protection)
+                       return _('For security reasons, please re-enter your ' .
+                                        'user name and password ' .
+                                        'before changing your settings.');
+               } else {
+                       return _('Login with your username and password. ' .
+                                        'Don\'t have a username yet? ' .
+                                        '[Register](%%action.register%%) a new account, or ' .
+                                        'try [OpenID](%%action.openidlogin%%). ');
+               }
        }
 
        function show_top($error=NULL) {
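Review bot: The `else` after the `return` in get_instructions() is redundant and the opening brace of the new `if` sits on its own line while the rest of the file keeps it on the condition line; an early return keeps the re-authentication case distinct: `if (common_logged_in() && !common_is_real_login() && common_get_returnto()) {` / `return _('For security reasons, please re-enter your ' . 'user name and password ' . 'before changing your settings.');` / `}` with the generic instructions returned unconditionally afterwards. The re-authentication prompt is also gated on `common_get_returnto()`, so a remembered (non-real) login that lands on the form without a return-to URL sees the generic text; worth stating that explicitly next to the existing cookie-stealing comment, e.g. `# only shown when a protected page bounced us here with a returnto`. get_instructions() lies entirely within this hunk.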
@@ -120,4 +142,3 @@ class LoginAction extends Action {
                }
        }
 }
-#
\ No newline at end of file