Hi,
We wanted to merge the gallery3 login script with our htaccess login so the user doesn't have to log in twice. That worked well for the user accounts, but when I tried to log in as admin it told me to reauthenticate because my administration session had expired.
Thanks to the SSO plugin that did not work, so I decided to rewrite the reauthentication procedure.
I added the following lines to create the session manually:
Quote:
file: /modules/gallery/controllers/reauthenticate.php
in function: _show_form($form)
I added the following lines:
auth::login(IdentityProvider::instance()->admin_user());
header("location: index.php/admin");
That's not the best solution, but it works for now. If anyone has a better and safer idea, please let me know.
Regards,
Karim
Posts: 25968
I'm no security expert..
Doesn't that make whoever is logged in the admin_user?
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 6
Yeah, that pretty much describes our problem. It's a big security hole they should fix. Sure, we could add an if-statement to check whether the user is an administrator, but that's not secure at all.
Is there anyone who could fix the admin-bug in the SSO-plugin?
Karim
Posts: 25968
No docs for the module and only 2 files:
https://github.com/gallery/gallery3-contrib/tree/master/3.0/modules/sso
so I guess you're on your own.
Dave
Posts: 6
Damn. Are there any alternative htaccess authentication options, or do we have to live with that insecure solution?
Karim
Posts: 613
I would be willing to guess you could add these lines into sso_event.php, wrapped in an if-admin check.
untested, but you could try:
right after the
try {

if ($sso_username == "admin") {
  auth::login(IdentityProvider::instance()->admin_user());
  header("location: index.php/admin");
}
Posts: 6
Yeah, but that's hard-coded, so it only treats the user "admin" as admin. I want to give admin permissions to all users from the admin group defined in the gallery.
Posts: 613
ah, I see... let me think about that for a moment then. Should be simple enough if the code I shared above worked... can you confirm that?
Posts: 613
okay, after the:
try { identity::set_active_user(identity::lookup_user_by_name($sso_username));
add the following instead of what I previously suggested in the post above:
if (identity::active_user()->admin) {
  auth::login(IdentityProvider::instance()->admin_user());
  header("location: index.php/admin");
}
Posts: 6
Yeah, that works, but it somehow still messes up the permissions. It denies all actions I want to do, like uploading images or creating a new gallery. When I manually set the permissions to true, it creates new pictures and galleries, but the user is always "Guest User".
Posts: 613
I'm guessing the session is not being set for the admin user as it would be through the authentication mechanism. I'm not sure how to proceed unfortunately.
Posts: 6
Looks like it doesn't set a user session at all. I tried to set it manually on login, but that did not work.
Posts: 225
Maybe try
Session::instance()->regenerate();
right after the auth::login, but before the header. I would also recommend switching to:
url::redirect("index.php/admin")
EDIT: Ok, I think this should get the code displaying correctly...
----
Publish on Gallery 3 (WLPG Plugin) | XMP Module
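The handler below is an added example, not code from the gallery3-contrib SSO module or from any poster in this thread. It pulls together the steps the thread arrives at (look the htaccess user up in Gallery, check the admin flag, call auth::login, regenerate the session, redirect with url::redirect) and adds the checks a practitioner would want: the username is taken only from the web server's authentication variables, an unknown user falls back to guest, the session is established as the looked-up user rather than as IdentityProvider::admin_user(), and a guard prevents the login-plus-redirect from running on every request. The class and event names (sso_event, gallery_ready), the use of $_SERVER["REMOTE_USER"] / $_SERVER["PHP_AUTH_USER"], and the assumption that identity::lookup_user_by_name() returns null for an unknown name and that auth::login() marks the session as an admin session when the user record's admin flag is set are all assumptions about Gallery 3 and the contrib module, not facts taken from the thread.

```php
<?php defined("SYSPATH") or die("No direct script access.");
/*
 * Added example (not the gallery3-contrib SSO module's own code).
 * Hypothetical event handler in the shape the thread discusses: the web
 * server (htaccess auth) has already authenticated the visitor and
 * exposes the name in $_SERVER; Gallery only maps it to a local user.
 *
 * Assumed (not verified against the module): class name sso_event_Core,
 * event name gallery_ready, and that identity::lookup_user_by_name(),
 * identity::active_user(), identity::guest(), identity::set_active_user(),
 * auth::login(), Session::instance()->regenerate() and url::redirect()
 * behave as in Gallery 3 core.
 */
class sso_event_Core {
  static function gallery_ready() {
    $sso_username = self::server_authenticated_name();
    if ($sso_username === null) {
      return;  // no htaccess login on this request: stay guest
    }
    self::establish_session($sso_username);
  }

  // Only trust a name the web server set after its own authentication.
  // Never take it from a GET/POST parameter or a cookie: that would let
  // any visitor choose which account (including an admin) to become.
  static function server_authenticated_name() {
    foreach (array("REMOTE_USER", "PHP_AUTH_USER") as $key) {
      if (!empty($_SERVER[$key])) {
        return $_SERVER[$key];
      }
    }
    return null;
  }

  static function establish_session($sso_username) {
    // Assumption: returns null when no Gallery user has this name.
    $user = identity::lookup_user_by_name($sso_username);
    if (!$user) {
      // Unknown to Gallery: be a guest, do not grant anything.
      identity::set_active_user(identity::guest());
      return;
    }

    // This hook runs on every request. Only (re)establish the session
    // when it does not already belong to this user; an unconditional
    // login + redirect below would otherwise loop forever.
    $active = identity::active_user();
    if ($active && $active->id == $user->id) {
      return;
    }

    // Log in as the looked-up user. Whether this becomes an admin
    // session is decided by the user record's admin flag (membership of
    // the admin group configured in Gallery), not by a hard-coded name
    // and not by logging everyone into IdentityProvider::admin_user().
    auth::login($user);

    // New privilege level, new session id (session fixation defence).
    Session::instance()->regenerate();

    if ($user->admin) {
      // url::redirect() sends the Location header and stops the request;
      // a bare header() call would let the rest of the page keep running.
      url::redirect("index.php/admin");
    }
  }
}
```

The difference from the snippets in the thread is that the session is created for the actual user object returned by the lookup, so the item owner and permission checks see that user rather than "Guest User" or a generic admin account; the admin flag on that record is what turns it into an admin session. The redirect guard is the caveat to test first: without it, every request for an admin would bounce back to index.php/admin.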