From be3a44651c47a27907e682a8e4c9e5dd9352a1f6 Mon Sep 17 00:00:00 2001
From: Evan Prodromou
Date: Mon, 23 Jun 2008 22:52:34 -0400
Subject: implement rememberme functionality
Added a checkbox on login or register to remember the current user. If the login is successful, this sets a cookie with a random code (saved in the DB). If they come back, and they aren't logged in "normally", we check to see if they have a rememberme cookie. If so, we log them in. However, they can't change settings -- cookie theft is too prevalent. So we mark a session as having a "real" (password or OpenID) login, or not. In settings pages, we check to see if the login is "real", and if not, we redirect to the login page.
darcs-hash:20080624025234-34904-ad20001bf35bf41fcb63a0c357fd929aacc55fdb.gz
---
 lib/settingsaction.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'lib/settingsaction.php')
diff --git a/lib/settingsaction.php b/lib/settingsaction.php
index fad6abaf1..2a80c0e31 100644
--- a/lib/settingsaction.php
+++ b/lib/settingsaction.php
@@ -26,6 +26,12 @@ class SettingsAction extends Action {
 if (!common_logged_in()) {
 common_user_error(_t('Not logged in.'));
 return;
+ } else if (!common_is_real_login()) {
+ # Cookie theft means that automatic logins can't
+ # change important settings or see private info, and
+ # _all_ our settings are important
+ common_set_returnto($this->self_url());
+ common_redirect(common_local_url('login'));
 } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 $this->handle_post();
 } else {
@@ -52,8 +58,8 @@ class SettingsAction extends Action {
 function settings_menu() {
 # action => array('prompt', 'title')
 static $menu =
- array('profilesettings' =>
- array('Profile',
+ array('profilesettings' =>
+ array('Profile',
 'Change your profile settings'),
 'avatar' =>
 array('Avatar',
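Review bot: The new `else if (!common_is_real_login())` branch ends with `common_redirect(common_local_url('login'));` but, unlike the `Not logged in.` branch directly above it, has no `return;`; if common_redirect() does not terminate the script itself, control continues past the if/else chain into the rest of handle(), whose end lies outside this hunk. Adding `return;` after the redirect keeps the two deny paths symmetric and stops the guard from depending on the redirect helper's exit behaviour. Note also that for a POST arriving from a cookie-only session the returnto is presumably the page's own URL, so the submitted form is dropped without feedback once the user re-authenticates — acceptable for a settings page, but worth stating in the existing comment, e.g. `# a POST from a remembered session is discarded; the user must re-authenticate first`.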
@@ -62,12 +68,12 @@ class SettingsAction extends Action {
 array('Password',
 'Change your password'),
 'openidsettings' =>
- array('OpenID',
+ array('OpenID',
 'Add or remove OpenIDs'),
 'imsettings' =>
 array('IM',
 'Updates by instant messenger (IM)'));
-
+
 $action = $this->trimmed('action');
 common_element_start('ul', array('id' => 'nav_views'));
 foreach ($menu as $menuaction => $menudesc) {
-- cgit v1.2.3-54-g00ecf