[mapguide-trac] #821: server admin PHP pages can be brought up without logging in

MapGuide Open Source trac_mapguide at osgeo.org
Wed Jan 14 19:18:36 EST 2009


#821: server admin PHP pages can be brought up without logging in
----------------------+-----------------------------------------------------
 Reporter:  tonyfang  |         Owner:  tonyfang
     Type:  defect    |        Status:  closed  
 Priority:  medium    |     Milestone:  2.1     
Component:  General   |       Version:  2.0.1   
 Severity:  major     |    Resolution:  fixed   
 Keywords:            |   External_id:  1184740 
----------------------+-----------------------------------------------------
Changes (by tonyfang):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 http://trac.osgeo.org/mapguide/changeset/3454

 Fix #821: server admin PHP pages can be brought up without logging in

 The following server admin php pages can be accessed without logging in:
 * addserver.php
 * wmsproperties.php
 * wfsproperties.php
 * about.php

 When one of the server admin php pages is accessed, it calls
 LoadSessionVars to initialize some variables. When the user has not logged
 in correctly yet, $webConfigFile does not exist (on the very first load),
 or $webConfigFile is empty (on all subsequent loads). LoadSessionVars
 would simply return -- and the php would continue to load.

 Most of the server admin php pages contained one of the following calls:
 * $siteServerAddress = $site->GetCurrentSiteAddress();
 * $groups = GetGroups();
 * $users = GetUsers();

 If the user has not logged on, and one of these calls was accessed, a
 fatal error would result -- and thus the php page would not load.

 To correct this, in sessionvars.php LoadSessionVars(), when the
 $webConfigFile does not exist or is empty, we will throw an
 AuthenticationFailedException. In the catch section, we will try to catch
 the AuthenticationFailedException. If we do, we will call
 LogoutWithAuthenticationFailedException. Also we will try to catch
 Exception afterwards (rather than just MgException) so we can catch all
 exceptions.

 The final changes are to resizablepagecomponents.php.

 In LogoutWithFatalException, I added a check for a null $site before
 calling $site->Close(). When the user has not logged in, then $site is
 still null, and a fatal error results when we try to call Close on a null
 $site.

 I also added the function LogoutWithAuthenticationFailedException. It's
 the same as LogoutWithFatalException -- except it displays the
 Authentication Failed message.

 So now, when a user tries to access any of the pages (without logging in
 first), it punts you to the login.php screen -- and there's a message that
 says: "Authentication failed. Please enter a valid username and password."

-- 
Ticket URL: <http://trac.osgeo.org/mapguide/ticket/821#comment:1>
MapGuide Open Source <http://mapguide.osgeo.org/>
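The control flow the ticket describes (LoadSessionVars failing closed, the admin page catching AuthenticationFailedException before the generic Exception, and the null guard on $site before Close()) as a stand-alone PHP sketch. This is an added example written for this page, not code from the MapGuide sources or the changeset above: the Site class, the bodies of every function, the use of $_SESSION['webConfigFile'] as the source of $webConfigFile, and the return-array convention are all assumptions made so the example runs by itself.

```php
<?php
// Illustrative reconstruction of the fix described in ticket #821; NOT the
// MapGuide code. Names follow the ticket's wording, but every body here is
// an assumption made so the file runs stand-alone on the PHP CLI.

class AuthenticationFailedException extends Exception {}

// Stand-in for the site connection object the admin pages keep in $site.
class Site {
    public $closed = false;
    public function Close() { $this->closed = true; }
}

// Before the fix this returned silently when $webConfigFile was missing or
// empty, so the page kept executing as if a session existed. After the fix
// it throws, so every caller fails closed instead of failing open.
function LoadSessionVars(&$site) {
    // Assumption: the session stores the config file path under this key.
    $webConfigFile = isset($_SESSION['webConfigFile']) ? $_SESSION['webConfigFile'] : null;
    if ($webConfigFile === null || $webConfigFile === '') {
        throw new AuthenticationFailedException('No authenticated admin session');
    }
    $site = new Site(); // the real code would connect to the site server here
}

// Mirrors the null guard added to LogoutWithFatalException: a user who never
// logged in has no $site, and calling Close() on null is itself a fatal error.
function LogoutWithFatalException($site, Exception $e) {
    if ($site !== null) {
        $site->Close();
    }
    return array('redirect' => 'login.php',
                 'message'  => 'Fatal error: ' . $e->getMessage());
}

// Same shape as LogoutWithFatalException, but with the authentication message
// quoted in the ticket.
function LogoutWithAuthenticationFailedException($site) {
    if ($site !== null) {
        $site->Close();
    }
    return array('redirect' => 'login.php',
                 'message'  => 'Authentication failed. Please enter a valid username and password.');
}

// Skeleton of an admin page such as addserver.php after the fix.
function AdminPage() {
    $site = null;
    try {
        LoadSessionVars($site);
        // ... page body would use $site->GetCurrentSiteAddress(), GetGroups(), ...
        return array('redirect' => null, 'message' => 'page rendered');
    } catch (AuthenticationFailedException $e) {
        // Most specific catch first: an unauthenticated request goes to login.php.
        return LogoutWithAuthenticationFailedException($site);
    } catch (Exception $e) {
        // Catching Exception, not only MgException, leaves nothing uncaught.
        return LogoutWithFatalException($site, $e);
    }
}

// Constructed scenarios: no session at all, an empty value, then a real path.
$_SESSION = array();
$r = AdminPage();
echo "no session  -> redirect=" . var_export($r['redirect'], true) . "; " . $r['message'] . "\n";

$_SESSION['webConfigFile'] = '';
$r = AdminPage();
echo "empty value -> redirect=" . var_export($r['redirect'], true) . "; " . $r['message'] . "\n";

$_SESSION['webConfigFile'] = '/constructed/path/webconfig.ini';
$r = AdminPage();
echo "logged in   -> redirect=" . var_export($r['redirect'], true) . "; " . $r['message'] . "\n";
```

The order of the catch blocks matters: because AuthenticationFailedException extends Exception, swapping them would route every unauthenticated request through the generic fatal-error path and lose the login-specific message, while still redirecting. The null check in both logout functions is what turns "page dies with a fatal error" into a clean redirect to login.php.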