From 68434e6dbc1b87f2bacb246b463d86ebc157473f Mon Sep 17 00:00:00 2001
From: mrgoldy
Date: Tue, 2 Apr 2019 15:12:52 +0200
Subject: [ticket/16007] Show ban message for OAuth login

PHPBB3-16007
---
 phpBB/includes/functions_user.php | 4 ++--
 phpBB/phpbb/auth/provider/oauth/oauth.php | 31 ++++++++++++++++++++++++++++---
 phpBB/phpbb/session.php | 4 +++-
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 5f2dea3b94..5307623c8e 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1930,9 +1930,9 @@ function validate_user_email($email, $allowed_email = false)
 return $validate_email;
 }
- if (($ban_reason = $user->check_ban(false, false, $email, true)) !== false)
+ if (($ban = $user->check_ban(false, false, $email, true)) !== false)
 {
- return ($ban_reason === true) ? 'EMAIL_BANNED' : $ban_reason;
+ return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED';
 }
 if (!$config['allow_emailreuse'])
diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php
index 8809a0c6b4..28fa7a6be4 100644
--- a/phpBB/phpbb/auth/provider/oauth/oauth.php
+++ b/phpBB/phpbb/auth/provider/oauth/oauth.php
@@ -191,7 +191,7 @@ class oauth extends \phpbb\auth\provider\base
 return $provider->login($username, $password);
 }
- // Requst the name of the OAuth service
+ // Request the name of the OAuth service
 $service_name_original = $this->request->variable('oauth_service', '', false);
 $service_name = 'auth.provider.oauth.service.' . strtolower($service_name_original);
 if ($service_name_original === '' || !array_key_exists($service_name, $this->service_providers))
@@ -270,11 +270,36 @@ class oauth extends \phpbb\auth\provider\base
 throw new \Exception('AUTH_PROVIDER_OAUTH_ERROR_INVALID_ENTRY');
 }
+ /**
+ * Check if the user is banned.
+ * The fourth parameter, return, has to be true,
+ * otherwise the OAuth login is still called and
+ * an uncaught exception is thrown as there is no
+ * token stored in the database.
+ */
+ $ban = $this->user->check_ban($row['user_id'], $row['user_ip'], $row['user_email'], true);
+ if ($ban !== false)
+ {
+ $till_date = !empty($ban['ban_end']) ? $this->user->format_date($ban['ban_end']) : '';
+ $message = !empty($ban['ban_end']) ? 'BOARD_BAN_TIME' : 'BOARD_BAN_PERM';
+
+ $contact_link = phpbb_get_board_contact_link($this->config, $this->phpbb_root_path, $this->php_ext);
+ $message = $this->user->lang($message, $till_date, '', '');
+ $message .= !empty($ban['ban_give_reason']) ? '

' . $this->user->lang('BOARD_BAN_REASON', $ban['ban_give_reason']) : ''; + $message .= !empty($ban['ban_triggered_by']) ? '

' . $this->user->lang('BAN_TRIGGERED_BY_' . strtoupper($ban['ban_triggered_by'])) . '' : '';
+
+ return array(
+ 'status' => LOGIN_BREAK,
+ 'error_msg' => $message,
+ 'user_row' => $row,
+ );
+ }
+
 // Update token storage to store the user_id
 $storage->set_user_id($row['user_id']);
 /**
- * Event is triggered after user is successfuly logged in via OAuth.
+ * Event is triggered after user is successfully logged in via OAuth.
 *
 * @event core.auth_oauth_login_after
 * @var array row User row
@@ -707,7 +732,7 @@ class oauth extends \phpbb\auth\provider\base
 AND user_id = " . (int) $user_id;
 $this->db->sql_query($sql);
- // Clear all tokens belonging to the user on this servce
+ // Clear all tokens belonging to the user on this service
 $service_name = 'auth.provider.oauth.service.' . strtolower($link_data['oauth_service']);
 $storage = new \phpbb\auth\provider\oauth\token_storage($this->db, $this->user, $this->auth_provider_oauth_token_storage_table, $this->auth_provider_oauth_state_table);
 $storage->clearToken($service_name);
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 80934dc411..1da00ac1af 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -1234,6 +1234,8 @@ class session
 $vars = array('return', 'banned', 'ban_row', 'ban_triggered_by');
 extract($phpbb_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars)));
+ $ban_row['ban_triggered_by'] = $ban_triggered_by;
+
 if ($banned && !$return)
 {
 global $phpbb_root_path, $phpEx;
@@ -1299,7 +1301,7 @@ class session
 trigger_error($message);
 }
- return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;
+ return ($banned && $ban_row) ? $ban_row : $banned;
 }
 /**
-- 
cgit v1.2.1
From fc625387332c50bc92253a1822ad0607594af736 Mon Sep 17 00:00:00 2001
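Review bot: `check_ban()` is handed `$row['user_ip']`, which looks like the last IP stored on the user row rather than the address of the request performing the OAuth login (`$this->user->ip`), so a ban on the client's current IP is not caught by this pre-check and would still fall through to the session-creation path the docblock says throws; if the stored IP is intentional, say so in the comment, otherwise pass the live address. Separately, `$contact_link` is computed but never used: the message is built with `$this->user->lang($message, $till_date, '', '')`, leaving the contact-link placeholders blank, whereas the value was presumably meant to be passed as the link markup, e.g. `'<a href="' . $contact_link . '">', '</a>'`. The enclosing login method starts before this hunk.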
From: mrgoldy
Date: Tue, 2 Apr 2019 17:25:00 +0200
Subject: [ticket/16007] No strict comparison against "false"

PHPBB3-16007
---
 phpBB/includes/functions_user.php | 2 +-
 phpBB/phpbb/auth/provider/oauth/oauth.php | 2 +-
 phpBB/phpbb/session.php | 7 +++++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 5307623c8e..2cb50a5a34 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1932,7 +1932,7 @@ function validate_user_email($email, $allowed_email = false)
 if (($ban = $user->check_ban(false, false, $email, true)) !== false)
 {
- return !empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : 'EMAIL_BANNED';
+ return ($ban === true) ? 'EMAIL_BANNED' : (!empty($ban['ban_give_reason']) ? $ban['ban_give_reason'] : $ban);
 }
 if (!$config['allow_emailreuse'])
diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php
index 28fa7a6be4..f3dfd07ae8 100644
--- a/phpBB/phpbb/auth/provider/oauth/oauth.php
+++ b/phpBB/phpbb/auth/provider/oauth/oauth.php
@@ -278,7 +278,7 @@ class oauth extends \phpbb\auth\provider\base
 * token stored in the database.
 */
 $ban = $this->user->check_ban($row['user_id'], $row['user_ip'], $row['user_email'], true);
- if ($ban !== false)
+ if (!empty($ban))
 {
 $till_date = !empty($ban['ban_end']) ? $this->user->format_date($ban['ban_end']) : '';
 $message = !empty($ban['ban_end']) ? 'BOARD_BAN_TIME' : 'BOARD_BAN_PERM';
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 1da00ac1af..31f32af7c4 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -1234,8 +1234,6 @@ class session
 $vars = array('return', 'banned', 'ban_row', 'ban_triggered_by');
 extract($phpbb_dispatcher->trigger_event('core.session_set_custom_ban', compact($vars)));
- $ban_row['ban_triggered_by'] = $ban_triggered_by;
-
 if ($banned && !$return)
 {
 global $phpbb_root_path, $phpEx;
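Review bot: The new fall-through branch returns `$ban` itself, which after the session.php change is the whole banlist row, so a banned address whose ban has an empty `ban_give_reason` makes `validate_user_email()` return an array where every other path returns a language key or string; callers that collect this into an error list and pass it through `$user->lang()` will not get 'EMAIL_BANNED', and the row would also carry the rest of the ban record (including the admin-side reason field, if the banlist schema is as I recall) towards user-facing output. The previous commit's form already handled this case; the strict check only needs to cover the boolean: `return ($ban === true || empty($ban['ban_give_reason'])) ? 'EMAIL_BANNED' : $ban['ban_give_reason'];`. validate_user_email continues outside the hunk.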
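Review bot: `!empty($ban)` also admits the bare `true` that check_ban returns when `$banned` is set without a row (the `core.session_set_custom_ban` event can do that, and so does any path where `$ban_row` stays empty), and the body below then reads `$ban['ban_end']` and `$ban['ban_give_reason']` off a boolean; on PHP 7.4 and later that raises a notice per access, which phpBB's error handler may surface depending on debug settings. Normalise once at the top of the block so the rest of the message code only ever sees an array: `$ban = is_array($ban) ? $ban : array();`. The enclosing login method starts and ends outside the hunk.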
@@ -1301,6 +1299,11 @@ class session
 trigger_error($message);
 }
+ if (!empty($ban_row))
+ {
+ $ban_row['ban_triggered_by'] = $ban_triggered_by;
+ }
+
 return ($banned && $ban_row) ? $ban_row : $banned;
 }
-- 
cgit v1.2.1
From 562601fd9bb7ec7ba9dff9132840ed9b231a7f72 Mon Sep 17 00:00:00 2001
From: mrgoldy
Date: Tue, 2 Apr 2019 18:01:59 +0200
Subject: [ticket/16007] Correct check_ban_test to boolean

PHPBB3-16007
---
 tests/session/check_ban_test.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/session/check_ban_test.php b/tests/session/check_ban_test.php
index 04da5f08b9..16a65b0ade 100644
--- a/tests/session/check_ban_test.php
+++ b/tests/session/check_ban_test.php
@@ -72,7 +72,8 @@ class phpbb_session_check_ban_test extends phpbb_session_test_case
 {
 try
 {
- $is_banned = $this->session->check_ban($user_id, $user_ips, $user_email, $return);
+ $ban = $this->session->check_ban($user_id, $user_ips, $user_email, $return);
+ $is_banned = !empty($ban);
 }
 catch (PHPUnit_Framework_Error_Notice $e)
 {
-- 
cgit v1.2.1
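Review bot: With this return, `check_ban(..., $return = true)` now yields `false`, `true`, or the raw banlist row with `ban_triggered_by` added, instead of the reason string callers previously received, and the method's docblock (above the hunk) is not updated to say so; any caller that surfaces the result needs to know that only `ban_give_reason` is meant for users and that the rest of the row is internal record data. I would document it as `@return bool|array false when not banned, true when banned with no ban row, otherwise the banlist row plus 'ban_triggered_by'` and name `ban_give_reason` as the only user-visible key. The enclosing method starts outside the hunk.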
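Review bot: Reducing the result to `$is_banned = !empty($ban)` keeps the truthiness expectations but no longer asserts anything about the returned value, so a regression back to a string return, or a row without `ban_triggered_by`, would still pass; for the banned cases add at least `$this->assertTrue($ban === true || (is_array($ban) && isset($ban['ban_triggered_by'])));` after the call, inside the try. The test method and its data provider start and end outside the hunk.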