From 6d1e858aa4cf5c35e0396f23144caea68797f42d Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Fri, 7 Oct 2016 16:49:57 +0200
Subject: [PATCH] Fix logClientIn for non-existing users (#26292)
The check for two factor enforcement would return true for non-existing users. This fix makes it return false in order to be able to perform the regular login which will then fail and return false. This prevents throwing PasswordLoginForbidden for non-existing users.
---
 lib/private/User/Session.php | 3 +++
 tests/lib/User/SessionTest.php | 26 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 4b56609ccf..a213ee48c2 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -362,6 +362,9 @@ class Session implements IUserSession, Emitter {
 $user = $this->manager->get($username);
 if (is_null($user)) {
 $users = $this->manager->getByEmail($username);
+ if (empty($users)) {
+ return false;
+ }
 if (count($users) !== 1) {
 return true;
 }
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index 21ac1b655b..614ed3d015 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
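Review bot: The added `if (empty($users)) { return false; }` in the e-mail fallback branch carries no comment saying why an unknown user makes the enforcement check answer "not enforced"; on its own it reads as fail-open, and a later cleanup could flip it back to `true` without realising that logClientIn then falls through to the regular login, which rejects the unknown name. Suggest `// Unknown user (no account and no e-mail match): report 2FA as not enforced so logClientIn falls through to the regular login, which fails for this name` directly above the guard. Because the check precedes `count($users) !== 1`, a lookup that yields more than one account still reports enforcement as before. The enclosing method starts and ends outside the hunk.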
@@ -401,6 +401,32 @@ class SessionTest extends \Test\TestCase {
 $userSession->logClientIn('john', 'doe', $request, $this->throttler);
 }
+ public function testLogClientInUnexist() {
+ $manager = $this->getMockBuilder('\OC\User\Manager')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $session = $this->createMock('\OCP\ISession');
+ $request = $this->createMock('\OCP\IRequest');
+ $user = $this->createMock('\OCP\IUser');
+
+ /** @var \OC\User\Session $userSession */
+ $userSession = $this->getMockBuilder('\OC\User\Session')
+ ->setConstructorArgs([$manager, $session, $this->timeFactory, $this->tokenProvider, $this->config])
+ ->setMethods(['login', 'supportsCookies', 'createSessionToken', 'getUser'])
+ ->getMock();
+
+ $this->tokenProvider->expects($this->once())
+ ->method('getToken')
+ ->with('doe')
+ ->will($this->throwException(new \OC\Authentication\Exceptions\InvalidTokenException()));
+ $this->config->expects($this->once())
+ ->method('getSystemValue')
+ ->with('token_auth_enforced', false)
+ ->will($this->returnValue(false));
+
+ $this->assertFalse($userSession->logClientIn('unexist', 'doe', $request));
+ }
+
 public function testLogClientInWithTokenPassword() {
 $manager = $this->getMockBuilder('\OC\User\Manager')
 ->disableOriginalConstructor()
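Review bot: `$user = $this->createMock('\OCP\IUser');` in testLogClientInUnexist is assigned and never used; drop it. The test also leaves the Manager mock's `get('unexist')` and `getByEmail('unexist')` results to the mock defaults instead of stating them, so the empty-result branch the commit adds is exercised only implicitly; adding `$manager->expects($this->once())->method('getByEmail')->with('unexist')->will($this->returnValue([]));` together with a matching `get` expectation returning null pins that path and fails loudly if the lookup order changes. Whether the default return here is null or an empty array cannot be confirmed from the hunk, which is a further reason to make it explicit.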