From 6f2e8788ca7cc8edb677b8596f39c90c3f13be77 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 16 Oct 2012 01:02:03 +0200
Subject: [PATCH] Make enhanced auth time configurable

---
 config/config.sample.php | 3 +++
 lib/json.php             | 3 +--
 lib/setup.php            | 3 +++
 lib/util.php             | 7 +++----
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/config/config.sample.php b/config/config.sample.php
index 09eb6053c2..762633c783 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -30,6 +30,9 @@ $CONFIG = array(
 /* Force use of HTTPS connection (true = use HTTPS) */
 "forcessl" => false,
 
+/* Time in seconds how long an user is authenticated without entering his password again before performing sensitive actions like creating or deleting users etc...*/
+"enhancedauthtime" => 15 * 60,
+
 /* Theme to use for ownCloud */
 "theme" => "",
 
diff --git a/lib/json.php b/lib/json.php
index 3e55f61843..b828f35f34 100644
--- a/lib/json.php
+++ b/lib/json.php
@@ -80,10 +80,9 @@ class OC_JSON{
 	}
 
 	/**
-	* Check if the user verified the login with his password in the last 15 minutes
+	* Check if the user verified the login with his password
 	*/
 	public static function verifyUser() {
-		// Check if the user verified his password in the last 15 minutes
 		if(!isset($_SESSION['verifiedLogin']) OR $_SESSION['verifiedLogin'] < time()) {
 			$l = OC_L10N::get('lib');
 			self::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
diff --git a/lib/setup.php b/lib/setup.php
index 716b0ef063..2ac91482e5 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -391,6 +391,9 @@ class OC_Setup {
 					self::createHtaccess();
 				}
 
+				// Set the admin auth time
+				OC_Config::setValue('enhancedauthtime', 15 * 60);
+
 				//and we are done
 				OC_Config::setValue('installed', true);
 			}
diff --git a/lib/util.php b/lib/util.php
index ba2a02922a..58d784057a 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -394,11 +394,11 @@ class OC_Util {
 		// Check password to set session
 		if(isset($_POST['password'])) {
 			if (OC_User::login(OC_User::getUser(), $_POST["password"] ) === true) {
-				$_SESSION['verifiedLogin']=time() + (15 * 60);
+				$_SESSION['verifiedLogin']=time() + OC_Config::getValue('enhancedauthtime');
 			}
 		}
 
-		// Check if the user verified his password in the last 15 minutes
+		// Check if the user verified his password
 		if(!isset($_SESSION['verifiedLogin']) OR $_SESSION['verifiedLogin'] < time()) {
 			OC_Template::printGuestPage("", "verify",  array('username' => OC_User::getUser()));
 			exit();
@@ -406,11 +406,10 @@ class OC_Util {
 	}
 
 	/**
-	* Check if the user verified the login with his password in the last 15 minutes
+	* Check if the user verified the login with his password
 	* @return bool
 	*/
 	public static function isUserVerified() {
-		// Check if the user verified his password in the last 15 minutes
 		if(!isset($_SESSION['verifiedLogin']) OR $_SESSION['verifiedLogin'] < time()) {
 			return false;
 		}