Untitled

a guest
Feb 15th, 2016
  1. <?php
  2. /**
  3. * Magento
  4. *
  5. * NOTICE OF LICENSE
  6. *
  7. * This source file is subject to the Open Software License (OSL 3.0)
  8. * that is bundled with this package in the file LICENSE.txt.
  9. * It is also available through the world-wide-web at this URL:
  10. * http://opensource.org/licenses/osl-3.0.php
  11. * If you did not receive a copy of the license and are unable to
  12. * obtain it through the world-wide-web, please send an email
  13. * to license@magento.com so we can send you a copy immediately.
  14. *
  15. * DISCLAIMER
  16. *
  17. * Do not edit or add to this file if you wish to upgrade Magento to newer
  18. * versions in the future. If you wish to customize Magento for your
  19. * needs please refer to http://www.magento.com for more information.
  20. *
  21. * @category Mage
  22. * @package Mage_Admin
  23. * @copyright Copyright (c) 2006-2014 X.commerce, Inc. (http://www.magento.com)
  24. * @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
  25. */
  26.  
  27. /**
  28. * Admin observer model
  29. *
  30. * @category Mage
  31. * @package Mage_Admin
  32. * @author Magento Core Team <core@magentocommerce.com>
  33. */
  34. class Mage_Admin_Model_Observer
  35. {
  36. const FLAG_NO_LOGIN = 'no-login';
  37. /**
  38. * Handler for controller_action_predispatch event
  39. *
  40. * @param Varien_Event_Observer $observer
  41. * @return boolean
  42. */
  43. public function actionPreDispatchAdmin($observer)
  44. {
  45. $session = Mage::getSingleton('admin/session');
  46. /** @var $session Mage_Admin_Model_Session */
  47. $request = Mage::app()->getRequest();
  48. $user = $session->getUser();
  49.  
  50. $requestedActionName = $request->getActionName();
  51. $openActions = array(
  52. 'forgotpassword',
  53. 'resetpassword',
  54. 'resetpasswordpost',
  55. 'logout',
  56. 'refresh' // captcha refresh
  57. );
  58. if (in_array($requestedActionName, $openActions)) {
  59. $request->setDispatched(true);
  60. } else {
  61. if($user) {
  62. $user->reload();
  63. }
  64. if (!$user || !$user->getId()) {
  65. if ($request->getPost('login')) {
  66. $postLogin = $request->getPost('login');
  67. $username = isset($postLogin['username']) ? $postLogin['username'] : '';
  68. $password = isset($postLogin['password']) ? $postLogin['password'] : '';
  69. $session->login($username, $password, $request);
  70. $request->setPost('login', null);
  71. }
  72. if (!$request->getParam('forwarded')) {
  73. if ($request->getParam('isIframe')) {
  74. $request->setParam('forwarded', true)
  75. ->setControllerName('index')
  76. ->setActionName('deniedIframe')
  77. ->setDispatched(false);
  78. } elseif($request->getParam('isAjax')) {
  79. $request->setParam('forwarded', true)
  80. ->setControllerName('index')
  81. ->setActionName('deniedJson')
  82. ->setDispatched(false);
  83. } else {
  84. $request->setParam('forwarded', true)
  85. ->setRouteName('adminhtml')
  86. ->setControllerName('index')
  87. ->setActionName('login')
  88. ->setDispatched(false);
  89. }
  90. return false;
  91. }
  92. }
  93. }
  94.  
  95. $session->refreshAcl();
  96. }
  97.  
  98. /**
  99. * Unset session first visit flag after displaying page
  100. *
  101. * @deprecated after 1.4.0.1, logic moved to admin session
  102. * @param Varien_Event_Observer $event
  103. */
  104. public function actionPostDispatchAdmin($event)
  105. {
  106. }
  107. }
  108.  
  109. __PATCHFILE_FOLLOWS__
  110. diff --git app/code/core/Mage/Admin/Model/Observer.php app/code/core/Mage/Admin/Model/Observer.php
  111. index 9c04324..9d39424 100644
  112. --- app/code/core/Mage/Admin/Model/Observer.php
  113. +++ app/code/core/Mage/Admin/Model/Observer.php
  114. @@ -34,6 +34,7 @@
  115. class Mage_Admin_Model_Observer
  116. {
  117. const FLAG_NO_LOGIN = 'no-login';
  118. +
  119. /**
  120. * Handler for controller_action_predispatch event
  121. *
  122. @@ -42,16 +43,14 @@ class Mage_Admin_Model_Observer
  123. */
  124. public function actionPreDispatchAdmin($observer)
  125. {
  126. - $session = Mage::getSingleton('admin/session');
  127. /** @var $session Mage_Admin_Model_Session */
  128. + $session = Mage::getSingleton('admin/session');
  129.  
  130. - /**
  131. - * @var $request Mage_Core_Controller_Request_Http
  132. - */
  133. + /** @var $request Mage_Core_Controller_Request_Http */
  134. $request = Mage::app()->getRequest();
  135. $user = $session->getUser();
  136.  
  137. - $requestedActionName = $request->getActionName();
  138. + $requestedActionName = strtolower($request->getActionName());
  139. $openActions = array(
  140. 'forgotpassword',
  141. 'resetpassword',
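Review bot: The new `strtolower()` on the requested action name widens the open-action allow-list to any casing without saying why; a one-line comment such as `// normalise case before the allow-list check; the dispatcher presumably matches action names case-insensitively` would record the intent (hedged, since the dispatcher is not visible here). Because the value is now guaranteed to be a string, the `in_array()` check that consumes it below this hunk can take the strict flag. The enclosing method continues past the hunk.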
  142. @@ -67,11 +66,26 @@ class Mage_Admin_Model_Observer
  143. }
  144. if (!$user || !$user->getId()) {
  145. if ($request->getPost('login')) {
  146. - $postLogin = $request->getPost('login');
  147. - $username = isset($postLogin['username']) ? $postLogin['username'] : '';
  148. - $password = isset($postLogin['password']) ? $postLogin['password'] : '';
  149. - $session->login($username, $password, $request);
  150. - $request->setPost('login', null);
  151. +
  152. + /** @var Mage_Core_Model_Session $coreSession */
  153. + $coreSession = Mage::getSingleton('core/session');
  154. +
  155. + if ($coreSession->validateFormKey($request->getPost("form_key"))) {
  156. + $postLogin = $request->getPost('login');
  157. + $username = isset($postLogin['username']) ? $postLogin['username'] : '';
  158. + $password = isset($postLogin['password']) ? $postLogin['password'] : '';
  159. + $session->login($username, $password, $request);
  160. + $request->setPost('login', null);
  161. + } else {
  162. + if ($request && !$request->getParam('messageSent')) {
  163. + Mage::getSingleton('adminhtml/session')->addError(
  164. + Mage::helper('adminhtml')->__('Invalid Form Key. Please refresh the page.')
  165. + );
  166. + $request->setParam('messageSent', true);
  167. + }
  168. + }
  169. +
  170. + $coreSession->renewFormKey();
  171. }
  172. if (!$request->getInternallyForwarded()) {
  173. $request->setInternallyForwarded();
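Review bot: In the new form-key branch the posted credentials are only cleared from the request on the valid path (`$request->setPost('login', null);` sits inside the `if`), so a request that fails the form-key check continues into the code below the hunk with the username and password still in the request's POST data; move that line next to `$coreSession->renewFormKey();` so it runs on both paths. The `$request &&` guard in the `else` branch is dead, since `$request` is assigned unconditionally at the top of the method, outside this hunk. Note also that this hunk's trailing context reads `$request->getInternallyForwarded()`, whereas the listing above still reads the client-controllable `getParam('forwarded')`, so the patch was cut against a newer base than that listing and will not apply to it as shown. The enclosing method continues past the hunk.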