Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- /**
- * Magento
- *
- * NOTICE OF LICENSE
- *
- * This source file is subject to the Open Software License (OSL 3.0)
- * that is bundled with this package in the file LICENSE.txt.
- * It is also available through the world-wide-web at this URL:
- * http://opensource.org/licenses/osl-3.0.php
- * If you did not receive a copy of the license and are unable to
- * obtain it through the world-wide-web, please send an email
- * to license@magento.com so we can send you a copy immediately.
- *
- * DISCLAIMER
- *
- * Do not edit or add to this file if you wish to upgrade Magento to newer
- * versions in the future. If you wish to customize Magento for your
- * needs please refer to http://www.magento.com for more information.
- *
- * @category Mage
- * @package Mage_Admin
- * @copyright Copyright (c) 2006-2014 X.commerce, Inc. (http://www.magento.com)
- * @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
- */
- /**
- * Admin observer model
- *
- * @category Mage
- * @package Mage_Admin
- * @author Magento Core Team <core@magentocommerce.com>
- */
- class Mage_Admin_Model_Observer
- {
- const FLAG_NO_LOGIN = 'no-login';
- /**
- * Handler for controller_action_predispatch event
- *
- * @param Varien_Event_Observer $observer
- * @return boolean
- */
- public function actionPreDispatchAdmin($observer)
- {
- $session = Mage::getSingleton('admin/session');
- /** @var $session Mage_Admin_Model_Session */
- $request = Mage::app()->getRequest();
- $user = $session->getUser();
- $requestedActionName = $request->getActionName();
- $openActions = array(
- 'forgotpassword',
- 'resetpassword',
- 'resetpasswordpost',
- 'logout',
- 'refresh' // captcha refresh
- );
- if (in_array($requestedActionName, $openActions)) {
- $request->setDispatched(true);
- } else {
- if($user) {
- $user->reload();
- }
- if (!$user || !$user->getId()) {
- if ($request->getPost('login')) {
- $postLogin = $request->getPost('login');
- $username = isset($postLogin['username']) ? $postLogin['username'] : '';
- $password = isset($postLogin['password']) ? $postLogin['password'] : '';
- $session->login($username, $password, $request);
- $request->setPost('login', null);
- }
- if (!$request->getParam('forwarded')) {
- if ($request->getParam('isIframe')) {
- $request->setParam('forwarded', true)
- ->setControllerName('index')
- ->setActionName('deniedIframe')
- ->setDispatched(false);
- } elseif($request->getParam('isAjax')) {
- $request->setParam('forwarded', true)
- ->setControllerName('index')
- ->setActionName('deniedJson')
- ->setDispatched(false);
- } else {
- $request->setParam('forwarded', true)
- ->setRouteName('adminhtml')
- ->setControllerName('index')
- ->setActionName('login')
- ->setDispatched(false);
- }
- return false;
- }
- }
- }
- $session->refreshAcl();
- }
- /**
- * Unset session first visit flag after displaying page
- *
- * @deprecated after 1.4.0.1, logic moved to admin session
- * @param Varien_Event_Observer $event
- */
- public function actionPostDispatchAdmin($event)
- {
- }
- }
- __PATCHFILE_FOLLOWS__
- diff --git app/code/core/Mage/Admin/Model/Observer.php app/code/core/Mage/Admin/Model/Observer.php
- index 9c04324..9d39424 100644
- --- app/code/core/Mage/Admin/Model/Observer.php
- +++ app/code/core/Mage/Admin/Model/Observer.php
- @@ -34,6 +34,7 @@
- class Mage_Admin_Model_Observer
- {
- const FLAG_NO_LOGIN = 'no-login';
- +
- /**
- * Handler for controller_action_predispatch event
- *
- @@ -42,16 +43,14 @@ class Mage_Admin_Model_Observer
- */
- public function actionPreDispatchAdmin($observer)
- {
- - $session = Mage::getSingleton('admin/session');
- /** @var $session Mage_Admin_Model_Session */
- + $session = Mage::getSingleton('admin/session');
- - /**
- - * @var $request Mage_Core_Controller_Request_Http
- - */
- + /** @var $request Mage_Core_Controller_Request_Http */
- $request = Mage::app()->getRequest();
- $user = $session->getUser();
- - $requestedActionName = $request->getActionName();
- + $requestedActionName = strtolower($request->getActionName());
- $openActions = array(
- 'forgotpassword',
- 'resetpassword',
- @@ -67,11 +66,26 @@ class Mage_Admin_Model_Observer
- }
- if (!$user || !$user->getId()) {
- if ($request->getPost('login')) {
- - $postLogin = $request->getPost('login');
- - $username = isset($postLogin['username']) ? $postLogin['username'] : '';
- - $password = isset($postLogin['password']) ? $postLogin['password'] : '';
- - $session->login($username, $password, $request);
- - $request->setPost('login', null);
- +
- + /** @var Mage_Core_Model_Session $coreSession */
- + $coreSession = Mage::getSingleton('core/session');
- +
- + if ($coreSession->validateFormKey($request->getPost("form_key"))) {
- + $postLogin = $request->getPost('login');
- + $username = isset($postLogin['username']) ? $postLogin['username'] : '';
- + $password = isset($postLogin['password']) ? $postLogin['password'] : '';
- + $session->login($username, $password, $request);
- + $request->setPost('login', null);
- + } else {
- + if ($request && !$request->getParam('messageSent')) {
- + Mage::getSingleton('adminhtml/session')->addError(
- + Mage::helper('adminhtml')->__('Invalid Form Key. Please refresh the page.')
- + );
- + $request->setParam('messageSent', true);
- + }
- + }
- +
- + $coreSession->renewFormKey();
- }
- if (!$request->getInternallyForwarded()) {
- $request->setInternallyForwarded();
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement