From: ArthurHoaro
Date: Sat, 9 Feb 2019 11:36:31 +0000 (+0100)
Subject: Merge pull request #1182 from ArthurHoaro/feature/session-protection-stay-login
X-Git-Tag: v0.11.0~36
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=905f8675a728841b03b300d2c7dc909a1c4f7f03;hp=-c;p=github%2Fshaarli%2FShaarli.git

Merge pull request #1182 from ArthurHoaro/feature/session-protection-stay-login

Do not check the IP address with session protection disabled
---
905f8675a728841b03b300d2c7dc909a1c4f7f03
diff --combined application/security/LoginManager.php
index 0f315483,5a58926d..1ff3d0be
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@@ -58,6 -58,9 +58,9 @@@ class LoginManage
 */
 public function generateStaySignedInToken($clientIpAddress)
 {
+ if ($this->configManager->get('security.session_protection_disabled') === true) {
+ $clientIpAddress = '';
+ }
 $this->staySignedInToken = sha1(
 $this->configManager->get('credentials.hash')
 . $clientIpAddress
@@@ -95,6 -98,7 +98,6 @@@
 // The user client has a valid stay-signed-in cookie
 // Session information is updated with the current client information
 $this->sessionManager->storeLoginInfo($clientIpId);
-
 } elseif ($this->sessionManager->hasSessionExpired()
 || $this->sessionManager->hasClientIpChanged($clientIpId)
 ) {
diff --combined tests/security/LoginManagerTest.php
index de8055ed,b9ab5ec4..7b0262b3
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@@@ -2,8 -2,7 +2,8 @@@
 namespace Shaarli\Security;
 require_once 'tests/utils/FakeConfigManager.php';
-use \PHPUnit\Framework\TestCase;
+
+use PHPUnit\Framework\TestCase;
 /**
 * Test coverage for LoginManager
@@@ -260,6 -259,20 +260,20 @@@ class LoginManagerTest extends TestCas
 );
 }
+ /**
+ * Generate a token depending on the user credentials with session protected disabled
+ */
+ public function testGenerateStaySignedInTokenSessionProtectionDisabled()
+ {
+ $this->configManager->set('security.session_protection_disabled', true);
+ $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
+
+ $this->assertEquals(
+ sha1($this->passwordHash . $this->salt),
+ $this->loginManager->getStaySignedInToken()
+ );
+ }
+
 /**
 * Check user login - Shaarli has not yet been configured
 */
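Review bot: The docblock above `generateStaySignedInToken` (it starts above the first hunk) should state the consequence of the new guard, which nothing in the hunk records: with `security.session_protection_disabled` set, the cookie value is a deterministic `sha1()` of `credentials.hash` and whatever is concatenated after the hunk, with no per-issuance secret or expiry visible here, so a stolen stay-signed-in cookie is accepted from any address until the credentials change. Suggested comment on the new `if`: `// Session protection off: the token is not bound to the client IP, so a leaked cookie replays from any host until the password changes.` The `=== true` comparison is deliberately strict — a hand-edited config holding `1` or `"true"` keeps the IP binding on, which is the safe direction but worth a one-line note so it is not later "fixed" into a loose check. Note also that the second hunk's `hasClientIpChanged($clientIpId)` call still runs unconditionally, so whether the flag is honoured on the session-check path depends on `SessionManager`, which this diff does not show.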
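Review bot: The new test pins the token for a single address only, so it does not actually demonstrate the property the PR claims (that the token no longer depends on the client IP); add a second generation for a different address and assert the same value: `$this->loginManager->generateStaySignedInToken('10.0.0.1');` followed by `$this->assertSame(sha1($this->passwordHash . $this->salt), $this->loginManager->getStaySignedInToken());` (`assertSame` also avoids loose string comparison). The test flips `security.session_protection_disabled` on the shared `$this->configManager` and never resets it; if `setUp()` (outside this hunk) does not rebuild the fake config for every test, the flag leaks into the login tests that follow and silently weakens them. Either restore the setting at the end of the method or set it on a fresh config instance. The docblock typo `session protected disabled` should read `session protection disabled`.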