From: ArthurHoaro
Date: Sat, 9 Feb 2019 11:36:31 +0000 (+0100)
Subject: Merge pull request #1182 from ArthurHoaro/feature/session-protection-stay-login
X-Git-Tag: v0.11.0~36
X-Git-Url: https://git.immae.eu/?p=github%2Fshaarli%2FShaarli.git;a=commitdiff_plain;h=905f8675a728841b03b300d2c7dc909a1c4f7f03;hp=7417e8ac4a4cf742ace1679c046425bb3f2bac2c

Merge pull request #1182 from ArthurHoaro/feature/session-protection-stay-login

Do not check the IP address with session protection disabled
---

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 0f315483..1ff3d0be 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -58,6 +58,9 @@ class LoginManager
 */
 public function generateStaySignedInToken($clientIpAddress)
 {
+ if ($this->configManager->get('security.session_protection_disabled') === true) {
+ $clientIpAddress = '';
+ }
 $this->staySignedInToken = sha1(
 $this->configManager->get('credentials.hash')
 . $clientIpAddress
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php
index de8055ed..7b0262b3 100644
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@@ -260,6 +260,20 @@ class LoginManagerTest extends TestCase
 );
 }

+ /**
+ * Generate a token depending on the user credentials with session protected disabled
+ */
+ public function testGenerateStaySignedInTokenSessionProtectionDisabled()
+ {
+ $this->configManager->set('security.session_protection_disabled', true);
+ $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
+
+ $this->assertEquals(
+ sha1($this->passwordHash . $this->salt),
+ $this->loginManager->getStaySignedInToken()
+ );
+ }
+
 /**
 * Check user login - Shaarli has not yet been configured
 */
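Review bot: In `generateStaySignedInToken()` (application/security/LoginManager.php), once `$clientIpAddress` is blanked the token reduces to a SHA-1 over the stored password hash and salt only (the expected value in the new test shows this), so it is identical for every client and every login and does not change until the credentials do. A copied cookie is then replayable from any network, and anyone who can read the stored hash and salt can compute it offline; the new branch should carry a comment saying so, e.g. `// Session protection disabled: the token is no longer bound to the client IP and is constant until the credentials change.` A per-login value from `random_bytes()` kept server-side would avoid deriving the cookie from the credentials at all, though that is a larger change than this hunk. The strict `=== true` also means a config value stored as `'true'` or `1` leaves the IP binding in place, which fails safe but may look as if the option is ignored. The function body continues outside the hunk.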
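Review bot: `testGenerateStaySignedInTokenSessionProtectionDisabled()` (tests/security/LoginManagerTest.php) pins only the boolean `true` case, while the production check is the strict `=== true`. A companion case that sets the option to `false` (and, if the config can hold them, `'true'` or `1`) and expects the IP-bound token would document which values actually switch the binding off; a default-case test may already exist outside this hunk. `assertSame` would be the stricter choice than `assertEquals` for comparing two hash strings. The docblock should read `session protection disabled` rather than `session protected disabled`.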