From d9ba1cdd44a7eec9e7f4d429087c6ba838ad473e Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Tue, 17 Jul 2018 14:13:37 +0200
Subject: Do not check the IP address with session protection disabled

This allows the user to stay logged in if his IP changes.
Fixes #1106
---
 tests/security/LoginManagerTest.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'tests/security')
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php
index f26cd1eb..b9ab5ec4 100644
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@@ -259,6 +259,20 @@ class LoginManagerTest extends TestCase
 );
 }
+ /**
+ * Generate a token depending on the user credentials with session protected disabled
+ */
+ public function testGenerateStaySignedInTokenSessionProtectionDisabled()
+ {
+ $this->configManager->set('security.session_protection_disabled', true);
+ $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
+
+ $this->assertEquals(
+ sha1($this->passwordHash . $this->salt),
+ $this->loginManager->getStaySignedInToken()
+ );
+ }
+
 /**
 * Check user login - Shaarli has not yet been configured
 */
--
cgit v1.2.3
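Review bot: The expected value in `testGenerateStaySignedInTokenSessionProtectionDisabled` pins the stay-signed-in token to `sha1($this->passwordHash . $this->salt)`, so with `security.session_protection_disabled` set the token has no per-client or per-session input and presumably stays identical until the password or salt changes. The docblock should record that this is the intended trade-off, e.g. `* With session protection disabled the token must not depend on the client IP; it is derived from the password hash and salt only.`, which also fixes the "session protected disabled" wording. `assertSame` would be the stricter comparison for the two hex strings than `assertEquals`. Only `tests/security` is shown, so whether the cookie carrying this token is otherwise expired or rotated cannot be confirmed from this hunk.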