Changeset - 182b6be0813e
Nathan Brink (binki) - 13 years ago 2012-11-09 22:59:20
ohnobinki@ohnopublishing.net
Fix the support for automatic WebAdvisor registration to not enter infinite loops.

The automatic registration process used to enter an infinite loop
every time it was used if the user had been previously issued a
TOKENIDX by WebAdvisor. This means that it would work the first time
in most cases but rarely a second time, if ever. Now we use
LASTTOKEN=NULL instead of TOKENIDX= to request a new token and it
works pretty well.
2 files changed with 42 insertions and 46 deletions:
scripts/webadvisor_tokenidx.js
 
/* -*- tab-width: 4; -*-
 
 * Copyright 2010 Nathan Gelderloos, Ethan Zonca, Nathan Phillip Brink
 
 *
 
 * This file is part of SlatePermutate.
 
 *
 
 * SlatePermutate is free software: you can redistribute it and/or modify
 
 * it under the terms of the GNU Affero General Public License as published by
 
 * the Free Software Foundation, either version 3 of the License, or
 
 * (at your option) any later version.
 
 *
 
 * SlatePermutate is distributed in the hope that it will be useful,
 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
 * GNU Affero General Public License for more details.
 
 *
 
 * You should have received a copy of the GNU Affero General Public License
 
 * along with SlatePermutate.  If not, see <http://www.gnu.org/licenses/>.
 
 */
 

	
 
/*
 
 * Assumes that WebAdvisor_scripts.js for WebAdvisor-2.x is loaded,
 
 * displayFormHTML() or something was called and thus
 
@@ -29,8 +48,14 @@ var slate_permutate_input_login;
 
				/*
 
				 * Discover the TOKENIDX if it's available.
 
				 */
 
				var sp_err = document.getElementById('sp_err');
 
				if (containsParameter(g_tokenIdx))
 
				{
 
					/* Remove the warning about the script not having loaded */
 
					sp_err.replaceChild(document.createTextNode("Slate Permutate TOKENIDX-acquiring script loaded…"), sp_err.firstChild);
 
					sp_err.setAttribute('style', 'color: grey;');
 

	
 
					/* Inform home base of the newly generated TOKENIDX. */
 
						var TOKENIDX = getURLParameter(g_tokenIdx);
 
						var myscript = document.createElement('script');
 
						myscript.setAttribute('type', 'text/javascript');
 
@@ -39,7 +64,9 @@ var slate_permutate_input_login;
 
				}
 
				else
 
				{
 
						alert('Unable to discover TOKENIDX. You must register manually.');
 
					sp_err.replaceChild(document.createTextNode('Slate Permutate unable to acquire TOKENIDX. You must register manually.'), sp_err.firstChild);
 
					sp_err.setAttribute('style', 'color: red; background: yellow;');
 
						alert('Unable to discover WebAdvisor TOKENIDX. You must register manually.');
 
				}
 
		}
 

	
 
@@ -66,5 +93,9 @@ function slate_permutate_token_callback(
 
		{
 
				slate_permutate_input_login.setAttribute('value', 'LOG IN');
 
				slate_permutate_input_login.removeAttribute('disabled');
 

	
 
			var sp_err = document.getElementById('sp_err');
 
			sp_err.replaceChild(document.createTextNode('Slate Permutate has acquired WebAdvisor TOKENIDX, ready for login.'), sp_err.firstChild);
 
			sp_err.setAttribute('style', 'color: green;');
 
		}
 
}
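Review bot: In the second hunk the manual-registration `alert` now runs after `sp_err.replaceChild(...)`, so if `document.getElementById('sp_err')` returns null (the `<span id="sp_err">` arrives through WebAdvisor's ERROR parameter separately from this script and may not survive whatever filtering that page applies) the TypeError ends the else branch before the user is ever told to register manually; the first hunk has the same ordering, with the status-text update preceding the TOKENIDX hand-off script that is the actual purpose of the branch. Keep the essential action first or guard the cosmetic update, e.g. `if (sp_err) { sp_err.replaceChild(document.createTextNode('Slate Permutate unable to acquire TOKENIDX. You must register manually.'), sp_err.firstChild); sp_err.setAttribute('style', 'color: red; background: yellow;'); }`, and the same guard around the updates in the first and third hunks. All three hunks start mid-function (the load handler and `slate_permutate_token_callback` begin outside them). The indentation also drifts in the first hunk, where `var TOKENIDX` and `var myscript` sit one level deeper than the comment introducing them; normalising to the file's declared tab-width 4 would make the block structure readable.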
webadvisor.php
 
@@ -39,6 +39,8 @@ if (!empty($_GET['TOKENIDX']))
 
    echo json_encode($result);
 
    if ($jsonp)
 
      echo ");\n";
 
    if ($jsonp && !empty($_GET['destination']))
 
      echo 'document.location.href = ' . json_encode($_GET['destination']) . ";\n";
 
    exit;
 
  }
 

	
 
@@ -111,53 +113,16 @@ function webadvisor_login($page, array $
 
   * to keep redirecting to itself infinitely. Similarly, if the
 
   * browser does not yet have a TOKENIDX-related cookie,
 
   * SS=LGRQ&URL=<URL> will redirect the user to URL without giving
 
   * the user a cookie. Thus, our strategy is:
 
   *
 
   * 1. Send the user to
 
   *    SS=LGRQ&URL=<URL>&SP_CALLBACK=<SP_CALLBACK>&ERROR=<XSS>. In
 
   *    this case, the URL will be set to have `from_webadvisor' as a
 
   *    GET parameter and ERROR will be set to the appropriate XSS for
 
   *    the normal login form. Thus, if the user does not have a
 
   *    token, he will be directed here and sent to step #2 to get a
 
   *    token. Otherwise, the user will have a jump start (already
 
   *    having TOKENIDX cookies) and communicate his token to us while
 
   *    logging in.
 
   *
 
   * 2. If webadvisor.php is called with from_webadvisor, that means
 
   *    one of two things. It might mean that webadvisor_tokenidx.js
 
   *    was called successfully and we have the webadvisor TOKENIDX
 
   *    stored in our session. In that case, the user's browser
 
   *    already had a WebAdvisor TOKENIDX before we did #1; also, this
 
   *    function won't be called in that case because this function is
 
   *    only called if TOKENIDX is unknown. Thus, we don't know the
 
   *    TOKENIDX, meaning that we need to request that the WebAdvisor
 
   *    installation allocate a TOKENIDX for the user and _then_
 
   *    proceed directly to the login page to send us TOKENIDX.
 
   * the user a cookie. Thus, our strategy is to specify
 
   * LASTTOKEN=NULL: this is the magic which prevents the silly
 
   * infinite looping when the user already has cookies and also works
 
   * when the user doesn’t have a cookie to start with.
 
   */
 

	
 
  $login_form_uri = $school['webadvisor_url'] . '?SS=LGRQ&URL=' . rawurlencode($dest)
 
  $login_form_uri = $school['webadvisor_url'] . '?LASTTOKEN=NULL&SS=LGRQ&URL=' . rawurlencode($dest)
 
    . '&SP_CALLBACK=' . rawurlencode($tokenidx_callback)
 
    . '&ERROR=' . rawurlencode('<script type="text/javascript" src="' . htmlentities(page::uri_resolve('scripts/webadvisor_tokenidx.js'), ENT_QUOTES) . '"></script>');
 

	
 
  if (isset($_GET['from_webadvisor']))
 
    /*
 
     * Case 2, infer that browser needs TOKENIDX cookies _and_ that
 
     * the following URI won't cause endless looping
 
     * (hopefully). Unfortunately, this process is not reentrant.
 
     */
 
    redir($school['webadvisor_url'] . '?TOKENIDX=&SS=LGRQ&URL=' . rawurlencode($login_form_uri));
 

	
 
  /*
 
   * Case 1, assume that the user has a TOKENIDX cookie _but_ make
 
   * provisions ($dest has from_webadvisor in it) for needing to
 
   * allocate that cookie.
 
   */
 
    . '&ERROR=' . rawurlencode('<script type="text/javascript" src="' . htmlentities(page::uri_resolve('scripts/webadvisor_tokenidx.js?20121110f'), ENT_QUOTES) . '"></script><span id="sp_err">Slate Permutate loading… (automatic registration may not be working)</span>');
 
  redir($login_form_uri);
 

	
 
  return array(
 
    /* 'preload' => $school['webadvisor_url'] . '?TYPE=P&PID=UT-LGRQ&PROCESS=-XUTAUTH01&URL=', */
 
    'uri' => $school['webadvisor_url'] . '?SS=LGRQ&URL=' . rawurlencode($login_form_uri),
 
  );
 
}
 

	
 
function redir($dest)
 
@@ -184,8 +149,8 @@ if (empty($_SESSION['webadvisor_TOKENIDX
 
  {
 
    /*
 
     * Get a token for the ST-WERG form and have the user perform the
 
     * WebAdmin-specific login. This can only be done after the login form
 
     * has an SS allocated for it.
 
     * WebAdvisor-specific login. This can only be done after the
 
     * login form has an SS allocated for it.
 
     */
 
    webadvisor_login($page, $school, page::uri_resolve('webadvisor.php') . '?r=' . rand()
 
		     . '&sections=' . rawurlencode(empty($_GET['sections']) ? '' : $_GET['sections'])
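Review bot: The new `destination` redirect in the first hunk (`echo 'document.location.href = ' . json_encode($_GET['destination']) . ";\n";`) navigates the including page to whatever URL arrives in the query string with no validation of scheme or host, so any link to this JSONP endpoint can steer the browser to an arbitrary location, including a non-http scheme; the enclosing `if (!empty($_GET['TOKENIDX']))` block starts outside the hunk. `json_encode` is adequate for the JavaScript string context (its default `/` escaping prevents a `</script>` breakout), but it does nothing about where the redirect goes. Validate before emitting it, e.g. `$scheme = parse_url($_GET['destination'], PHP_URL_SCHEME);` and only echo the redirect when `$scheme === null || in_array($scheme, array('http', 'https'), true)`, ideally also requiring the host to match this application's own base URI (`page::uri_resolve` appears to be where such URIs come from, but its behaviour is not visible here). The same value presumably originates in `$tokenidx_callback`, which `webadvisor_login` receives from outside the hunk, so a comment at the top of that function stating that `destination` is treated as untrusted and re-checked on return would help the next reader.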