Some openid fixes

[oss/stilllife.git] / forum / forum

diff --git a/forum/forum b/forum/forum
index c9bb2c6caa4e92a6c173f0a909ea2b86bfc63fe3..df265c3c6157b3723baa8ddfc2c95628ca22c10a 100755 (executable)
--- a/forum/forum
+++ b/forum/forum
@@ -377,6 +377,18 @@ sub fix_forum_links {
                } else {
                        $attr ="src";
                }
+               
+               # Обрабатываем наши специальные link rel=""
+               if ($element->tag eq "link") {
+                       if ($element->attr("rel") eq "forum-user-list") {
+                               $element->attr("href" => $cgi->url(-absolute=>1,
+                                       -path_info=>0,-query_string=>0).$forum->{userurl});
+                               next ELEMENT;   
+                       } elsif ($element->attr("rel") eq "forum-script")  {
+                               $element->attr("href" => $script_with_path);
+                               next ELEMENT;
+                       }       
+               }
                my $link = $element->attr($attr);
                # Абсолютная ссылка - оставляем как есть. 
                next ELEMENT if (! defined $link || $link=~/^\w+:/); 
@@ -457,6 +469,13 @@ sub authorize_user {
                dbmopen %sessbase,datafile($forum,"session"),0644;
                        if ($sessbase{$session})  {
                                my ($user,$expires,$ip)=split(";", $sessbase{$session});
+                               my $user_cookie = $cgi->cookie("sluser");
+                               if ($user_cookie ne $user && $user_cookie ne
+                               "http://".$user) {
+                                       clear_user_cookies($cgi,$forum);
+                                       show_error($forum,"Некорректная пользовательская сессия");
+                                       exit;
+                               }       
                                if (!defined $ip|| $ip eq $ENV{'REMOTE_ADDR'}) {
                                        my %userbase;
                                        dbmopen %userbase,datafile($forum,"passwd"),0644;
@@ -476,7 +495,11 @@ sub authorize_user {
                                        }       
                                        dbmclose %userbase; 
                                }       
-                       }       
+                       } else {
+                               clear_user_cookies($cgi,$forum);
+                               show_error($forum,"Некорректная пользовательская сессия");
+                               exit;
+                       }
                dbmclose %sessbase;
        }
 }
@@ -510,7 +533,9 @@ sub newsession {
        } while ($base->{$sessname});
        my $cookie = $cgi->cookie(-name=>"slsession",
                -expires => $forum->{"authperiod"},-value=> $sessname);
-       $base->{$sessname}=$user.";".str2time($cookie->expires()).
+       my $username = $user;
+       $username =~ s/^http:\/\///; #Remoove http:// from OpenID user names 
+       $base->{$sessname}=$username.";".str2time($cookie->expires()).
                ($ip?";$ENV{'REMOTE_ADDR'}":"");
                
        $forum->{'cookies'}=[ $cookie,
@@ -692,15 +717,19 @@ sub login {
                show_template(@_);
        }       
 }      
+sub clear_user_cookies {
+       my ($cgi,$forum) = @_;
+       $forum->{cookies}=[ $cgi->cookie(-name=>"sluser", -value=>"0",
+       -expires=>"-1m"),$cgi->cookie(-name=>"slsession", -value=>"0",
+                       -expires => "-1m")];
+}                      
 #
 # Обработчик формы logout. В отличие от большинства обработчиков форм,
 # поддерживает обработку методом GET
 #
 sub logout {
        my ($form,$cgi,$forum) = @_;
-       $forum->{cookies}=[ $cgi->cookie(-name=>"sluser", -value=>"0",
-       -expires=>"-1m"),$cgi->cookie(-name=>"slsession", -value=>"0",
-                       -expires => "-1m")];
+       clear_user_cookies($cgi,$forum);
        if (defined (my $session_id = $cgi->cookie("slsession"))) {
                my %sessiondb;
                dbmopen %sessiondb,datafile($forum,"session"),0644;
@@ -930,7 +959,7 @@ sub openid_verify {
                my %userbase;
                dbmopen %userbase,datafile($forum,"passwd"),0664;
                if (!$userbase{$user}) {
-                       $userbase{$user} = $forum->{authenticated}={};
+                       $userbase{$user} = $forum->{authenticated}={"openiduser"=>1};
                } else {
                        $forum->{authenticated} = thaw ($userbase{$user});
                }