summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2011-08-11 17:35:03 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-08-11 21:04:38 +0200
commit1c9db1d1f14d5f83d8bd7dbbd535cf109680471f (patch)
treef0d43b6b7364deed54fb8317e7d8b0ffb52ed5a0
parenta47f4915dcc057b8b57130886e009db9ca6afd44 (diff)
downloadaur-1c9db1d1f14d5f83d8bd7dbbd535cf109680471f.tar.gz
aur-1c9db1d1f14d5f83d8bd7dbbd535cf109680471f.tar.xz
Add a configuration setting to disallow HTTP login
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/lib/aur.inc.php7
-rw-r--r--web/lib/config.inc.php.proto3
-rw-r--r--web/template/login_form.php10
3 files changed, 17 insertions, 3 deletions
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 0927604a..474ebeed 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -326,9 +326,12 @@ function html_header($title="") {
global $_POST;
global $LANG;
global $SUPPORTED_LANGS;
+ global $DISABLE_HTTP_LOGIN;
- $login = try_login();
- $login_error = $login['error'];
+ if (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) {
+ $login = try_login();
+ $login_error = $login['error'];
+ }
$title = htmlspecialchars($title, ENT_QUOTES);
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
index f710844d..0f672abe 100644
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@@ -71,3 +71,6 @@ $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30;
# please ensure "upload_max_filesize" is additionally set to no more than 3M,
# otherwise this check might be easy to bypass (FS#22991 for details)
$MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8;
+
+# Allow HTTPs logins only
+$DISABLE_HTTP_LOGIN = true;
diff --git a/web/template/login_form.php b/web/template/login_form.php
index ca81e0e7..b351a27e 100644
--- a/web/template/login_form.php
+++ b/web/template/login_form.php
@@ -6,7 +6,7 @@ if (isset($_COOKIE["AURSID"])) {
<a href="logout.php">[<?php print __("Logout"); ?>]</a>
<?php
}
-else {
+elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) {
if ($login_error) {
print "<span class='error'>" . $login_error . "</span><br />\n";
}
@@ -26,5 +26,13 @@ else {
<a href="passreset.php">[<?php echo __('Forgot Password') ?>]</a>
</div>
</form>
+<?php
+}
+else {
+?>
+<span class='error'>
+ <?php echo __("HTTP login is disabled. Please switch to HTTPs if you want to login: "); ?>
+ <a href="https://aur.archlinux.org/">https://aur.archlinux.org/</a>
+</span>
<?php } ?>
</div>