SONAR-3968 Sonar should not allow any login with a blank password even when this...
authorJulien Lancelot <julien.lancelot@gmail.com>
Tue, 27 Nov 2012 09:44:40 +0000 (10:44 +0100)
committerJulien Lancelot <julien.lancelot@gmail.com>
Tue, 27 Nov 2012 09:46:09 +0000 (10:46 +0100)
plugins/sonar-core-plugin/src/main/resources/org/sonar/l10n/core.properties
sonar-server/src/main/webapp/WEB-INF/app/controllers/sessions_controller.rb
sonar-server/src/main/webapp/WEB-INF/lib/need_authentication.rb

index a21573326fccd4fe4f560189631a2440a4b1dd48..8ab87ede62fbfe3cae25ad754330197b45e2d932 100644 (file)
@@ -375,6 +375,7 @@ sessions.confirm_password=Confirm password
 sessions.sign_up=Sign up
 sessions.old_account=<a href="{0}" tabindex="-1">Log in</a> if you already have an account.
 session.flash_notice.authentication_failed=Authentication failed.
+session.flash_notice.empty_password=Password can't be blank.
 session.flash_notice.logged_out=You have been logged out.
 
 #------------------------------------------------------------------------------
index 3098ad32268629985d130c8bd91b002c3af5eece..4b56c58b76cd0ae0517e22e22900fc8e7098a0e0 100644 (file)
@@ -26,16 +26,19 @@ class SessionsController < ApplicationController
   
   def login
     return unless request.post?
-
-    self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
-    if logged_in?
-      if params[:remember_me] == '1'
-        self.current_user.remember_me
-        cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
-      end
-      redirect_back_or_default(home_url)
+    if params[:password].blank?
+      flash.now[:loginerror] = message('session.flash_notice.empty_password')
     else
-      flash.now[:loginerror] = message('session.flash_notice.authentication_failed')
+      self.current_user = User.authenticate(params[:login], params[:password], servlet_request)
+      if logged_in?
+        if params[:remember_me] == '1'
+          self.current_user.remember_me
+          cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+        end
+        redirect_back_or_default(home_url)
+      else
+        flash.now[:loginerror] = message('session.flash_notice.authentication_failed')
+      end
     end
   end
 
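Review bot: The remember-me branch on the new side sets the persistent `auth_token` cookie with only `:value` and `:expires`, so the long-lived token is readable by any script on the page and is sent over plain HTTP as well as HTTPS; this is pre-existing code that the commit moves rather than introduces, but it is the part of `login` that hands out the most durable credential. If the Rails version in use accepts the flags (Rails 2.2 and later do), the line would become `cookies[:auth_token] = { :value => self.current_user.remember_token, :expires => self.current_user.remember_token_expires_at, :httponly => true, :secure => request.ssl? }`. Separately, the new `params[:password].blank?` guard only protects the form login; any other caller of `User.authenticate` relies on the matching check added to `PluginRealm#authenticate?` in the third file, so that check should be kept in sync if either side changes.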
index 7e3ffd3a7e021da099652f7f6c57dd9259fabcb7..7c2a5fd405027df3ba6290555053fe7645f8f2e4 100644 (file)
@@ -49,26 +49,28 @@ class PluginRealm
   end
 
   def authenticate?(username, password, servlet_request)
-    details=nil
-    if @java_users_provider
-      begin
-        provider_context = org.sonar.api.security.ExternalUsersProvider::Context.new(username, servlet_request)
-        details = @java_users_provider.doGetUserDetails(provider_context)
-      rescue Exception => e
-        Rails.logger.error("Error from external users provider: #{e.message}")
-        @save_password ? fallback(username, password) : false
-      else
-        if details
-          # User exist in external system
-          auth(username, password, servlet_request, details)
+    unless password.blank?
+      details=nil
+      if @java_users_provider
+        begin
+          provider_context = org.sonar.api.security.ExternalUsersProvider::Context.new(username, servlet_request)
+          details = @java_users_provider.doGetUserDetails(provider_context)
+        rescue Exception => e
+          Rails.logger.error("Error from external users provider: #{e.message}")
+          @save_password ? fallback(username, password) : false
         else
-          # No such user in external system
-          fallback(username, password)
+          if details
+            # User exist in external system
+            auth(username, password, servlet_request, details)
+          else
+            # No such user in external system
+            fallback(username, password)
+          end
         end
+      else
+        # Legacy authenticator
+        auth(username, password, servlet_request, nil)
       end
-    else
-      # Legacy authenticator
-      auth(username, password, servlet_request, nil)
     end
   end