Install Joomla 3.10.6
Set your session timeout to 1 minute
Create a secondary user, let's call it joomlalala
Log into the site's frontend with joomlalala, checking the Remember Me setting
Close the browser and wait for one minute
Log into the backend of the site with your primary Super User account
Update to Joomla 3.10.7
Go to the frontend of the site
You are logged into the site with joomlalala using cookie authentication (Remember Me).
Log out of the site
Try to log back into the site with user joomlalala using a password
You are logged into the site
You are NOT logged into the site
Completely irrelevant.
You are blindly setting the user's authProvider field to whatever the login method's type is, without checking if it corresponds to an existing plugin in the authentication group or it's a placeholder or if it's even a secondary authentication method, like the cookie authentication!
You are then using that to lock the user to that non-existent or secondary authentication plugin which means that the user can no longer log in. Since the cookie was destroyed when the user logged out they can never log into the site again.
Related issue on Joomla 4: #37411
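
The check the report describes as missing, as an added illustration that is not part of the original report and is not Joomla's code: a login method's type is only written to authProvider when it names an enabled plugin in the authentication group that is not a secondary method such as cookie authentication. The function names, the two input lists, and the convention that an empty authProvider means "not locked to any method" are assumptions.

```php
<?php
// Added illustration, not Joomla core code. All names below are hypothetical.

/** True if $name is an enabled authentication plugin that is not a secondary method. */
function isPrimaryProvider(string $name, array $enabledPlugins, array $secondary): bool
{
    $name = strtolower(trim($name));

    return $name !== ''
        && in_array($name, array_map('strtolower', $enabledPlugins), true)
        && !in_array($name, array_map('strtolower', $secondary), true);
}

/**
 * Value to store in the user's authProvider field after a successful login.
 * Assumption: an empty string means the account is not locked to any method.
 */
function resolveAuthProvider(string $loginType, string $stored, array $enabledPlugins, array $secondary): string
{
    // Only a login through an existing, primary plugin may pin the account.
    if (isPrimaryProvider($loginType, $enabledPlugins, $secondary)) {
        return strtolower(trim($loginType));
    }

    // Cookie, placeholder or unknown type: never pin to it. Keep the stored
    // value only if it is itself valid, which also clears a bad earlier pin.
    return isPrimaryProvider($stored, $enabledPlugins, $secondary)
        ? strtolower(trim($stored))
        : '';
}

// Constructed sample data: plugins enabled in the authentication group.
$enabled   = ['joomla', 'cookie'];
$secondary = ['cookie'];

// Constructed cases: [type of the login method, value already stored].
$cases = [
    ['Cookie', ''],        // Remember Me login on an unlocked account
    ['Joomla', ''],        // password login
    ['Cookie', 'joomla'],  // Remember Me login on a correctly pinned account
    ['LDAP',   ''],        // type with no enabled plugin behind it
    ['Cookie', 'cookie'],  // account already pinned to the cookie method
];

foreach ($cases as [$type, $stored]) {
    $result = resolveAuthProvider($type, $stored, $enabled, $secondary);
    printf("login=%-7s stored=%-9s => %s\n", $type, var_export($stored, true), var_export($result, true));
}
```

The last case is the state the reproduction steps leave the joomlalala account in; the stored value is dropped instead of kept, so a later password login is not refused because of it.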
Labels | Added: No Code Attached Yet |
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-03-29 21:07:13 |
Closed_By | ⇒ | richard67 |
I disagree that anything is fixed by that PR. You guys have broken Joomla in a fundamental way.
The PR fixes the issue reported here and does not claim to fix others.
I disagree that anything is fixed by that PR. You guys have broken Joomla in a fundamental way.
You are so right and I really hope they listen to you.
@sentixGmbH They did and this mess is being addressed right now.
Thx!
Confirmed and clearly a stupid mistake, see #37416