colivier
5 Oct 2015

As a security issue: if an authentication plugin detects an anomaly (e.g. a lot of authentication tests in a short time, a suspect IP or a blacklisted IP...), this plugin should have a means to cancel the current authentication.

Today, the only way to cancel the authentication process is to disable the Joomla authentication plugin and rewrite another one on the same model.

The status "cancel" is unused and perhaps this would be a good use for it.

colivier - open - 5 Oct 2015
colivier - change - 5 Oct 2015
Status: New → Pending
joomla-cms-bot - change - 5 Oct 2015
Labels Added: ?
zero-24 - comment - 5 Oct 2015

@colivier see: colivier#1 this should also fix the second Travis problem ;)

zero-24 - change - 5 Oct 2015
Category: Authentication Libraries Plugins
dam-man - comment - 10 Oct 2015

Please add test instructions, otherwise it is not easy to test and to know what the results should be.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8018.

colivier - comment - 12 Oct 2015

I'm sorry but there are no instructions for testing.

The only way to test is to create an authentication plugin and note that this plugin does not have the means to stop the authentication process. Today the only way to break out of the loop is when an authentication plugin has identified a user, but there is no way to break out of the loop if a plugin identifies a problem (e.g. a lot of authentication tests in a short time, a suspect IP or a blacklisted IP...). If a plugin finds a problem, the loop continues and cannot be stopped.

wilsonge - comment - 31 Jul 2016

Hey,
I've been having a look over this as my company are in the process of building an authentication plugin at the moment. I think this is fine BUT you need to add the cancelled status to the list of denied states https://github.com/joomla/joomla-cms/blob/3.6.1-rc2/libraries/cms/application/cms.php#L823 and
https://github.com/joomla/joomla-cms/blob/3.6.1-rc2/libraries/legacy/application/application.php#L635

colivier - comment - 1 Aug 2016

If an authentication plugin returns anything other than STATUS_SUCCESS, the test at line 627 of application.php fails and the login function is stopped.
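
The plugin loop discussed in this thread, as an added example that is not part of the PR or Joomla's own code: a simplified stand-alone PHP model in which the status constants, plugin functions and sample data are assumptions made for illustration. It contrasts a loop that ends only on success with one that also stops on a cancel status, and a caller that treats anything other than success as a failed login.

```php
<?php
// Simplified stand-alone model. Constant names and values are assumptions, not Joomla's source.
const STATUS_SUCCESS = 1;
const STATUS_CANCEL  = 2;
const STATUS_FAILURE = 4;

// Hypothetical plugin: cancels when the client IP is on a constructed blocklist.
function ipGuardPlugin(array $credentials, array $options): int
{
    $blocklist = ['203.0.113.7']; // constructed sample (documentation address range)
    return in_array($options['remote_ip'], $blocklist, true) ? STATUS_CANCEL : STATUS_FAILURE;
}

// Hypothetical plugin: password check against a constructed user table.
function passwordPlugin(array $credentials, array $options): int
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    $hash  = $users[$credentials['username']] ?? '';
    return password_verify($credentials['password'], $hash) ? STATUS_SUCCESS : STATUS_FAILURE;
}

// The plugin loop. $honourCancel = false models the behaviour described in the thread
// (only a success ends the loop); true models the proposed change.
function authenticate(array $plugins, array $credentials, array $options, bool $honourCancel): int
{
    $status = STATUS_FAILURE;
    foreach ($plugins as $plugin) {
        $status = $plugin($credentials, $options);
        if ($status === STATUS_SUCCESS) {
            break;
        }
        if ($honourCancel && $status === STATUS_CANCEL) {
            break; // an earlier plugin vetoed the attempt; later plugins never run
        }
    }
    return $status;
}

// Caller side: anything other than success is treated as a failed login.
function login(int $status): bool
{
    return $status === STATUS_SUCCESS;
}

$plugins = ['ipGuardPlugin', 'passwordPlugin'];
$creds   = ['username' => 'alice', 'password' => 'correct horse'];
$opts    = ['remote_ip' => '203.0.113.7'];

var_dump(login(authenticate($plugins, $creds, $opts, false))); // cancel ignored, password plugin still runs
var_dump(login(authenticate($plugins, $creds, $opts, true)));  // loop stops at the cancel
```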

euismod2336 - comment - 4 Nov 2016

@colivier This cannot be merged at this point because the file and code were moved (now /libraries/joomla/authentication/authentication.php line 287).


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8018.

colivier - comment - 4 Nov 2016

@euismod2336 Thank you for the information, so I am closing the PR.

colivier - change - 4 Nov 2016
Status: Pending → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-11-04 13:35:51
Closed_By: colivier
colivier - close - 4 Nov 2016
joomla-cms-bot - change - 4 Nov 2016
Category: Authentication Libraries Plugins → Libraries Authentication
