Author
|
Message
|
Franck T.
|
Tuesday 21 February 2006 2:34:59 am
I'm running the 3.6.0 version for my intranet.
Sometimes, when people access the welcome page to log in, the form is already filled with the login name of another user (fortunately nothing in the password field!).
Is this a cache problem or a security hole? Has anyone using this version ever encountered the same problem? Thanks.
|
Franck T.
|
Thursday 23 February 2006 12:19:51 am
Really no idea ?
|
Łukasz Serwatka
|
Thursday 23 February 2006 12:31:16 am
Isn't this a feature of the web browser which is used by your users? If you did not change the login template, then eZ by default will not fill in the login input.
Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog
|
Franck T.
|
Thursday 23 February 2006 1:15:56 am
Thanks Lukasz. I didn't change the standard login form, so maybe it is a feature to disable in the browser settings, but which one (we use IE 5 or 6)?
|
Łukasz Serwatka
|
Thursday 23 February 2006 1:19:01 am
IE has something like auto-complete in input forms and can remember logins. Look in the IE advanced settings. Yes, you can reset or disable it. Probably some of your users chose "Remember my login" or something similar.
|
Franck T.
|
Thursday 23 February 2006 2:19:51 am
Lucasz, let me give a little precision: In my intranet, people must first log in (login page). Next, they reach the main page where I've added a logout link like this:
{let thisuser=fetch('user','current_user')}
{section show=$thisuser.is_logged_in}
<b>Hello {$thisuser.contentobject.name} </b>
<a href="/ezfolder/index.php/sitename/user/logout" title="Quitt">[ To logout ]</a>
{/section}
{/let}
It seems that the problem doesn't occur when people access the site login page by http://ip/ezfolder/index.php/sitename but <b> when disconnecting </b>.
When disconnecting, they are redirected to the login page via the url: http://ip/ezfolder/index.php/sitename/user/login
and it's at this very moment that they see the pre-filled form with the login name of another user.
How can I redirect, after logout, to http://ip/ezfolder/index.php/sitename? Maybe it can solve the problem? If I'm not mistaken, the browser's settings keep your <b>own</b> information but not other people's login information... No?
|
Łukasz Serwatka
|
Thursday 23 February 2006 2:45:11 am
Does this happen on IE only? What will happen when you redirect the user after logout to the home page? Check the site.ini configuration file [UserSettings].
|
Franck T.
|
Thursday 23 February 2006 3:40:29 am
Ok Lucasz, it seems to work fine when I redirect to the home page. I'll ask some users to try it this afternoon to be sure.
<i>Another question in the same idea please:</i> my users can edit their profile. No problem when they save changes, but when they click on the Discard button they get a kernel error with a message saying they cannot access the page. I think it's because they are not allowed to read in the Users section, but my question is how to redirect them to the welcome page both when they discard and when they save changes? Thanks for your patience.
|
Łukasz Serwatka
|
Thursday 23 February 2006 4:50:54 am
Use one or both of these variables in the edit object form:
<input type="hidden" name="RedirectURIAfterPublish" value="/url/goes/here" />
<input type="hidden" name="RedirectIfDiscarded" value="/url/goes/here" />
|
Franck T.
|
Thursday 23 February 2006 8:31:07 am
Really sorry Lucasz, I'm still searching but I don't know where to find this 'edit object form'...
|
Łukasz Serwatka
|
Thursday 23 February 2006 11:22:28 am
I'm Lukasz (no support for Polish letters here ;), not Lucasz ;) Lucasz looks like Italian "Luca" + Polish "sz" ;)
"I don't know where to find this 'edit object form'"
When your user edits their own profile (e.g. /content/edit/14 for admin), the edit template for the user class is loaded. You will need to edit the template which is assigned to the user class (look for /content/edit.tpl around page 27 of the "Complete template list"), or if you are using the "Base" design then add these hidden inputs directly in design/base/override/templates/edit/user.tpl. Hope it will help you now? Let us know if you still have a problem.
|
Franck T.
|
Friday 24 February 2006 1:05:35 am
Lukasz, you're my ez saviour !! Works fine with this:
<div class="buttonblock">
<input class="defaultbutton" type="submit" name="PublishButton" value="{'Store'|i18n('design/base')}" />
<input class="button" type="submit" name="DiscardButton" value="{'Cancel'|i18n('design/base')}" />
<input type="hidden" name="RedirectURI" value="/" />
<input type="hidden" name="DiscardConfirm" value="0" />
<input type="hidden" name="RedirectIfDiscarded" value="/" />
</div>
But may I ask you another ultimate question (-: ?
After some tests it also appears that the login form is auto-filled when the login operation fails. At this moment ez displays the message "Could not login - A valid name or password is required" and it fills the form with the name of the last logged user. Any idea about why does this happen ? Thanks a lot.
|
Łukasz Serwatka
|
Friday 24 February 2006 1:10:58 am
Good to see that redirection works ;)
"Any idea about why does this happen ?"
I asked above if this happened only on IE, or on other web browsers too? Can you test it with FF, Opera, or a web browser other than IE?
|
Franck T.
|
Friday 24 February 2006 1:21:11 am
It happens on both IE and Firefox. But I'm wondering about this line of my login.tpl:
...
<input type="hidden" name="RedirectURI" value="{$User:redirect_uri|wash}" />
What does $user:redirect_uri mean? What if I also change this redirection?
|
Łukasz Serwatka
|
Friday 24 February 2006 1:26:59 am
Remove {$User:login|wash} from the Login input field. This is an eZp feature. This will solve the problem.
|
Franck T.
|
Friday 24 February 2006 2:07:07 am
...
<div class="block">
<label for="id1">{"Username"|i18n("design/standard/user",'User name')}</label><div class="labelbreak"></div>
<input class="halfbox" type="text" size="10" name="Login" id="id1" tabindex="1" />
</div>
<div class="block">
...
And it works !!! Giant !!! Wonderful !!!
Lukasz, thanks a looooooooooooot, one more time !
Can you just explain to me what the problem was? Best regards,
|
Łukasz Serwatka
|
Friday 24 February 2006 2:20:54 am
When you type a wrong password and you can't log in, eZp shows the login again in the input so you don't have to fill it in again. So {$User:login|wash} returns the last typed login in the input.
|
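A check for the cause identified at the end of this thread, as an added example that is not code from the thread or from eZ Publish: it scans template text for `Login` or `Password` inputs whose `value` is filled from a template variable such as `{$User:login|wash}`. The function name `find_echoed_login_fields` is hypothetical, and both sample templates are constructed from the snippets posted above (the thread never shows the original input tag, so the placement of the `value` attribute is an assumption).

```python
import re

# Each <input ...> tag; its attributes are parsed separately below.
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Double-quoted attributes only, which is what the templates in the thread use.
ATTR = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')
# A template expression that outputs a variable, e.g. {$User:login|wash}
TEMPLATE_EXPR = re.compile(r"\{\s*\$[^}]*\}")
# Credential fields that should be rendered empty on a shared login page.
SENSITIVE_NAMES = {"login", "password"}


def find_echoed_login_fields(template_text):
    """Return (line, field name, expression) for every Login/Password input
    whose value attribute is populated from a template variable."""
    findings = []
    for match in INPUT_TAG.finditer(template_text):
        attrs = {k.lower(): v for k, v in ATTR.findall(match.group(0))}
        name = attrs.get("name", "")
        if name.lower() not in SENSITIVE_NAMES:
            continue  # e.g. the hidden RedirectURI field is not a credential
        expr = TEMPLATE_EXPR.search(attrs.get("value", ""))
        if expr:
            line = template_text.count("\n", 0, match.start()) + 1
            findings.append((line, name, expr.group(0)))
    return findings


# Constructed sample: login field that echoes the last submitted login.
ECHOING_TEMPLATE = '''<div class="block">
<input class="halfbox" type="text" size="10" name="Login" id="id1" value="{$User:login|wash}" tabindex="1" />
</div>
<input type="hidden" name="RedirectURI" value="{$User:redirect_uri|wash}" />
'''

# Constructed sample: the field as posted in the thread after the fix.
FIXED_TEMPLATE = '''<div class="block">
<input class="halfbox" type="text" size="10" name="Login" id="id1" tabindex="1" />
</div>
<input type="hidden" name="RedirectURI" value="{$User:redirect_uri|wash}" />
'''

if __name__ == "__main__":
    for label, text in (("before", ECHOING_TEMPLATE), ("after", FIXED_TEMPLATE)):
        print(label, find_echoed_login_fields(text))
```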