login username issue

PostPosted: Thu Nov 15, 2007 3:44 pm
by studio67
I'm new to the forum here - working with the webauction application. I appreciate any guidance that might be available.

I set the site up - no problem. Works great. I imported a few hundred user records (via sql script, if that makes any difference at all), and I'm doing a little testing and I found out that if I have a username that matches the beginning part of another username, it logs me in as the wrong user!

For instance, if I have these users:
bob
boba
bobb
bobc

I log in with bob, I actually get logged in as boba.

Has anyone else dealt with this, or seen it? Could anyone point me in the right direction to prevent this from happening? I ran a script on my base of login names and found 5 or 6 where this is the case - the full username is the beginning (substring) of another username (or usernames).

Thanks so much
s

PostPosted: Thu Nov 15, 2007 4:34 pm
by shannah
Thanks for posting this. This is a critical issue.

To fix it, you need to make a change to the Dataface/AuthenticationTool.php file. Specifically the getLoggedInUser() method:
Code:
/**
 * Returns reference to a Dataface_Record object of the currently logged in
 * user's record.
 */
function &getLoggedInUser(){
   $null = null;
   if ( !$this->authEnabled ) return $null;
   if ( isset($this->delegate) and method_exists($this->delegate, 'getLoggedInUser') ){
      $user =& $this->delegate->getLoggedInUser();
      return $user;
   }
   if ( !$this->isLoggedIn() ) return $null;
   static $user = 0;
   if ( $user === 0 ){
      $user = df_get_record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
      if ( !$user ){
         $user = new Dataface_Record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
      }
   }
   return $user;
}


Change it to:
Code:
/**
 * Returns reference to a Dataface_Record object of the currently logged in
 * user's record.
 */
function &getLoggedInUser(){
   $null = null;
   if ( !$this->authEnabled ) return $null;
   if ( isset($this->delegate) and method_exists($this->delegate, 'getLoggedInUser') ){
      $user =& $this->delegate->getLoggedInUser();
      return $user;
   }
   if ( !$this->isLoggedIn() ) return $null;
   static $user = 0;
   if ( $user === 0 ){
      $user = df_get_record($this->usersTable, array($this->usernameColumn => '='.$_SESSION['UserName']));
      if ( !$user ){
         $user = new Dataface_Record($this->usersTable, array($this->usernameColumn => $_SESSION['UserName']));
      }
   }
   return $user;
}


Notice that all we did was change one line:
Code:
$user = df_get_record($this->usersTable, array($this->usernameColumn => '='.$_SESSION['UserName']));


-Steve
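A small model of the lookup, added here as an example and not Xataface's own code. find_record() is a hypothetical stand-in for df_get_record(): it treats a bare value as a pattern match (modelled as a prefix match, the behaviour observed in the thread; an assumption about how the filter is interpreted) and an '='-prefixed value as an exact match. prefix_collisions() lists the accounts a pattern match can confuse, the check studio67 describes running. The user rows are constructed from the names in the post.

```python
# Constructed user table with the four accounts from the post. The rows are
# deliberately not in alphabetical order: the database does not guarantee
# which matching row a LIMIT-1 style lookup returns first.
USERS = [
    {"UserName": "boba", "email": "boba@example.test"},
    {"UserName": "bobb", "email": "bobb@example.test"},
    {"UserName": "bob",  "email": "bob@example.test"},
    {"UserName": "bobc", "email": "bobc@example.test"},
]


def find_record(users, column, value):
    """Hypothetical stand-in for df_get_record().

    A value prefixed with '=' is an exact match on the column; a bare value is
    a pattern match, modelled here as a prefix match (assumption based on the
    behaviour reported in the thread). Returns the first matching row or None.
    """
    if value.startswith("="):
        matches = [u for u in users if u[column] == value[1:]]
    else:
        matches = [u for u in users if u[column].startswith(value)]
    return matches[0] if matches else None


def logged_in_user_before(users, session_username):
    # Original getLoggedInUser(): the session name is passed bare, so it is
    # a pattern match and can resolve to a different account.
    return find_record(users, "UserName", session_username)


def logged_in_user_after(users, session_username):
    # Fixed getLoggedInUser(): the '=' prefix forces equality on the column.
    return find_record(users, "UserName", "=" + session_username)


def prefix_collisions(users, column="UserName"):
    """Map each username that is a proper prefix of another username to the
    usernames it collides with; these are the accounts the unfixed lookup
    can resolve to the wrong row."""
    names = sorted(u[column] for u in users)
    result = {}
    for n in names:
        longer = [m for m in names if m != n and m.startswith(n)]
        if longer:
            result[n] = longer
    return result


if __name__ == "__main__":
    print("before:", logged_in_user_before(USERS, "bob")["UserName"])  # boba
    print("after: ", logged_in_user_after(USERS, "bob")["UserName"])   # bob
    print("collisions:", prefix_collisions(USERS))
```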

that did it, I believe

PostPosted: Thu Nov 15, 2007 7:33 pm
by studio67
There you go. I think that did the trick. I've only tested one user record so far, but everything worked like a charm.

Thanks very much for the help there.

:)