Currently GA login only allows giving the user full permissions concerning his key management or none. Normally, as site admin, you would give the user full permissions.

However, if the user can freely change his login key, this opens a security hole. If an attacker succeeds in accessing the user profile (social engineering or XSS), he can change the key and log in even if the user and the site admin feel safe. I think the permissions should have an additional option to allow the user to set a key only once.

I am thinking of something like this:

@@ -44,18 +51,22 @@ function ga_login_create_access($target_account, $account = NULL) {
*/
function ga_login_permission() {
return array(
+ 'create once own login code' => array(
+ 'title' => t('Create only once own login code'),
+ 'description' => t('Allows users to create only once own GA login code and deny further generations.'),
+ ),
'create own login code' => array(
'title' => t('Create own login code'),
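Review bot: The title and description added for 'create once own login code' do not tell the administrator how this permission relates to 'create own login code' directly below it. The access function in this same patch checks 'create own login code' first and returns TRUE, so a role granted both permissions is not limited to a single code. Suggest a title such as t('Create own login code once') and a description that states the limit only applies when the user does not also hold 'create own login code'.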

and the access function:

@@ -34,7 +27,21 @@ function ga_login_create_access($target_account, $account = NULL) {
$account = $user;
}
if ($account->uid == $target_account->uid) {
- return user_access('create own login code', $account) || user_access('create others login codes', $account);
+ $access = user_access('create own login code', $account) || user_access('create others login codes', $account);
+ if ($access) {
+ // user already has access
+ return TRUE;
+ }
+ if (user_access('create once own login code', $account)) {
+ // check if the user already has a code
+ module_load_include('php', 'ga_login', 'ga_login.class');
+ $ga = new ga_loginGA(10);
+ $username = _ga_login_username($account);
+ if (!$ga->hasToken($username)) {
+ return TRUE;
+ } else {
+ }
+ }
}
return user_access('create others login codes', $account);
}
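Review bot: The `else { }` after `if (!$ga->hasToken($username))` is empty, so the denial for a user who already has a code is only implicit. It happens by falling through to the final `return user_access('create others login codes', $account);`, a permission that was already evaluated as part of $access for the own-account case. Drop the empty else and make the deny path explicit with a return FALSE and a short comment, so a later change to the final return cannot silently re-open code regeneration. The literal 10 passed to `new ga_loginGA(10)` also needs a comment or a named constant explaining what it sets.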

Comments

Jelle_S

Status: Active » Fixed

Fixed in latest dev. Thanks for the patches!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.