#17691: Possible to create invalid admin account with Turkish collation
--HG-- branch : 1.x
This commit is contained in:
parent
a4248217cd
commit
0073fbd1a9
@ -1,4 +1,6 @@
|
||||
using System;
|
||||
using System.Globalization;
|
||||
using System.Threading;
|
||||
using System.Xml.Linq;
|
||||
using Autofac;
|
||||
using Moq;
|
||||
@ -39,6 +41,7 @@ namespace Orchard.Tests.Modules.Users.Services {
|
||||
private ISessionFactory _sessionFactory;
|
||||
private ISession _session;
|
||||
private IContainer _container;
|
||||
private CultureInfo _currentCulture;
|
||||
|
||||
|
||||
public class TestSessionLocator : ISessionLocator {
|
||||
@ -55,6 +58,7 @@ namespace Orchard.Tests.Modules.Users.Services {
|
||||
|
||||
[TestFixtureSetUp]
|
||||
public void InitFixture() {
|
||||
_currentCulture = Thread.CurrentThread.CurrentCulture;
|
||||
var databaseFileName = System.IO.Path.GetTempFileName();
|
||||
_sessionFactory = DataUtility.CreateSessionFactory(
|
||||
databaseFileName,
|
||||
@ -66,7 +70,7 @@ namespace Orchard.Tests.Modules.Users.Services {
|
||||
|
||||
[TestFixtureTearDown]
|
||||
public void TermFixture() {
|
||||
|
||||
Thread.CurrentThread.CurrentCulture = _currentCulture;
|
||||
}
|
||||
|
||||
[SetUp]
|
||||
@ -122,5 +126,18 @@ namespace Orchard.Tests.Modules.Users.Services {
|
||||
Assert.That(username, Is.EqualTo("foo"));
|
||||
Assert.That(validateByUtc, Is.GreaterThan(_clock.UtcNow));
|
||||
}
|
||||
|
||||
[Test]
|
||||
public void VerifyUserUnicityTurkishTest() {
|
||||
CultureInfo turkishCulture = new CultureInfo("tr-TR");
|
||||
Thread.CurrentThread.CurrentCulture = turkishCulture;
|
||||
|
||||
// Create user lower case
|
||||
_membershipService.CreateUser(new CreateUserParams("admin", "66554321", "foo@bar.com", "", "", true));
|
||||
_container.Resolve<IOrchardServices>().ContentManager.Flush();
|
||||
|
||||
// Verify unicity with upper case which with turkish coallition would yeld admin with an i without the dot and therefore generate a different user name
|
||||
Assert.That(_userService.VerifyUserUnicity("ADMIN", "differentfoo@bar.com"), Is.False);
|
||||
}
|
||||
}
|
||||
}
|
||||
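Review bot: VerifyUserUnicityTurkishTest switches Thread.CurrentThread.CurrentCulture to tr-TR and relies on TermFixture to put it back, so if the assertion fails or NUnit runs another test of this fixture afterwards, that test silently executes under the Turkish culture. Restoring per test is cheap: `[TearDown] public void Term() { Thread.CurrentThread.CurrentCulture = _currentCulture; }`, or wrap the test body in try/finally. The comment above the assertion is hard to read ("coallition would yeld"); something like `// Under Turkish casing "ADMIN".ToLower() gives "admın" (dotless ı), which would look like a different user; unicity must still fail.` states the bug being guarded against. The fixture's [SetUp] body lies outside the hunk.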
|
@ -48,7 +48,7 @@ namespace Orchard.Roles.Services {
|
||||
for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter) {
|
||||
if (!context.Granted && context.User != null) {
|
||||
if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) &&
|
||||
String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.OrdinalIgnoreCase)) {
|
||||
String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) {
|
||||
context.Granted = true;
|
||||
}
|
||||
}
|
||||
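Review bot: The switch to StringComparison.Ordinal makes the super-user check case-sensitive, so a SiteSettings.SuperUser value whose casing differs from the account's UserName now silently loses super-user rights; that fails closed, which is the right direction, but the reason deserves a comment next to the comparison, e.g. `// Ordinal on purpose: with culture-specific casing "ADMIN" can be a distinct account from "admin" yet match it under OrdinalIgnoreCase.` Whatever writes SiteSettings.SuperUser (outside this hunk) has to store the account's exact UserName for the check to keep working. `_workContextAccessor.GetContext().CurrentSite.SuperUser` is also evaluated twice per loop iteration; hoisting it into a local before the loop would tidy this. The enclosing method begins and ends outside the hunk.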
|
@ -241,11 +241,11 @@ namespace Orchard.Users.Controllers {
|
||||
}
|
||||
else {
|
||||
// also update the Super user if this is the renamed account
|
||||
if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, previousName, StringComparison.OrdinalIgnoreCase)) {
|
||||
if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, previousName, StringComparison.Ordinal)) {
|
||||
_siteService.GetSiteSettings().As<SiteSettingsPart>().SuperUser = editModel.UserName;
|
||||
}
|
||||
|
||||
user.NormalizedUserName = editModel.UserName.ToLower();
|
||||
user.NormalizedUserName = editModel.UserName.ToLowerInvariant();
|
||||
}
|
||||
}
|
||||
|
||||
@ -272,10 +272,10 @@ namespace Orchard.Users.Controllers {
|
||||
var user = Services.ContentManager.Get<IUser>(id);
|
||||
|
||||
if (user != null) {
|
||||
if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, user.UserName, StringComparison.OrdinalIgnoreCase)) {
|
||||
if (String.Equals(Services.WorkContext.CurrentSite.SuperUser, user.UserName, StringComparison.Ordinal)) {
|
||||
Services.Notifier.Error(T("The Super user can't be removed. Please disable this account or specify another Super user account"));
|
||||
}
|
||||
else if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.OrdinalIgnoreCase)) {
|
||||
else if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.Ordinal)) {
|
||||
Services.Notifier.Error(T("You can't remove your own account. Please log in with another account"));
|
||||
}
|
||||
else{
|
||||
@ -323,7 +323,7 @@ namespace Orchard.Users.Controllers {
|
||||
var user = Services.ContentManager.Get<IUser>(id);
|
||||
|
||||
if (user != null) {
|
||||
if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.OrdinalIgnoreCase)) {
|
||||
if (String.Equals(Services.WorkContext.CurrentUser.UserName, user.UserName, StringComparison.Ordinal)) {
|
||||
Services.Notifier.Error(T("You can't disable your own account. Please log in with another account"));
|
||||
}
|
||||
else {
|
||||
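Review bot: Normalization is now spelled as `editModel.UserName.ToLowerInvariant()` here and again in MembershipService.CreateUser, GetUser and ValidateUser, and in UserService.VerifyUserUnicity (both overloads) and SendLostPasswordEmail; a single helper such as `public static string NormalizeUserName(string name) => (name ?? "").ToLowerInvariant();` called from every site would stop a future call site from reintroducing a culture-sensitive ToLower(), which is exactly what this issue was about. The Ordinal comparison against previousName means a SuperUser setting whose casing differs from the stored UserName is not updated on rename; presumably that is accepted given the matching change in the authorizer. The Edit, Delete and Disable action bodies begin and end outside these hunks.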
|
@ -49,7 +49,7 @@ namespace Orchard.Users.Services {
|
||||
|
||||
user.Record.UserName = createUserParams.Username;
|
||||
user.Record.Email = createUserParams.Email;
|
||||
user.Record.NormalizedUserName = createUserParams.Username.ToLower();
|
||||
user.Record.NormalizedUserName = createUserParams.Username.ToLowerInvariant();
|
||||
user.Record.HashAlgorithm = "SHA1";
|
||||
SetPassword(user.Record, createUserParams.Password);
|
||||
|
||||
@ -97,13 +97,13 @@ namespace Orchard.Users.Services {
|
||||
}
|
||||
|
||||
public IUser GetUser(string username) {
|
||||
var lowerName = username == null ? "" : username.ToLower();
|
||||
var lowerName = username == null ? "" : username.ToLowerInvariant();
|
||||
|
||||
return _orchardServices.ContentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName).List().FirstOrDefault();
|
||||
}
|
||||
|
||||
public IUser ValidateUser(string userNameOrEmail, string password) {
|
||||
var lowerName = userNameOrEmail == null ? "" : userNameOrEmail.ToLower();
|
||||
var lowerName = userNameOrEmail == null ? "" : userNameOrEmail.ToLowerInvariant();
|
||||
|
||||
var user = _orchardServices.ContentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName).List().FirstOrDefault();
|
||||
|
||||
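Review bot: Existing UserPartRecord rows already hold a NormalizedUserName computed with the culture-sensitive ToLower(), so after this change GetUser and ValidateUser look up `ToLowerInvariant()` values that may never match (an account created under tr-TR from "ADMIN" would have been stored as "admın"); those users can no longer log in, and VerifyUserUnicity will not see them either. A data migration that recomputes NormalizedUserName with ToLowerInvariant for every record and reports any collisions it produces seems needed alongside this commit; I do not see one on this page. A one-line comment on the assignment, `// Invariant casing: NormalizedUserName is the lookup key and must not depend on the thread culture.`, would record the intent. CreateUser's body begins and ends outside the hunk.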
|
@ -37,7 +37,7 @@ namespace Orchard.Users.Services {
|
||||
public ILogger Logger { get; set; }
|
||||
|
||||
public bool VerifyUserUnicity(string userName, string email) {
|
||||
string normalizedUserName = userName.ToLower();
|
||||
string normalizedUserName = userName.ToLowerInvariant();
|
||||
|
||||
if (_contentManager.Query<UserPart, UserPartRecord>()
|
||||
.Where(user =>
|
||||
@ -51,7 +51,7 @@ namespace Orchard.Users.Services {
|
||||
}
|
||||
|
||||
public bool VerifyUserUnicity(int id, string userName, string email) {
|
||||
string normalizedUserName = userName.ToLower();
|
||||
string normalizedUserName = userName.ToLowerInvariant();
|
||||
|
||||
if (_contentManager.Query<UserPart, UserPartRecord>()
|
||||
.Where(user =>
|
||||
@ -115,7 +115,7 @@ namespace Orchard.Users.Services {
|
||||
}
|
||||
|
||||
public bool SendLostPasswordEmail(string usernameOrEmail, Func<string, string> createUrl) {
|
||||
var lowerName = usernameOrEmail.ToLower();
|
||||
var lowerName = usernameOrEmail.ToLowerInvariant();
|
||||
var user = _contentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName || u.Email == lowerName).List().FirstOrDefault();
|
||||
|
||||
if (user != null) {
|
||||
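Review bot: SendLostPasswordEmail now lowercases the input invariantly but still compares it with `u.Email` as stored, and CreateUser (in the MembershipService hunk above) stores `createUserParams.Email` verbatim, so a mixed-case address only matches if the database collation happens to be case-insensitive — the same collation dependence this commit removes elsewhere. Either persist a normalized email on the record or normalize both sides of that comparison; the query and the result handling continue past the hunk. Both VerifyUserUnicity overloads dereference userName on the changed line without a guard, so a null userName surfaces as NullReferenceException; `if (userName == null) throw new ArgumentNullException("userName");` at the top of each would make the contract explicit.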
|