Easier session handling or more info about It

[nesjett]

Motivation

I'm strugling with class2 to understand how session handling works, how to properly login/logout to build an interface for an API that will use e107 user system.

Proposed Solution

Refactoring of session handling or a point in the right direction on how sessions work/dependencies so I can maybe implement It by myself and do a pull request.

Right now class2 is messy and definetly not well explained, many things happen behind the scenes in "misterious" classes that are loadded from everywhere

Example

Using common post for user login to any URL works well, but getting the code that is aparently being used to login

e107::getUser()->login($name, $password, $autologin)

Is not working as expected, as in case the password is wrong, you still get getUser()->isUser() as true, and getUser()->getData() returns still all data of the username provided, like if the session was properly inited..

This means that somehwere else, e107 is performing a cleanup if the userLookup was wrong, but I really can't find this behaviour...

Greetings,

• Nesjett

[nesjett]

My findings so far:
Calling (user_model.php login() )

getUser()->login() 

Is not really checking if the login is successfull or not, as It is actually calling

new userlogin()->login()

Which actually performs the real login attempt, but Ignore It's results. The code so you understand better:

In user_model.php you will find this:

final public function login($uname, $upass_plain, $uauto = false, $uchallange = false, $noredirect = true)
	{
		if($this->isUser()) return false;

		$userlogin = new userlogin();
		$userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
		
		$userdata  = $userlogin->getUserData(); 
		
		$this->setSessionData(true)->setData($userdata);
		
		e107::getEvent()->trigger('user_login', $userdata); 	

		return $this->isUser();
	}

Notice the $userlogin->login() line, where it executes the function but ignores It's results.

Conclusion

Despite this extrange behaviour, e107 login system seems to work properly when used from within the class2.php script, but not if you attempt using the getUser()->login() method "standalone"

[Moc]

@Deltik can you provide some insight in this?

[Deltik]

@nesjett: I am able to reproduce your issue with this test:

diff --git a/e107_tests/tests/unit/e_user_modelTest.php b/e107_tests/tests/unit/e_user_modelTest.php
index fba624ced..e613a4fcf 100644
--- a/e107_tests/tests/unit/e_user_modelTest.php
+++ b/e107_tests/tests/unit/e_user_modelTest.php
@@ -377,7 +377,15 @@
 
                }
 */
+               /**
+                * @see https://github.com/e107inc/e107/issues/4236
+                */
+               public function testUserLoginWrongCredentialsNotUser()
+               {
+                       $user = e107::getUser();
+                       $user->login("e107", "DefinitelyTheWrongPassword");
 
-
-
+                       $this->assertFalse($user->isUser());
+                       $this->assertEmpty($user->getData());
+               }
        }

It's hard to imagine that this is intended behavior because the result is counterintuitive. I will try to make this test pass.

[Deltik]

@Moc and @CaMer0n: Breaking change pull request ready for you to review: #4238