Merge branch 'release/2.4.3'

getgrav · Oct 11, 2017 · 1894028 · 1894028
2 parents 244cfd2 + af3c7f8
commit 1894028
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v2.4.3
+## 10/11/2017
+
+1. [](#bugfix)
+ * Fix an issue when a user only has `groups` and no `access` defined [#134](https://github.com/getgrav/grav-plugin-login/issues/134)
+ * Escape untrusted URLs in the template files
+
 # v2.4.2
 ## 09/29/2017
 

diff --git a/blueprints.yaml b/blueprints.yaml
@@ -1,5 +1,5 @@
 name: Login
-version: 2.4.2
+version: 2.4.3
 description: Enables user authentication and login screen.
 icon: sign-in
 author:
@@ -13,7 +13,7 @@ bugs: https://github.com/getgrav/grav-plugin-login/issues
 license: MIT
 
 dependencies:
- - { name: grav, version: '>=1.3.3' }
+ - { name: grav, version: '>=1.3.5' }
  - { name: form, version: '>=2.4.0' }
  - { name: email, version: '~2.0' }
 

diff --git a/login.php b/login.php
@@ -491,7 +491,7 @@ public function authorizePage()
  {
  /** @var User $user */
  $user = $this->grav['user'];
- if (!$user->get('access')) {
+ if (!($user->get('access') || $user->get('groups'))) {
  $user = User::load($user->get('username'));
  }
 

diff --git a/templates/partials/forgot-form.html.twig b/templates/partials/forgot-form.html.twig
@@ -3,7 +3,7 @@
 
  {% include 'partials/messages.html.twig' %}
 
- <form method="post" action="{{ base_url_relative ~ uri.path }}">
+ <form method="post" action="{{ (base_url_relative ~ uri.path)|e }}">
  {% for field in form.fields %}
  {% if field.type %}
  <div>

diff --git a/templates/partials/login-form.html.twig b/templates/partials/login-form.html.twig
@@ -6,12 +6,12 @@
  {% if grav.user.authenticated %}
  <h4>{{ 'PLUGIN_LOGIN.WELCOME'|t }} <strong>{{ grav.user.fullname ?: grav.user.username }}</strong></h4>
  <hr>
- <a class="button logout" href="{{ uri.addNonce(base_url_relative ~ uri.path ~ '/task' ~ config.system.param_sep ~ 'login.logout', 'logout-form', 'logout-nonce') }}">{{ 'PLUGIN_LOGIN.BTN_LOGOUT'|t }}</a>
+ <a class="button logout" href="{{ uri.addNonce(base_url_relative ~ uri.path ~ '/task' ~ config.system.param_sep ~ 'login.logout', 'logout-form', 'logout-nonce')|e }}">{{ 'PLUGIN_LOGIN.BTN_LOGOUT'|t }}</a>
 
  {% else %}
  {{ content|raw }}
 
- <form method="post" action="{{ base_url_relative ~ uri.path }}">
+ <form method="post" action="{{ (base_url_relative ~ uri.path)|e }}">
  {% if grav.twig.plugins_hooked_loginPage %}
  {% for label in grav.twig.plugins_hooked_loginPage %}
  {% include label %}

diff --git a/templates/partials/login-status.html.twig b/templates/partials/login-status.html.twig
@@ -1,5 +1,5 @@
 <span class="login-status">
  {% if grav.user.authenticated %}
- {{ 'PLUGIN_LOGIN.WELCOME'|t }} <strong>{{ grav.user.fullname ?: grav.user.username }}</strong>, <a class="logout" href="{{ uri.addNonce((base_url_relative ~ uri.path)|trim('/') ~ '/task' ~ config.system.param_sep ~ 'login.logout', 'logout-form', 'logout-nonce') }}">{{ 'PLUGIN_LOGIN.BTN_LOGOUT'|t }}</a>
+ {{ 'PLUGIN_LOGIN.WELCOME'|t }} <strong>{{ grav.user.fullname ?: grav.user.username }}</strong>, <a class="logout" href="{{ uri.addNonce((base_url_relative ~ uri.path)|trim('/') ~ '/task' ~ config.system.param_sep ~ 'login.logout', 'logout-form', 'logout-nonce')|e }}">{{ 'PLUGIN_LOGIN.BTN_LOGOUT'|t }}</a>
  {% endif %}
 </span>
diff --git a/templates/partials/reset-form.html.twig b/templates/partials/reset-form.html.twig
@@ -4,7 +4,7 @@
 
  {% include 'partials/messages.html.twig' %}
 
- <form method="post" action="{{ base_url_relative ~ uri.path }}">
+ <form method="post" action="{{ (base_url_relative ~ uri.path)|e }}">
  {% for field in form.fields %}
  {% set value = attribute(grav.twig.twig_vars, field.name) is defined ? attribute(grav.twig.twig_vars, field.name) : null %}