Index: /branches/release-38/extras/examples/plugins/CommentByGoogleAccount/lib/CommentByGoogleAccount.pm
===================================================================
--- /branches/release-38/extras/examples/plugins/CommentByGoogleAccount/lib/CommentByGoogleAccount.pm (revision 2062)
+++ /branches/release-38/extras/examples/plugins/CommentByGoogleAccount/lib/CommentByGoogleAccount.pm (revision 2365)
@@ -39,10 +39,4 @@
         my $nick_escaped = escape_unicode($nick);
         $nick = encode_text($nick, 'utf-8', undef);
-        $session = $app->make_commenter_session($app->make_magic_token, $email,
-                                                 $name, $nick_escaped);
-        unless ($session) {
-            $app->error($app->errstr() || $app->translate("Couldn't save the session"));
-            return 0;
-        }
         $cmntr = $app->_make_commenter(
             email => $email,
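Review bot: `my $nick_escaped = escape_unicode($nick);` on the context line just above the deleted call appears to lose its only consumer once `make_commenter_session` stops taking the escaped nickname, so it is now dead unless something further down the function (which continues outside this hunk) still reads it. MT/Auth/TypeKey.pm and MT/Auth/OpenID.pm drop their equivalent `$enc` / `$nick_escaped` lines in this same revision; for consistency this plugin should delete `my $nick_escaped = escape_unicode($nick);` as well, keeping only the `encode_text` line that feeds `_make_commenter`.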
@@ -52,4 +46,10 @@
             auth_type => $auth_type,
         );
+
+        $session = $app->make_commenter_session($cmntr);
+        unless ($session) {
+            $app->error($app->errstr() || $app->translate("Couldn't save the session"));
+            return 0;
+        }
     } else {
         # If there's no signature, then we trust the cookie.
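Review bot: The new `$session = $app->make_commenter_session($cmntr);` is issued without confirming that `_make_commenter` returned an author; if `$cmntr` is undef, the rewritten `make_commenter_session` in MT/App.pm skips its `isa('MT::Author')` branch and then calls `$user->auth_type` on undef, which dies instead of reaching the `unless ($session)` error path below. Add `return 0 unless $cmntr;` between the `_make_commenter` call and the session call, matching the function's existing failure convention. The same unchecked pairing appears in the MT/Auth/TypeKey.pm hunk that moves `_make_commenter` ahead of `make_commenter_session`. The enclosing function starts and ends outside this hunk.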
Index: /branches/release-38/lib/MT/Auth/TypeKey.pm
===================================================================
--- /branches/release-38/lib/MT/Auth/TypeKey.pm (revision 2062)
+++ /branches/release-38/lib/MT/Auth/TypeKey.pm (revision 2365)
@@ -14,5 +14,5 @@
     my $class = shift;
     my ($app, $auth_type) = @_;
-    my $q = $app->{query};
+    my $q = $app->param;
 
     my $sig_str = $q->param('sig');
@@ -34,67 +34,40 @@
     my $cmntr;
     my $session;
-    if ($sig_str) {
-        if (!$class->_validate_signature($app, $sig_str, 
-                                       token => $blog->effective_remote_auth_token,
-                                       email => decode_url($email),
-                                       name => decode_url($name),
-                                       nick => decode_url($nick),
-                                       ts => $ts))
-        {
-            # Signature didn't match, or timestamp was out of date.
-            # This implies tampering, not a user mistake.
-            $app->error($app->translate("The sign-in validation failed."));
-            return 0;
-        }
-
-        if ($blog->require_typekey_emails && !is_valid_email($email)) {
-            $q->param('email', '');  # blank out email address since it's invalid
-            $app->error($app->translate("This weblog requires commenters to pass an email address. If you'd like to do so you may log in again, and give the authentication service permission to pass your email address."));
-            return 0;
-        }
-
-        my $url = $app->{cfg}->IdentityURL;
-        $url .= "/" unless $url =~ m|/$|;
-        $url .= $name;
-
-        # Signature was valid, so create a session, etc.
-        my $enc = $app->{cfg}->PublishCharset || '';
-        my $nick_escaped = escape_unicode($nick);
-        $nick = encode_text($nick, 'utf-8', undef);
-        $session = $app->make_commenter_session($sig_str, $email,
-                                                 $name, $nick_escaped, undef, $url);
-        unless ($session) {
-            $app->error($app->errstr() || $app->translate("Couldn't save the session"));
-            return 0;
-        }
-        $cmntr = $app->_make_commenter(
-            email => $email,
-            nickname => $nick,
-            name => $name,
-            url => $url,
-            auth_type => $auth_type,
-        );
-    } else {
-        # If there's no signature, then we trust the cookie.
-        my %cookies = $app->cookies();
-        my $cookie_name = MT::App::COMMENTER_COOKIE_NAME();
-        if ($cookies{$cookie_name}
-            && ($session = $cookies{$cookie_name}->value())) 
-        {
-            require MT::Session;
-            require MT::Author;
-            my $sess = MT::Session->load({id => $session})
-                or return 0;
-            $cmntr = MT::Author->load({name => $sess->name,
-                                       type => MT::Author::COMMENTER(),
-                                       auth_type => $auth_type})
-                or return 0;
-            if ($blog->require_typekey_emails
-                && !is_valid_email($cmntr->email))
-            {
-                $app->error($app->translate("This blog requires commenters to provide an email address"));
-                return 0;
-            }
-        }
+
+    if (!$class->_validate_signature($app, $sig_str, 
+                                   token => $blog->effective_remote_auth_token,
+                                   email => decode_url($email),
+                                   name => decode_url($name),
+                                   nick => decode_url($nick),
+                                   ts => $ts))
+    {
+        # Signature didn't match, or timestamp was out of date.
+        # This implies tampering, not a user mistake.
+        $app->error($app->translate("The sign-in validation failed."));
+        return 0;
+    }
+
+    if ($blog->require_typekey_emails && !is_valid_email($email)) {
+        $q->param('email', '');  # blank out email address since it's invalid
+        $app->error($app->translate("This weblog requires commenters to pass an email address. If you'd like to do so you may log in again, and give the authentication service permission to pass your email address."));
+        return 0;
+    }
+
+    my $url = $app->config('IdentityURL');
+    $url .= "/" unless $url =~ m|/$|;
+    $url .= $name;
+
+    # Signature was valid, so create a session, etc.
+    $cmntr = $app->_make_commenter(
+        email => $email,
+        nickname => $nick,
+        name => $name,
+        url => $url,
+        auth_type => $auth_type,
+    );
+    $session = $app->make_commenter_session($cmntr);
+    unless ($session) {
+        $app->error($app->errstr() || $app->translate("Couldn't save the session"));
+        return 0;
     }
     if ($q->param('sig') && !$cmntr) {
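Review bot: With the cookie-trusting `else` branch removed, a request carrying no `sig` parameter now goes straight into `_validate_signature` with an empty `$sig_str` and is reported as "The sign-in validation failed.", yet the comment retained at the top of that block still says this "implies tampering, not a user mistake", which no longer holds for a merely absent signature. If cookie-only sessions are now meant to be resolved by `_get_commenter_session` in MT/App/Comments.pm (as that file's changes suggest), make it explicit here with `return 0 unless $sig_str;` before the validation call and narrow the comment to the present-but-invalid case. Note too that the `require_typekey_emails` check the deleted branch applied to a cookie-loaded commenter has no visible replacement in this hunk, and that `$cmntr` is passed to `make_commenter_session` without a definedness guard (raised on the CommentByGoogleAccount hunk). The function continues after the hunk.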
@@ -112,6 +85,4 @@
     # the DSA sig parameter is composed of the two pieces of the
     # real DSA sig, packed in Base64, separated by a colon.
-
-#    my ($r, $s) = split /:/, decode_url($sig_str);
     my ($r, $s) = split /:/, $sig_str;
     $r =~ s/ /+/g;
@@ -130,5 +101,5 @@
     require MT::Util; import MT::Util ('dsa_verify');
     my $msg;
-    if ($app->{cfg}->TypeKeyVersion eq '1.1') {
+    if ($app->config('TypeKeyVersion') eq '1.1') {
         $msg = ($params{email} . "::" . $params{name} . "::" .
                 $params{nick} . "::" . $params{ts} . "::" . $params{token});
@@ -150,8 +121,8 @@
     if ( ! $dsa_key ) {
         # Load the override key
-        $dsa_key = $app->{cfg}->get('SignOnPublicKey');
+        $dsa_key = $app->config->get('SignOnPublicKey');
     }
     # Load the DSA key from the RegKeyURL
-    my $key_location = $app->{cfg}->RegKeyURL;
+    my $key_location = $app->config('RegKeyURL');
     if (!$dsa_key && $key_location) {
         my $ua = $app->new_ua;
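Review bot: Two accessor styles land a few lines apart in this hunk: `$dsa_key = $app->config->get('SignOnPublicKey');` versus `my $key_location = $app->config('RegKeyURL');`, while the earlier hunk uses `$app->config('TypeKeyVersion')`. Unless `->get` is needed for a reason the diff does not show, `$dsa_key = $app->config('SignOnPublicKey');` keeps the migration away from `$app->{cfg}` uniform across the file.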
Index: /branches/release-38/lib/MT/Auth/OpenID.pm
===================================================================
--- /branches/release-38/lib/MT/Auth/OpenID.pm (revision 2062)
+++ /branches/release-38/lib/MT/Auth/OpenID.pm (revision 2365)
@@ -114,9 +114,5 @@
 
         # Signature was valid, so create a session, etc.
-        my $enc = $app->{cfg}->PublishCharset || '';
-        my $nick_escaped = escape_unicode($nick);
-        $nick = encode_text($nick, 'utf-8', undef);
-        $session = $app->make_commenter_session($app->make_magic_token, q(),
-                                                 $name, $nick_escaped, undef, $name);
+        $session = $app->make_commenter_session($cmntr);
         unless ($session) {
             $app->error($app->errstr() || $app->translate("Couldn't save the session"));
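Review bot: The replacement `$session = $app->make_commenter_session($cmntr);` depends on `$cmntr` already holding the author, but nothing in this hunk shows that assignment; the removed call did not use `$cmntr`, so if `_make_commenter` still runs after this point (as it did in the TypeKey flow before this revision) the session is built from undef and `make_commenter_session` dies on `$user->auth_type`. Please confirm the assignment precedes this line and add `return 0 unless $cmntr;` ahead of the call, as the other callers should. The enclosing function lies mostly outside the hunk.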
Index: /branches/release-38/lib/MT/App.pm
===================================================================
--- /branches/release-38/lib/MT/App.pm (revision 2322)
+++ /branches/release-38/lib/MT/App.pm (revision 2365)
@@ -12,5 +12,6 @@
 use File::Spec;
 use MT::Request;
-use MT::Util qw( encode_html offset_time_list decode_html encode_url is_valid_email is_url );
+use MT::Util qw( encode_html offset_time_list decode_html encode_url
+    is_valid_email is_url escape_unicode );
 use MT::I18N qw( encode_text wrap_text );
 
@@ -1017,5 +1018,30 @@
 sub make_commenter_session {
     my $app = shift;
-    my ($session_key, $email, $name, $nick, $id, $url, $timeout, $blog_id) = @_;
+    my ($session_key, $email, $name, $nick, $id, $url) = @_;
+    my $user;
+
+    # support for old signature; new signature is $session_key, $user_obj
+    if ( ref($session_key) && $session_key->isa('MT::Author') ) {
+        $user = $session_key;
+        $session_key = $app->make_magic_token;
+        $email = $user->email;
+        $name = $user->name;
+        $nick = $user->nickname || $app->translate('(Display Name not set)');
+        $id = $user->id;
+        $url = $user->url;
+    }
+    # test
+    $session_key = $app->param('sig') if $user->auth_type eq 'TypeKey';
+
+    require MT::Session;
+    my $sess_obj = MT::Session->new();
+    $sess_obj->id($session_key);
+    $sess_obj->email($email);
+    $sess_obj->name($name);
+    $sess_obj->start(time);
+    $sess_obj->kind("SI");
+    $sess_obj->set('author_id', $user->id) if $user;
+    $sess_obj->save()
+        or return $app->error($app->translate("The login could not be confirmed because of a database error ([_1])", $sess_obj->errstr));
 
     my $enc = $app->charset;
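Review bot: `$session_key = $app->param('sig') if $user->auth_type eq 'TypeKey';` runs unconditionally, but `$user` is only assigned inside the `isa('MT::Author')` branch, so the "support for old signature" path the comment promises dies with a method call on undef (the `$user->auth_type eq 'MT'` test in the next hunk has the same flaw); guard both as `if ( $user && $user->auth_type eq 'TypeKey' )` and `if ( $user && $user->auth_type eq 'MT' )`. The legacy path also discards its `$id` argument because `$sess_obj->set('author_id', $user->id) if $user;` only fires for the object form, while the rewritten `_get_commenter_session` in MT/App/Comments.pm now rejects any session without `author_id`, so a legacy caller would mint a session that is immediately treated as invalid; `$sess_obj->set('author_id', $id) if defined $id;` covers both forms. The `# test` comment reads as a leftover — replace it with a sentence stating why TypeKey sessions are keyed by the signature rather than a magic token, and consider having the TypeKey caller pass its already-validated `$sig_str` instead of this generic method re-reading the raw request parameter.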
@@ -1023,5 +1049,11 @@
     my $nick_escaped = MT::Util::escape_unicode( $nick );
 
-    $timeout = '+' . $app->config->CommentSessionTimeout . 's' unless defined $timeout;
+    my $timeout;
+    if ( $user->auth_type eq 'MT' ) {
+        $timeout = '+' . $app->config->UserSessionTimeout . 's';
+    } else {
+        $timeout = '+' . $app->config->CommentSessionTimeout . 's';
+    }
+
     my %kookee = (-name => COMMENTER_COOKIE_NAME(),
                   -value => $session_key,
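Review bot: `$timeout` is no longer accepted by the signature, so the call sites that used to pass `$ctx->{permanent} ? '+10y' : 0` (the `make_commenter_session($author)` hunk later in this file and the `make_commenter_session( $commenter )` hunk in MT/App/Comments.pm) lose the permanent-login expiry with no replacement visible in the diff; unless that option is handled elsewhere, keep an optional override, e.g. `my ($session_key, $email, $name, $nick, $id, $url, $timeout) = @_;` and compute the default only `unless defined $timeout`. The new branch also bakes the cookie with `UserSessionTimeout` for `auth_type eq 'MT'`, while the server-side check in `_get_commenter_session` still compares `start()` against `CommentSessionTimeout`, so a native user's cookie can outlive the session it names. The undef-`$user` guard for `$user->auth_type` is raised on the previous hunk.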
@@ -1034,36 +1066,5 @@
                        ($timeout ? (-expires => $timeout) : ()));
     $app->bake_cookie(%name_kookee);
-    if (defined $id) {
-        my $banned = 0;
-        my $perm = MT::Permission->load({ blog_id => $blog_id, author_id => $id });
-        if ($perm) {
-            if (!$perm->can_administer_blog && $perm->is_restricted('comment')) {
-                $banned = 1;
-            }
-        }
-
-        # my %id_kookee = (-name => "commenter_id",
-        #                    -value => $id . ':' . $blog_ids,
-        #                    -path => '/',
-        #                    ($timeout ? (-expires => $timeout) : ()));
-        # $app->bake_cookie(%id_kookee);
-    }
-    # if (defined($url) && $url) {
-    #     my %id_kookee = (-name => "commenter_url",
-    #                        -value => $url,
-    #                        -path => '/',
-    #                        ($timeout ? (-expires => $timeout) : ()));
-    #     $app->bake_cookie(%id_kookee);
-    # }
-
-    require MT::Session;
-    my $sess_obj = MT::Session->new();
-    $sess_obj->id($session_key);
-    $sess_obj->email($email);
-    $sess_obj->name($name);
-    $sess_obj->start(time);
-    $sess_obj->kind("SI");
-    $sess_obj->save()
-        or return $app->error($app->translate("The login could not be confirmed because of a database error ([_1])", $sess_obj->errstr));
+
     return $session_key;
 }
@@ -1084,26 +1085,14 @@
 
     # need to clear commenter_name for writeCommenterGreeting
-    my $timeout = $app->config->CommentSessionTimeout;
     my %name_kookee = (-name => 'commenter_name',
                        -value => '',
                        -path => '/',
-                       -expires => "+${timeout}s");
+                       -expires => "Thu, 01-Jan-70 00:00:01 GMT");
     $app->bake_cookie(%name_kookee);
-
-    # my %kookee = (-name => COMMENTER_COOKIE_NAME(),
-    #               -value => '',
-    #               -path => '/',
-    #               -expires => "+${timeout}s");
-    # $app->bake_cookie(%kookee);
-    # my %url_kookee = (-name => 'commenter_url',
-    #                    -value => '',
-    #                    -path => '/',
-    #                    -expires => "+${timeout}s");
-    # $app->bake_cookie(%url_kookee);
-    # my %id_kookee = (-name => 'commenter_id',
-    #                    -value => '',
-    #                    -path => '/',
-    #                    -expires => "+${timeout}s");
-    # $app->bake_cookie(%id_kookee);
+    my %kookee = (-name => COMMENTER_COOKIE_NAME(),
+                  -value => '',
+                  -path => '/',
+                  -expires => "Thu, 01-Jan-70 00:00:01 GMT");
+    $app->bake_cookie(%kookee);
 }
 
@@ -1449,13 +1438,5 @@
                 # Presence of 'password' indicates this is a login request;
                 # do session/cookie management.
-                $app->make_commenter_session(
-                    $app->make_magic_token, 
-                    $author->email, 
-                    $author->name, 
-                    ($author->nickname || $app->translate('(Display Name not set)')), 
-                    $author->id, 
-                    undef, 
-                    $ctx->{permanent} ? '+10y' : 0
-                );
+                $app->make_commenter_session($author);
 
                 if ($commenter_blog_id) {
Index: /branches/release-38/lib/MT/App/Comments.pm
===================================================================
--- /branches/release-38/lib/MT/App/Comments.pm (revision 2350)
+++ /branches/release-38/lib/MT/App/Comments.pm (revision 2365)
@@ -130,24 +130,22 @@
     my $cfg = $app->config;
     require MT::Session;
-    my $sess_obj = MT::Session->load( { id => $session_key } );
+    my $sess_obj = MT::Session->load( { id => $session_key, kind => 'SI' } );
     my $timeout = $cfg->CommentSessionTimeout;
-    my $user;
-    
-    if ( $sess_obj
-        && ( $user = MT::Author->load( { name => $sess_obj->name } ) ) )
-    {
-        return ( $session_key, $user ) if $user->type eq MT::Author::AUTHOR();
-    }
+    my $user_id = $sess_obj->get('author_id') if $sess_obj;
+    my $user = MT::Author->load( $user_id ) if $user_id;
+
     if (   !$sess_obj
         || ( $sess_obj->start() + $timeout < time )
+        || ( !$user_id )
+        || ( !$user )
       )
     {
+        $app->log("session is invalid; sess_obj = $sess_obj; key = $session_key; user_id = $user_id; user = $user");
         $app->_invalidate_commenter_session( \%cookies );
         return ( undef, undef );
     }
-    else {
-        # session is valid!
-        return ( $session_key, $user );
-    }
+
+    # session is valid!
+    return ( $session_key, $user );
 }
 
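Review bot: `my $user_id = $sess_obj->get('author_id') if $sess_obj;` and `my $user = MT::Author->load( $user_id ) if $user_id;` declare lexicals under a statement modifier, which perlsyn documents as undefined behaviour; write them as `my $user_id = $sess_obj ? $sess_obj->get('author_id') : undef;` and `my $user = $user_id ? MT::Author->load( $user_id ) : undef;`. The added `$app->log(...)` line writes the cookie's session key into the activity log alongside stringified object refs and possibly-undef values (with warnings), so the bearer token ends up somewhere it can be read back later; drop `key = $session_key` from the message, or remove the line if it was only for debugging. Separately, deleting the early return for `AUTHOR`-type users means native users' sessions now expire here by `CommentSessionTimeout` while MT/App.pm bakes their cookie with `UserSessionTimeout`, so the two lifetimes disagree.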
@@ -298,8 +296,5 @@
         MT::Auth->new_login( $app, $commenter );
         if ( $app->_check_commenter_author( $commenter, $blog_id ) ) {
-            $app->make_commenter_session( $app->make_magic_token,
-                $commenter->email, $commenter->name,
-                ($commenter->nickname || $app->translate('(Display Name not set)')),
-                $commenter->id, undef, $ctx->{permanent} ? '+10y' : 0, $blog_id );
+            $app->make_commenter_session( $commenter );
             return $app->redirect_to_target;
         }
@@ -706,4 +701,11 @@
         return 0;    # Put a collar on that puppy.
     }
+
+    return 1 unless $cfg->ShowIPInformation;
+
+    # If IP banning is enabled, check for lots of comments from
+    # the user's IP within the throttle period * 10; if they
+    # exceed 8 comments within that period, ban the IP.
+
     @ts = MT::Util::offset_time_list( time - $throttle_period * 10 - 1,
         $entry->blog_id );
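Review bot: The new guard `return 1 unless $cfg->ShowIPInformation;` gates the comment throttle on a display setting, while the comment that follows says "If IP banning is enabled", so the text and the test name different things. Either the comment should state why showing IP information is the precondition (presumably addresses are not recorded otherwise — confirm), or the guard should test the setting that actually controls banning. Both the function header and the code around `$throttle_period` lie outside the hunk, so I can only flag the mismatch.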
@@ -1108,5 +1110,5 @@
     my $session_key = $cookies{$cookie_name}->value() || "";
     $session_key =~ y/+/ /;
-    my $sessobj = MT::Session->load($session_key);
+    my $sessobj = MT::Session->load({ id => $session_key, kind => 'SI' });
     return
       if
@@ -1344,5 +1346,5 @@
     );
     foreach (@old_sessions) {
-        $_->remove() || die "couldn't remove sessions because " . $_->errstr();
+        $_->remove();
     }
 }
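Review bot: `$_->remove();` now discards the return value where the old line died with `$_->errstr()`, so a failed session cleanup becomes invisible. If dying was too severe for this loop, keep the failure visible as best effort: `$_->remove() or warn "couldn't remove session: " . $_->errstr();`, or route it through the app log if `$app` is in scope (the function header is outside the hunk).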
@@ -1439,4 +1441,5 @@
     if ( $blog_id && $blog ) {
         my ( $session, $commenter ) = $app->_get_commenter_session();
+use Data::Dumper;
         if ( $session && $commenter ) {
             my $blog_perms = $commenter->blog_perm($blog_id);
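Review bot: `use Data::Dumper;` has been left in the middle of the function at column 0 with no `Dumper` call anywhere in the diff; being compile-time it loads the module for every request and reads as debugging residue, so remove the line. The `# test` comment in MT/App.pm's `make_commenter_session` hunk and the `$app->log("session is invalid ...")` line in `_get_commenter_session` look like leftovers from the same debugging session.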
@@ -1445,10 +1448,10 @@
             $banned ||= 1 if $commenter->status == MT::Author::BANNED();
 
-            my $sessobj = MT::Session->load($session);
+            my $sessobj = MT::Session->load({ id => $session, kind => 'SI' });
             if ($banned) {
                 $sessobj->remove;
             } else {
                 $sessobj->start( time +
-                    $app->config->CommentSessionTimeout); # extend by timeou
+                    $app->config->CommentSessionTimeout); # extend by timeout
                 $sessobj->save();
             }
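Review bot: `$sessobj` from the re-keyed `MT::Session->load({ id => $session, kind => 'SI' })` is used unchecked on the following lines (`->remove`, `->start`, `->save`), so a session that disappears between `_get_commenter_session` and this point dies rather than being skipped; wrap the remove/extend block in `if ($sessobj) { ... }`, or better, have `_get_commenter_session` return the `MT::Session` object it already loaded with the same key and kind so this second load goes away. The `# extend by timeout` typo fix is fine. The enclosing block starts outside the hunk.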
@@ -1821,8 +1824,5 @@
     }
     if ($renew_session) {
-        $app->make_commenter_session( $app->make_magic_token, $cmntr->email,
-            $cmntr->name,
-            ($cmntr->nickname || $app->translate('(Display Name not set)')),
-            $cmntr->id );
+        $app->make_commenter_session( $cmntr );
     }
 
Index: /branches/release-38/lib/MT/Comment.pm
===================================================================
--- /branches/release-38/lib/MT/Comment.pm (revision 2057)
+++ /branches/release-38/lib/MT/Comment.pm (revision 2365)
@@ -33,5 +33,4 @@
     },
     indexes => {
-        ip => 1,
         created_on => 1,
         entry_visible => {
@@ -42,4 +41,8 @@
         parent_id => 1,
         last_moved_on => 1, # used for junk expiration
+        # For comment throttle check
+        blog_ip_date => {
+            columns => [ 'blog_id', 'ip', 'created_on' ],
+        },
         # For URL lookups to aid spam filtering
         blog_url => {
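Review bot: The new composite index `blog_ip_date` leads with `blog_id`, so it serves the `blog_id, ip, created_on` throttle lookup but not a query that filters on `ip` alone, and the previous hunk removes the standalone `ip => 1` index, so any such lookup elsewhere in the codebase now loses index coverage; worth checking callers before the single-column index goes. Changing `indexes` on a released branch usually also needs whatever schema-version bump or upgrade step MT uses to create the index on existing installs — nothing in this diff shows one, so please confirm that is handled outside these files.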
