X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2FLoginPage.java;h=d25eacfb43bc0036aa4a8ae7c6fe9070a980b55f;hp=91b6b1b7139383ce20c1d44d61e68b8e19a65406;hb=dc10b875c132eb7840a6b9827ec93916076d34f7;hpb=9136e3e03b6881b32aada896be3241e46cbd33d9

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index 91b6b1b7..d25eacfb 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -20,6 +20,7 @@ import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.util.AuthorizationContext;
 import org.cacert.gigi.util.PasswordHash;
 
 public class LoginPage extends Page {
@@ -114,7 +115,15 @@ public class LoginPage extends Page {
     }
 
     public static User getUser(HttpServletRequest req) {
-        return (User) req.getSession().getAttribute(USER);
+        AuthorizationContext ac = getAuthorizationContext(req);
+        if (ac == null) {
+            return null;
+        }
+        return ac.getActor();
+    }
+
+    public static AuthorizationContext getAuthorizationContext(HttpServletRequest req) {
+        return ((AuthorizationContext) req.getSession().getAttribute(AUTH_CONTEXT));
     }
 
     private void tryAuthWithCertificate(HttpServletRequest req, X509Certificate x509Certificate) {
@@ -134,12 +143,17 @@ public class LoginPage extends Page {
     }
 
     public static User fetchUserBySerial(String serial) {
+        if ( !serial.matches("[A-Fa-f0-9]+")) {
+            throw new Error("serial malformed.");
+        }
         GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
-        ps.setString(1, serial);
+        ps.setString(1, serial.toLowerCase());
         GigiResultSet rs = ps.executeQuery();
         User user = null;
         if (rs.next()) {
             user = User.getById(rs.getInt(1));
+        } else {
+            System.out.println("User with serial " + serial + " not found.");
         }
         rs.close();
         return user;
@@ -164,7 +178,7 @@ public class LoginPage extends Page {
         HttpSession hs = req.getSession();
         hs.setAttribute(LOGGEDIN, true);
         hs.setAttribute(Language.SESSION_ATTRIB_NAME, user.getPreferredLocale());
-        hs.setAttribute(USER, user);
+        hs.setAttribute(AUTH_CONTEXT, new AuthorizationContext(user, user));
     }
 
     @Override