I'm hooking into User::EVENT_BEFORE_AUTHENTICATE in order to perform my own, additional authorization checks. The docs say:
You may set craft\events\AuthenticateUserEvent::$performAuthentication to false to prevent the user from getting authenticated
Setting performAuthentication to false has no effect though.
I believe this is due to $this->authError never being set to any value in the authenticate() function when $event->performAuthentication is true, since most of the function is skipped in that case.
Since $this->authError is equal to null (has never been touched), the function always returns true and authorization continues as normal.
Nevermind, turns out I totally misunderstood the purpose of performAuthentication: When it's set to false, the authentication process is skipped completely (meaning the user will _always_ be authenticated).
Hm… yeah this is a bit confusing. I’ve updated the event docs to clarify. To prevent the user from getting logged in, you must set $authError on the user to something.
$event->performAuthentication = false;
// ...
if (!$authenticates) {
    $event->sender->authError = 'The auth error message';
}
Amazing, thanks! I believe this also resolves #6501.
Ah, yep, thanks for pointing that out!
Updated now: https://docs.craftcms.com/api/v3/craft-elements-user.html#event-before-authenticate
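The behaviour discussed in this thread, as an added example that is not part of the original posts and not Craft's own code: a self-contained model of the flow, comparing a handler that only sets performAuthentication to false with one that fails closed by setting authError. MiniUser, AuthEvent, the `allowed` flag and the sample password are hypothetical stand-ins; in a real plugin the handler would be registered on User::EVENT_BEFORE_AUTHENTICATE.

```php
<?php
// Added example (PHP 8+). MiniUser and AuthEvent are hypothetical stand-ins, not
// Craft's code: they model only the authenticate() flow described in this thread.
class AuthEvent
{
    public bool $performAuthentication = true;
    public function __construct(public MiniUser $sender, public string $password) {}
}
class MiniUser
{
    public ?string $authError = null;
    public function __construct(public string $hash, public bool $allowed) {}
    public function authenticate(string $password, callable $beforeAuthenticate): bool
    {
        $this->authError = null;
        $event = new AuthEvent($this, $password);
        $beforeAuthenticate($event);
        // Built-in password check: skipped entirely when the handler opts out.
        if ($event->performAuthentication && !password_verify($password, $this->hash)) {
            $this->authError = 'invalid_credentials';
        }
        return $this->authError === null; // null authError means "authenticated"
    }
}
// Handler as in the original report: opts out but never takes over the decision.
$skipOnly = function (AuthEvent $e): void {
    $e->performAuthentication = false;
};

// Fail-closed handler: it owns the whole decision now, password check included.
$failClosed = function (AuthEvent $e): void {
    $e->performAuthentication = false;
    $user = $e->sender;
    $authenticates = password_verify($e->password, $user->hash) && $user->allowed;
    if (!$authenticates) {
        $user->authError = 'The auth error message';
    }
};

$hash = password_hash('correct horse', PASSWORD_DEFAULT); // constructed sample credential
$cases = [
    'skip only, wrong password'      => [new MiniUser($hash, true), 'wrong', $skipOnly],
    'fail closed, wrong password'    => [new MiniUser($hash, true), 'wrong', $failClosed],
    'fail closed, extra check fails' => [new MiniUser($hash, false), 'correct horse', $failClosed],
    'fail closed, all checks pass'   => [new MiniUser($hash, true), 'correct horse', $failClosed],
];
foreach ($cases as $label => [$user, $password, $handler]) {
    printf("%-32s => %s\n", $label, var_export($user->authenticate($password, $handler), true));
}
```

In this model only the first case authenticates with a wrong password, because the handler disabled the built-in check and never set authError. Once a handler sets performAuthentication to false, every check, including password verification, has to happen in the handler.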