ZF-12276: OpenID Sreg extension:: parseRequest overwrites provided credentials when used in the provider context

Issue Type: Bug
Created: 2012-06-11T18:25:36.000+0000
Last Updated: 2012-06-11T18:25:36.000+0000
Status: Open
Fix version(s):
Reporter: Alan B. Dee (alanbdee)
Assignee: Dmitry Stogov (dmitry)
Tags: Zend_OpenId



It appears that when providing the requested credentials to the sreg extension in the provider context, it overrides those credentials with booleans.

Provider example:

    //... pull user info
    $user_params = array(
        'nickname' => $user->getNickName(),
        'fullname' => $user->getFullName(),
        'email' => $user->getEmail()
    );
    $sreg = new iChain_OpenId_Sreg($user_params);
    $ret = $provider->handle(null, $sreg);

Consumer example:

    $props = array(
        "nickname"=>false,
        "email"=>true,
        "fullname"=>true,
    );
    $sreg = new iChain_OpenId_Sreg($props, null, 2.0);
    $consumer = new Zend_OpenId_Consumer();
    if($consumer->verify($_GET, $id, $sreg)){
        // $_GET[openid_sreg_email] => 1
        // $_GET[openid_sreg_fullname] => 1
    }

The problem appears to be in Zend_OpenId_Extensions_Sreg::parseRequest. The unit tests only test the provided version number and policy url. When used in the consumer context it populates the $_props with a key/value array of attributes and booleans (if those are required). When using it in the provider context that same property is used to hold the actual values the provider should be sending. Instead it sends those booleans back.

A simple solution is to remove the following line from Zend_OpenId_Extensions_Sreg::parseRequest:

    $this->_props = (count($props2) > 0) ? $props2 : null;

However, it was put there for a reason and I am unsure why. I'm guessing to provide backwards compatibility with sreg 1.0 when used in the consumer context.
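The overwrite described in this report, and one way to avoid it, as an added example that is neither the reporter's code nor the Zend Framework source: a simplified PHP model in which the hypothetical class `SregModel` uses one property for both the request flags and the provider's values, while `SregModelSeparated` stores the flags separately and sends only the requested fields. All class names, method names and sample data are constructed for illustration.

```php
<?php
// Simplified model of the behaviour in this report, not the Zend Framework
// source. Class/method names and the sample data are constructed.
class SregModel
{
    protected $props;   // provider: values to send; also reused for request flags
    public function __construct(array $props = array()) { $this->props = $props; }

    public function parseRequest(array $params)
    {
        $flags = array();
        foreach (array('optional' => false, 'required' => true) as $kind => $flag) {
            if (empty($params['openid_sreg_' . $kind])) continue;
            foreach (explode(',', $params['openid_sreg_' . $kind]) as $name) {
                $flags[trim($name)] = $flag;
            }
        }
        $this->store($flags);
    }

    // Same slot for flags and values: the provider's data is lost here.
    protected function store(array $flags) { $this->props = $flags ?: null; }
    protected function valuesToSend() { return (array) $this->props; }

    public function prepareResponse()
    {
        $out = array();
        foreach ($this->valuesToSend() as $name => $value) {
            if (!empty($value)) $out['openid.sreg.' . $name] = $value;
        }
        return $out;
    }
}

// Variant: request flags get their own field; only requested fields are released.
class SregModelSeparated extends SregModel
{
    private $requested = array();
    protected function store(array $flags) { $this->requested = $flags; }
    protected function valuesToSend() { return array_intersect_key($this->props, $this->requested); }
}

$request = array('openid_sreg_required' => 'email,fullname', 'openid_sreg_optional' => 'nickname');
$user = array('nickname' => 'alice', 'fullname' => 'Alice Example', 'email' => 'alice@example.test', 'dob' => '1970-01-01');
foreach (array('SregModel', 'SregModelSeparated') as $class) {
    $sreg = new $class($user);
    $sreg->parseRequest($request);
    echo $class, ': ', json_encode($sreg->prepareResponse()), "\n";
}
```

In the second variant the constructed `dob` value is not released, because the request did not ask for it.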

