diff --git a/include/class.auth.php b/include/class.auth.php
index f38ddd01536672f49aa8fcdd01cbe9c2c606b9c7..6eb72cba2b9fb103618cb760157dd4fadd16b2a3 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -605,15 +605,8 @@ abstract class UserAuthenticationBackend extends AuthenticationBackend {
throw new AccessDenied('Account is administratively locked');
}
- //Tag the authkey.
- $authkey = $bk::$id.':'.$authkey;
-
- //Set the session goodies
- $authsession = &$_SESSION['_auth']['user'];
-
- $authsession = array(); //clear.
- $authsession['id'] = $user->getId();
- $authsession['key'] = $authkey;
+ // Tag the user and associated ticket in the SESSION
+ $this->setAuthKey($user, $bk, $authkey);
//The backend used decides the format of the auth key.
// XXX: encrypt to hide the bk??
@@ -637,6 +630,20 @@ abstract class UserAuthenticationBackend extends AuthenticationBackend {
return true;
}
+ function setAuthKey($user, $bk, $key=false) {
+ $authkey = $key ?: $bk->getAuthKey($user);
+
+ //Tag the authkey.
+ $authkey = $bk::$id.':'.$authkey;
+
+ //Set the session goodies
+ $authsession = &$_SESSION['_auth']['user'];
+
+ $authsession = array(); //clear.
+ $authsession['id'] = $user->getId();
+ $authsession['key'] = $authkey;
+ }
+
function authenticate($username, $password) {
return false;
}
diff --git a/view.php b/view.php
index 2299043b0047d4007b3e535b898035b0935e8da5..0a38c149ac85486fcaebe1de1cfa2a95778ab5c8 100644
--- a/view.php
+++ b/view.php
@@ -23,6 +23,11 @@ if ($_GET['auth']
&& ($u = TicketUser::lookupByToken($_GET['auth']))
&& ($u->getUserId() == $thisclient->getId())
) {
+ // Switch auth keys ? (Otherwise the user can never use links for two
+ // different tickets)
+ if (($bk = $thisclient->getAuthBackend()) instanceof AuthTokenAuthentication) {
+ $bk->setAuthKey($u, $bk);
+ }
Http::redirect('tickets.php?id='.$u->getTicketId());
}
// Try autologin the user