Commit ce24d010 authored by kiko%async.com.br's avatar kiko%async.com.br

Fix for bug 226982: Move password change code into Bugzilla::Auth (part

1). Factored code out from Bugzilla::Auth::DB->authenticate() into separate methods so we can use them externally. Add extra API to DB.pm, which is currently used only internally (pending part 2). r=bbaetz, a=justdave
parent b3612ada
...@@ -39,50 +39,72 @@ sub authenticate { ...@@ -39,50 +39,72 @@ sub authenticate {
return (AUTH_NODATA) unless defined $username && defined $passwd; return (AUTH_NODATA) unless defined $username && defined $passwd;
my $dbh = Bugzilla->dbh; # We're just testing against the db: any value is ok
# We're just testing against the db, so any value is ok
trick_taint($username); trick_taint($username);
# Retrieve the user's ID and crypted password from the database. my $userid = $class->get_id_from_username($username);
my $sth = $dbh->prepare_cached("SELECT userid,cryptpassword,disabledtext " .
"FROM profiles " .
"WHERE login_name=?");
my ($userid, $realcryptpwd, $disabledtext) =
$dbh->selectrow_array($sth,
undef,
$username);
# If the user doesn't exist, return now
return (AUTH_LOGINFAILED) unless defined $userid; return (AUTH_LOGINFAILED) unless defined $userid;
# OK, now authenticate the user return (AUTH_LOGINFAILED, $userid)
unless $class->check_password($userid, $passwd);
# Get the salt from the user's crypted password.
my $salt = $realcryptpwd;
# Using the salt, crypt the password the user entered.
my $enteredCryptedPassword = crypt($passwd, $salt);
# Make sure the passwords match or return an error # The user's credentials are okay, so delete any outstanding
return (AUTH_LOGINFAILED, $userid) unless # password tokens they may have generated.
($enteredCryptedPassword eq $realcryptpwd);
# Now we know that the user has logged in successfully,
# so delete any password tokens for them
require Token; require Token;
Token::DeletePasswordTokens($userid, "user_logged_in"); Token::DeletePasswordTokens($userid, "user_logged_in");
# The user may have had their account disabled # Account may have been disabled
my $disabledtext = $class->get_disabled($userid);
return (AUTH_DISABLED, $userid, $disabledtext) return (AUTH_DISABLED, $userid, $disabledtext)
if $disabledtext ne ''; if $disabledtext ne '';
# If we get to here, then the user is allowed to login, so we're done!
return (AUTH_OK, $userid); return (AUTH_OK, $userid);
} }
sub can_edit { return 1; } sub can_edit { return 1; }
sub get_id_from_username {
my ($class, $username) = @_;
my $dbh = Bugzilla->dbh;
my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
"WHERE login_name=?");
my ($userid) = $dbh->selectrow_array($sth, undef, $username);
return $userid;
}
sub get_disabled {
my ($class, $userid) = @_;
my $dbh = Bugzilla->dbh;
my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
"WHERE userid=?");
my ($text) = $dbh->selectrow_array($sth, undef, $userid);
return $text;
}
sub check_password {
my ($class, $userid, $passwd) = @_;
my $dbh = Bugzilla->dbh;
my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
"WHERE userid=?");
my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
# Get the salt from the user's crypted password.
my $salt = $realcryptpwd;
# Using the salt, crypt the password the user entered.
my $enteredCryptedPassword = crypt($passwd, $salt);
return $enteredCryptedPassword eq $realcryptpwd;
}
sub change_password {
my ($class, $userid, $password) = @_;
my $dbh = Bugzilla->dbh;
my $cryptpassword = Crypt($password);
$dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
undef, $cryptpassword, $userid);
}
1; 1;
__END__ __END__
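Review bot: check_password on the new side (`my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);`) is now a public class method that can be called with any userid, yet it passes whatever the SELECT returns straight into crypt() and compares with `eq`; when the row is missing or cryptpassword is NULL or empty, $realcryptpwd is undef or '' and the result depends on how the platform's crypt() treats an empty salt rather than on an explicit decision. A guard before the crypt call, `return 0 unless defined $realcryptpwd && $realcryptpwd ne '';`, makes an account with no stored hash unable to authenticate regardless of libc behaviour; authenticate() only avoids this today because it checks `defined $userid` first, which is worth a one-line comment there. Separately, change_password calls `Crypt($password)` — presumably the globals.pl salting helper — which is neither defined nor package-qualified in this file as shown, and it discards the return value of `$dbh->do`; returning the affected-row count (or dying on failure) would let callers in part 2 notice a silent no-op update.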