summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth
diff options
context:
space:
mode:
authorkiko%async.com.br <>2003-12-07 11:11:00 +0100
committerkiko%async.com.br <>2003-12-07 11:11:00 +0100
commitce24d01076ccec6e0e0f30d30d4b726fbf0452c4 (patch)
tree302b1a4998f8c5268e43e770601a2af1d24502b5 /Bugzilla/Auth
parentb3612adaf807df9743c8003faee62071f680f92f (diff)
downloadbugzilla-ce24d01076ccec6e0e0f30d30d4b726fbf0452c4.tar.gz
bugzilla-ce24d01076ccec6e0e0f30d30d4b726fbf0452c4.tar.xz
Fix for bug 226982: Move password change code into Bugzilla::Auth (part
1). Factored code out from Bugzilla::Auth::DB->authenticate() into separate methods so we can use them externally. Add extra API to DB.pm, which is currently used only internally (pending part 2). r=bbaetz, a=justdave
Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r--Bugzilla/Auth/DB.pm78
1 files changed, 50 insertions, 28 deletions
diff --git a/Bugzilla/Auth/DB.pm b/Bugzilla/Auth/DB.pm
index 29fbc6fa4..34ec9983c 100644
--- a/Bugzilla/Auth/DB.pm
+++ b/Bugzilla/Auth/DB.pm
@@ -39,50 +39,72 @@ sub authenticate {
return (AUTH_NODATA) unless defined $username && defined $passwd;
- my $dbh = Bugzilla->dbh;
-
- # We're just testing against the db, so any value is ok
+ # We're just testing against the db: any value is ok
trick_taint($username);
- # Retrieve the user's ID and crypted password from the database.
- my $sth = $dbh->prepare_cached("SELECT userid,cryptpassword,disabledtext " .
- "FROM profiles " .
- "WHERE login_name=?");
- my ($userid, $realcryptpwd, $disabledtext) =
- $dbh->selectrow_array($sth,
- undef,
- $username);
-
- # If the user doesn't exist, return now
+ my $userid = $class->get_id_from_username($username);
return (AUTH_LOGINFAILED) unless defined $userid;
- # OK, now authenticate the user
-
- # Get the salt from the user's crypted password.
- my $salt = $realcryptpwd;
-
- # Using the salt, crypt the password the user entered.
- my $enteredCryptedPassword = crypt($passwd, $salt);
+ return (AUTH_LOGINFAILED, $userid)
+ unless $class->check_password($userid, $passwd);
- # Make sure the passwords match or return an error
- return (AUTH_LOGINFAILED, $userid) unless
- ($enteredCryptedPassword eq $realcryptpwd);
-
- # Now we know that the user has logged in successfully,
- # so delete any password tokens for them
+ # The user's credentials are okay, so delete any outstanding
+ # password tokens they may have generated.
require Token;
Token::DeletePasswordTokens($userid, "user_logged_in");
- # The user may have had their account disabled
+ # Account may have been disabled
+ my $disabledtext = $class->get_disabled($userid);
return (AUTH_DISABLED, $userid, $disabledtext)
if $disabledtext ne '';
- # If we get to here, then the user is allowed to login, so we're done!
return (AUTH_OK, $userid);
}
sub can_edit { return 1; }
+sub get_id_from_username {
+ my ($class, $username) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
+ "WHERE login_name=?");
+ my ($userid) = $dbh->selectrow_array($sth, undef, $username);
+ return $userid;
+}
+
+sub get_disabled {
+ my ($class, $userid) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
+ "WHERE userid=?");
+ my ($text) = $dbh->selectrow_array($sth, undef, $userid);
+ return $text;
+}
+
+sub check_password {
+ my ($class, $userid, $passwd) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
+ "WHERE userid=?");
+ my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
+
+ # Get the salt from the user's crypted password.
+ my $salt = $realcryptpwd;
+
+ # Using the salt, crypt the password the user entered.
+ my $enteredCryptedPassword = crypt($passwd, $salt);
+
+ return $enteredCryptedPassword eq $realcryptpwd;
+}
+
+sub change_password {
+ my ($class, $userid, $password) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $cryptpassword = Crypt($password);
+ $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
+ undef, $cryptpassword, $userid);
+}
+
1;
__END__