authorkiko%async.com.br <>2003-12-07 11:11:00 +0100
committerkiko%async.com.br <>2003-12-07 11:11:00 +0100
commitce24d01076ccec6e0e0f30d30d4b726fbf0452c4 (patch)
tree302b1a4998f8c5268e43e770601a2af1d24502b5 /Bugzilla
parentb3612adaf807df9743c8003faee62071f680f92f (diff)
Fix for bug 226982: Move password change code into Bugzilla::Auth (part
1). Factored code out from Bugzilla::Auth::DB->authenticate() into separate methods so we can use them externally. Add extra API to DB.pm, which is currently used only internally (pending part 2). r=bbaetz, a=justdave
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Auth/DB.pm78
1 files changed, 50 insertions, 28 deletions
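--- a/Bugzilla/Auth/DB.pm
+++ b/Bugzilla/Auth/DB.pm
@@ -39,50 +39,72 @@ sub authenticate {
 return (AUTH_NODATA) unless defined $username && defined $passwd;
- my $dbh = Bugzilla->dbh;
-
- # We're just testing against the db, so any value is ok
+ # We're just testing against the db: any value is ok
 trick_taint($username);
- # Retrieve the user's ID and crypted password from the database.
- my $sth = $dbh->prepare_cached("SELECT userid,cryptpassword,disabledtext " .
- "FROM profiles " .
- "WHERE login_name=?");
- my ($userid, $realcryptpwd, $disabledtext) =
- $dbh->selectrow_array($sth,
- undef,
- $username);
-
- # If the user doesn't exist, return now
+ my $userid = $class->get_id_from_username($username);
 return (AUTH_LOGINFAILED) unless defined $userid;
- # OK, now authenticate the user
-
- # Get the salt from the user's crypted password.
- my $salt = $realcryptpwd;
-
- # Using the salt, crypt the password the user entered.
- my $enteredCryptedPassword = crypt($passwd, $salt);
+ return (AUTH_LOGINFAILED, $userid)
+ unless $class->check_password($userid, $passwd);
- # Make sure the passwords match or return an error
- return (AUTH_LOGINFAILED, $userid) unless
- ($enteredCryptedPassword eq $realcryptpwd);
-
- # Now we know that the user has logged in successfully,
- # so delete any password tokens for them
+ # The user's credentials are okay, so delete any outstanding
+ # password tokens they may have generated.
 require Token;
 Token::DeletePasswordTokens($userid, "user_logged_in");
- # The user may have had their account disabled
+ # Account may have been disabled
+ my $disabledtext = $class->get_disabled($userid);
 return (AUTH_DISABLED, $userid, $disabledtext)
 if $disabledtext ne '';
- # If we get to here, then the user is allowed to login, so we're done!
 return (AUTH_OK, $userid);
 }
 sub can_edit { return 1; }
+sub get_id_from_username {
+ my ($class, $username) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
+ "WHERE login_name=?");
+ my ($userid) = $dbh->selectrow_array($sth, undef, $username);
+ return $userid;
+}
+
+sub get_disabled {
+ my ($class, $userid) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
+ "WHERE userid=?");
+ my ($text) = $dbh->selectrow_array($sth, undef, $userid);
+ return $text;
+}
+
+sub check_password {
+ my ($class, $userid, $passwd) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
+ "WHERE userid=?");
+ my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
+
+ # Get the salt from the user's crypted password.
+ my $salt = $realcryptpwd;
+
+ # Using the salt, crypt the password the user entered.
+ my $enteredCryptedPassword = crypt($passwd, $salt);
+
+ return $enteredCryptedPassword eq $realcryptpwd;
+}
+
+sub change_password {
+ my ($class, $userid, $password) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $cryptpassword = Crypt($password);
+ $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
+ undef, $cryptpassword, $userid);
+}
+
 1;
 __END__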
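Review bot: check_password compares `crypt($passwd, $salt)` against `$realcryptpwd` without first checking that the SELECT returned a row and that the stored hash is non-empty; with an undefined or empty salt, `crypt` on common libc implementations can yield an undefined or empty result that compares equal to the stored value, so the method would report success for an unknown userid or for an account whose cryptpassword column is blank. authenticate() (whose signature is above the hunk) guards the userid itself, but the commit message says these methods are meant to be called from outside this module, so the guard belongs in the method: `return 0 unless defined $realcryptpwd && $realcryptpwd ne '';` before the crypt call. change_password discards the result of `$dbh->do`, so a failed UPDATE is indistinguishable from success to the caller; `return $dbh->do(...)` or an explicit check would let callers react. `Crypt()` in change_password is not defined or imported in this hunk; presumably it is the global helper from elsewhere in Bugzilla, which is worth a one-line comment so readers do not confuse it with the builtin `crypt`.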