From ce24d01076ccec6e0e0f30d30d4b726fbf0452c4 Mon Sep 17 00:00:00 2001
From: "kiko%async.com.br" <>
Date: Sun, 7 Dec 2003 10:11:00 +0000
Subject: Fix for bug 226982: Move password change code into Bugzilla::Auth (part 1).
Factored code out from Bugzilla::Auth::DB->authenticate() into separate methods so we can use them externally. Add extra API to DB.pm, which is currently used only internally (pending part 2). r=bbaetz, a=justdave
---
 Bugzilla/Auth/DB.pm | 78 ++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 50 insertions(+), 28 deletions(-)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Auth/DB.pm b/Bugzilla/Auth/DB.pm
index 29fbc6fa4..34ec9983c 100644
--- a/Bugzilla/Auth/DB.pm
+++ b/Bugzilla/Auth/DB.pm
@@ -39,50 +39,72 @@ sub authenticate {
 return (AUTH_NODATA) unless defined $username && defined $passwd;
- my $dbh = Bugzilla->dbh;
-
- # We're just testing against the db, so any value is ok
+ # We're just testing against the db: any value is ok
 trick_taint($username);
- # Retrieve the user's ID and crypted password from the database.
- my $sth = $dbh->prepare_cached("SELECT userid,cryptpassword,disabledtext " .
- "FROM profiles " .
- "WHERE login_name=?");
- my ($userid, $realcryptpwd, $disabledtext) =
- $dbh->selectrow_array($sth,
- undef,
- $username);
-
- # If the user doesn't exist, return now
+ my $userid = $class->get_id_from_username($username);
 return (AUTH_LOGINFAILED) unless defined $userid;
- # OK, now authenticate the user
-
- # Get the salt from the user's crypted password.
- my $salt = $realcryptpwd;
-
- # Using the salt, crypt the password the user entered.
- my $enteredCryptedPassword = crypt($passwd, $salt);
+ return (AUTH_LOGINFAILED, $userid)
+ unless $class->check_password($userid, $passwd);
- # Make sure the passwords match or return an error
- return (AUTH_LOGINFAILED, $userid) unless
- ($enteredCryptedPassword eq $realcryptpwd);
-
- # Now we know that the user has logged in successfully,
- # so delete any password tokens for them
+ # The user's credentials are okay, so delete any outstanding
+ # password tokens they may have generated.
 require Token;
 Token::DeletePasswordTokens($userid, "user_logged_in");
- # The user may have had their account disabled
+ # Account may have been disabled
+ my $disabledtext = $class->get_disabled($userid);
 return (AUTH_DISABLED, $userid, $disabledtext) if $disabledtext ne '';
- # If we get to here, then the user is allowed to login, so we're done!
 return (AUTH_OK, $userid);
 }
 sub can_edit { return 1; }
+sub get_id_from_username {
+ my ($class, $username) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " . 
+ "WHERE login_name=?");
+ my ($userid) = $dbh->selectrow_array($sth, undef, $username);
+ return $userid;
+}
+
+sub get_disabled {
+ my ($class, $userid) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
+ "WHERE userid=?");
+ my ($text) = $dbh->selectrow_array($sth, undef, $userid);
+ return $text;
+}
+
+sub check_password {
+ my ($class, $userid, $passwd) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
+ "WHERE userid=?");
+ my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
+
+ # Get the salt from the user's crypted password.
+ my $salt = $realcryptpwd;
+
+ # Using the salt, crypt the password the user entered.
+ my $enteredCryptedPassword = crypt($passwd, $salt);
+
+ return $enteredCryptedPassword eq $realcryptpwd;
+}
+
+sub change_password {
+ my ($class, $userid, $password) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $cryptpassword = Crypt($password);
+ $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
+ undef, $cryptpassword, $userid);
+}
+
 1;
 __END__
-- cgit v1.2.3-24-g4f1b