-rw-r--r--modules/user/controllers/login.php4
-rw-r--r--modules/user/helpers/user.php67
-rw-r--r--modules/user/helpers/user_installer.php2
-rw-r--r--modules/user/helpers/user_password.php83
-rw-r--r--modules/user/models/user.php2
-rw-r--r--modules/user/tests/User_Installer_Test.php2
-rw-r--r--themes/default/views/header.html.php8
7 files changed, 66 insertions, 102 deletions
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 25e2abea..e6f10ec8 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -25,11 +25,11 @@ class Login_Controller extends Controller {
if ($form->validate()) {
// Load the user
- $user = ORM::factory("user")->where("display_name", $form->username->value)->find();
+ $user = ORM::factory("user")->where("name", $form->username->value)->find();
if (!$user->loaded) {
$form->error_message = "Invalid username or password";
} else {
- if (user_password::is_correct_password($user,$form->password->value)) {
+ if (user::is_correct_password($user,$form->password->value)) {
user::login($user);
url::redirect("user/success.html");
} else {
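Review bot: The unknown-user branch at `if (!$user->loaded)` answers without computing any hash, while the known-user branch runs `user::is_correct_password`, so the two failure paths differ in response time even though both show the same `Invalid username or password` message; that timing gap can let a client distinguish valid from invalid usernames. A common mitigation is to run the password check against a fixed dummy hash when the user is not loaded so both paths do comparable work. The enclosing method continues outside the hunk.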
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index e522f016..aec058d6 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -25,19 +25,66 @@
*
*/
class user {
+
/**
- * Function to determine if the user has logged in.
- * @param $user(optional) Defaults to null, if specified will compare against the user in the
- * session.
- * @returns boolean true if logged in
+ * Is the password provided correct?
+ *
+ * @param user User Model
+ * @param string $password a plaintext password
+ * @return boolean true if the password is correct
*/
- public static function is_logged_in($user=null) {
- $session_user = Session::instance()->get("user", null);
- $logged_in = false;
- if (!empty($session_user)) {
- $logged_in = !empty($user) && $session_user === $user;
+ public static function is_correct_password($user, $password) {
+ $valid = $user->password;
+
+ $salt = substr($valid, 0, 4);
+ /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */
+ $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
+ if (!strcmp($guess, $valid)) {
+ return true;
+ }
+
+ /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */
+ $sanitizedPassword = html::specialchars($password, false);
+ $guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
+ : ($salt . md5($salt . $sanitizedPassword));
+ if (!strcmp($guess, $valid)) {
+ return true;
}
- return $logged_in;
+ /* Also support hashes generated by phpass for interoperability with other applications */
+ if (strlen($valid) == 34) {
+ $hashGenerator = new PasswordHash(10, true);
+ return $hashGenerator->CheckPassword($password, $valid);
+ }
+
+ return false;
+ }
+
+ /**
+ * Create the hashed passwords.
+ * @param string $password a plaintext password
+ * @return string hashed password
+ */
+ public static function hash_password($password) {
+ return user::_md5Salt($password);
+ }
+
+ /**
+ * Create a hashed password using md5 plus salt.
+ * @param string $password plaintext password
+ * @param string $salt (optional) salt or hash containing salt (randomly generated if omitted)
+ * @return string hashed password
+ */
+ private static function _md5Salt($password, $salt='') {
+ if (empty($salt)) {
+ for ($i = 0; $i < 4; $i++) {
+ $char = mt_rand(48, 109);
+ $char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;
+ $salt .= chr($char);
+ }
+ } else {
+ $salt = substr($salt, 0, 4);
+ }
+ return $salt . md5($salt . $password);
}
} \ No newline at end of file
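Review bot: The nested ternary `$char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;` in `_md5Salt` is left-associative in PHP, so it parses as `(($char > 90) ? 13 : ($char > 57)) ? 7 : 0` and adds 7 for every value above 57; salt characters then land in 48–57 and 65–116, which includes the six punctuation characters between `Z` and `a` in ASCII and never the letters `u`–`z`, and PHP 8 rejects the unparenthesized form outright. The intended mapping is `$char += ($char > 90) ? 13 : (($char > 57) ? 7 : 0);`. In `is_correct_password` the `!strcmp($guess, $valid)` comparisons are not constant-time; `hash_equals($valid, $guess)` is the equivalent where it is available. `mt_rand` is not a cryptographic generator, and since `is_correct_password` already accepts phpass hashes (the 34-byte branch), `hash_password` could produce them via `PasswordHash::HashPassword` instead of a 4-character salted md5 so newly set passwords get the stronger scheme while existing hashes keep verifying.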
diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php
index 391915a3..77d10899 100644
--- a/modules/user/helpers/user_installer.php
+++ b/modules/user/helpers/user_installer.php
@@ -65,7 +65,7 @@ class user_installer {
$user_module->version = 1;
$user_module->save();
- $user = ORM::factory("user")->where("display_name", "admin")->find();
+ $user = ORM::factory("user")->where("name", "admin")->find();
$user->name = "admin";
$user->display_name = "Gallery Administrator";
$user->password = "admin";
diff --git a/modules/user/helpers/user_password.php b/modules/user/helpers/user_password.php
deleted file mode 100644
index 45de5bef..00000000
--- a/modules/user/helpers/user_password.php
+++ /dev/null
@@ -1,83 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.");
-/**
- * Gallery - a web based photo album viewer and editor
- * Copyright (C) 2000-2008 Bharat Mediratta
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at
- * your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
- */
-class user_password {
-
- /**
- * Is the password provided correct?
- *
- * @param user User Model
- * @param string $password a plaintext password
- * @return boolean true if the password is correct
- */
- public static function is_correct_password($user, $password) {
- $valid = $user->password;
-
- $salt = substr($valid, 0, 4);
- /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */
- $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
- if (!strcmp($guess, $valid)) {
- return true;
- }
-
- /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */
- $sanitizedPassword = html::specialchars($password, false);
- $guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
- : ($salt . md5($salt . $sanitizedPassword));
- if (!strcmp($guess, $valid)) {
- return true;
- }
-
- /* Also support hashes generated by phpass for interoperability with other applications */
- if (strlen($valid) == 34) {
- $hashGenerator = new PasswordHash(10, true);
- return $hashGenerator->CheckPassword($password, $valid);
- }
-
- return false;
- }
-
- /**
- * Create the hashed passwords.
- * @param string $password a plaintext password
- * @return string hashed password
- */
- public static function hash_password($password) {
- return user_password::_md5Salt($password);
- }
-
- /**
- * Create a hashed password using md5 plus salt.
- * @param string $password plaintext password
- * @param string $salt (optional) salt or hash containing salt (randomly generated if omitted)
- * @return string hashed password
- */
- private static function _md5Salt($password, $salt='') {
- if (empty($salt)) {
- for ($i = 0; $i < 4; $i++) {
- $char = mt_rand(48, 109);
- $char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;
- $salt .= chr($char);
- }
- } else {
- $salt = substr($salt, 0, 4);
- }
- return $salt . md5($salt . $password);
- }
-}
diff --git a/modules/user/models/user.php b/modules/user/models/user.php
index d02d0ae0..feab3f42 100644
--- a/modules/user/models/user.php
+++ b/modules/user/models/user.php
@@ -23,7 +23,7 @@ class User_Model extends ORM {
public function __set($column, $value) {
switch ($column) {
case "password":
- $value = user_password::hash_password($value);
+ $value = user::hash_password($value);
break;
}
parent::__set($column, $value);
diff --git a/modules/user/tests/User_Installer_Test.php b/modules/user/tests/User_Installer_Test.php
index 4ececd98..c7b6afbe 100644
--- a/modules/user/tests/User_Installer_Test.php
+++ b/modules/user/tests/User_Installer_Test.php
@@ -27,7 +27,7 @@ class User_Installer_Test extends Unit_Test_Case {
$user = ORM::factory("user", 1);
$this->assert_equal("Gallery Administrator", $user->display_name);
$this->assert_equal("admin", $user->name);
- $this->assert_true(user_password::is_correct_password($user, "admin"));
+ $this->assert_true(user::is_correct_password($user, "admin"));
$this->assert_equal(
array("administrator", "registered"),
diff --git a/themes/default/views/header.html.php b/themes/default/views/header.html.php
index 8ebc1295..c09c11ef 100644
--- a/themes/default/views/header.html.php
+++ b/themes/default/views/header.html.php
@@ -3,7 +3,10 @@
<h1><?= $item->title_edit ?></h1>
<div id="gLoginMenu">
- <? if (!user::is_logged_in($user)): ?>
+ <? if ($user): ?>
+ <a href="<?= url::site("user/update")?>"><?= _("Modify Profile") ?></a> |
+ <a href="<?= url::site("logout")?>"><?= _("Logout") ?></a>
+ <? else: ?>
<a href="#"><?=_("Recover password") ?></a> |
<a href="<?= url::site("user/register")?>"><?= _("Register") ?></a> |
<span id="gLoginLink">
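Review bot: `<? if ($user): ?>` decides on truthiness, and an object is always truthy in PHP, so if the view is ever handed an unloaded User_Model (the case login.php tests with `$user->loaded`) rather than null, a guest would see the Modify Profile/Logout links; whether that can happen depends on the controller, which is not visible here. If the controller guarantees `$user` is null for anonymous visitors, a comment at the top of the view stating that contract, e.g. `<?php /* $user is null for anonymous visitors */ ?>`, would make it explicit; otherwise `<? if ($user && $user->loaded): ?>` is the safer test. The same condition governs the relocated else-branch in the second hunk of this file.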
@@ -12,9 +15,6 @@
<span id="gLoginClose" class="gDisplayNone">
<?= _("Login") ?> | <a href="javascript:close_login()">X</a>
</span>
- <? else: ?>
- <a href="<?= url::site("user/update")?>"><?= _("Modify Profile") ?></a> |
- <a href="<?= url::site("logout")?>"><?= _("Logout") ?></a>
<? endif; ?>
<span id="gLoginForm" class="gDisplayNone" >
<?= Login_Form::factory()->render() ?>