Diffstat (limited to 'modules/user/helpers/user.php')
-rw-r--r-- | modules/user/helpers/user.php | 67 |
1 files changed, 57 insertions, 10 deletions
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index e522f016..aec058d6 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -25,19 +25,66 @@ * */ class user { + /** - * Function to determine if the user has logged in. - * @param $user(optional) Defaults to null, if specified will compare against the user in the - * session. - * @returns boolean true if logged in + * Is the password provided correct? + * + * @param user User Model + * @param string $password a plaintext password + * @return boolean true if the password is correct */ - public static function is_logged_in($user=null) { - $session_user = Session::instance()->get("user", null); - $logged_in = false; - if (!empty($session_user)) { - $logged_in = !empty($user) && $session_user === $user; + public static function is_correct_password($user, $password) { + $valid = $user->password; + + $salt = substr($valid, 0, 4); + /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */ + $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password)); + if (!strcmp($guess, $valid)) { + return true; + } + + /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */ + $sanitizedPassword = html::specialchars($password, false); + $guess = (strlen($valid) == 32) ? md5($sanitizedPassword) + : ($salt . md5($salt . $sanitizedPassword)); + if (!strcmp($guess, $valid)) { + return true; } - return $logged_in; + /* Also support hashes generated by phpass for interoperability with other applications */ + if (strlen($valid) == 34) { + $hashGenerator = new PasswordHash(10, true); + return $hashGenerator->CheckPassword($password, $valid); + } + + return false; + } + + /** + * Create the hashed passwords. + * @param string $password a plaintext password + * @return string hashed password + */ + public static function hash_password($password) { + return user::_md5Salt($password); + } + + /** + * Create a hashed password using md5 plus salt. 
+ * @param string $password plaintext password
+ * @param string $salt (optional) salt or hash containing salt (randomly generated if omitted)
+ * @return string hashed password
+ */
+ private static function _md5Salt($password, $salt='') {
+ if (empty($salt)) {
+ for ($i = 0; $i < 4; $i++) {
+ $char = mt_rand(48, 109);
+ $char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;
+ $salt .= chr($char);
+ }
+ } else {
+ $salt = substr($salt, 0, 4);
+ }
+ return $salt . md5($salt . $password);
 }
 }
\ No newline at end of file |
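Review bot: hash_password still mints new credentials with the legacy 4-character-salt md5 scheme, although is_correct_password in the same hunk already accepts 34-character phpass hashes and instantiates `new PasswordHash(10, true)` for them; the new-password path can use that same class, `$hashGenerator = new PasswordHash(10, true); return $hashGenerator->HashPassword($password);`, and keep _md5Salt only for verifying existing hashes. In _md5Salt the line `$char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;` is an unparenthesised nested ternary, which PHP evaluates left-associatively as `(($char > 90) ? 13 : ($char > 57)) ? 7 : 0`, so the +13 branch is never taken, every value above 57 gets +7, and the salt can contain bytes such as `[`, `\`, `]`, `^`, `_` and a backtick; the 62 outputs stay distinct, so no entropy is lost, but PHP 8 rejects this form outright, and writing `$char += ($char > 90) ? 13 : (($char > 57) ? 7 : 0);` makes the intent explicit (the thresholds would still need revisiting if a purely alphanumeric salt is the goal). The salt bytes also come from mt_rand, which is not a generator designed for unpredictable output; if md5 salting is retained for new hashes, a source intended for that purpose would be preferable, subject to what the PHP version this tree targets offers. Finally, `!strcmp($guess, $valid)` is a byte comparison with early exit, so a constant-time comparison is worth considering where the runtime provides one.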