id}?_method=put"), "", "post", array("id" => "gUserForm")); $group = $form->group(_("User Info")); $group->input("name") ->label(_("Name")) ->id("gName") ->value($user->name); $group->input("display_name") ->label(_("Display Name")) ->id("gDisplayName") ->value($user->display_name); $group->password("password") ->label(_("Password")) ->id("gPassword"); $group->input("email") ->label(_("Email")) ->id("gEmail") ->value($user->email); $group->submit(_("Modify")); $form->add_rules_from($user); return $form; } /** * Return the active user. If there's no active user, return the guest user. * * @return User_Model */ static function active() { return Session::instance()->get("user", self::guest()); } /** * Return the guest user. * * @todo consider caching * * @return User_Model */ static function guest() { return ORM::factory("user", 1); } /** * Change the active user. * * @return User_Model */ static function set_active($user) { return Session::instance()->set("user", $user); } /** * Create a new user. * * @param string $name * @param string $display_name * @param string $password * @return User_Model */ static function create($name, $display_name, $password) { $user = ORM::factory("user")->where("name", $name); if ($user->loaded) { throw new Exception("@todo USER_ALREADY_EXISTS $name"); } $user->name = $name; $user->display_name = $display_name; $user->password = $password; $user->save(); // Everybody user $group = ORM::factory("group", 1); $group->add($user); // Registered users $group = ORM::factory("group", 2); $group->add($user); module::event("user_created", $user); return $user; } /** * Is the password provided correct? * * @param user User Model * @param string $password a plaintext password * @return boolean true if the password is correct */ public static function is_correct_password($user, $password) { $valid = $user->password; $salt = substr($valid, 0, 4); /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */ $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password)); if (!strcmp($guess, $valid)) { return true; } /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */ $sanitizedPassword = html::specialchars($password, false); $guess = (strlen($valid) == 32) ? md5($sanitizedPassword) : ($salt . md5($salt . $sanitizedPassword)); if (!strcmp($guess, $valid)) { return true; } /* Also support hashes generated by phpass for interoperability with other applications */ if (strlen($valid) == 34) { $hashGenerator = new PasswordHash(10, true); return $hashGenerator->CheckPassword($password, $valid); } return false; } /** * Create the hashed passwords. * @param string $password a plaintext password * @return string hashed password */ public static function hash_password($password) { return user::_md5Salt($password); } /** * Perform the post authentication processing * @param object $user the user object. */ public static function login($user) { $user->login_count += 1; $user->last_login = time(); $user->save(); user::set_active($user); module::event("user_login", $user); } /** * Create a hashed password using md5 plus salt. * @param string $password plaintext password * @param string $salt (optional) salt or hash containing salt (randomly generated if omitted) * @return string hashed password */ private static function _md5Salt($password, $salt="") { if (empty($salt)) { for ($i = 0; $i < 4; $i++) { $char = mt_rand(48, 109); $char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0; $salt .= chr($char); } } else { $salt = substr($salt, 0, 4); } return $salt . md5($salt . $password); } }