ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004235 | mantisbt | authentication | public | 2004-07-31 21:04 | 2017-04-30 14:48 |
Reporter | vboctor | Assigned To | vboctor | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 2.4.0 | Fixed in Version | 2.4.0 | ||
Summary | 0004235: Support Generic Authentication through Plug-ins | ||||
Description | Define an API that plug-ins can implement to let Mantis use a given kind of authentication. | ||||
Tags | No tags attached. | ||||
Attached Files | pear_auth.patch (32,592 bytes)
--- admin/install.php Mon Feb 19 23:05:04 2007 +++ admin/install.php Wed Jul 18 00:55:32 2007 @@ -8,8 +8,8 @@ # -------------------------------------------------------- # $Id: install.php,v 1.31 2007/02/20 06:05:03 vboctor Exp $ # -------------------------------------------------------- -?> -<?php + $g_login_allowed = false; + error_reporting( E_ALL ); //@@@ put this somewhere @@ -99,9 +99,12 @@ <td class="title"> <?php switch ( $t_install_state ) { - case 6: - echo "Post Installation Checks"; - break; + case 7: + echo "Add administrator user"; + break; + case 6: + echo "Post Installation Checks"; + break; case 5: echo "Install Configuration File"; break; @@ -687,8 +690,6 @@ </td> </tr> -<!-- Checking MD5 --> -<?php print_test( 'Checking for MD5 Crypt() support', 1 === CRYPT_MD5, false, 'password security may be lower than expected' ) ?> <!-- Checking register_globals are off --> <?php print_test( 'Checking for register_globals are off for mantis', ! ini_get_bool( 'register_globals' ), false, 'change php.ini to disable register_globals setting' ) ?> 
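Review bot: `error_reporting( E_ALL ); //@@@ put this somewhere` in the first hunk (-8,8) leaves an unresolved TODO in the installer's header; if the line is only there to surface notices while developing the patch, drop it, otherwise move it next to the other installer setup and replace the marker with a comment saying why the installer raises the reporting level. `$g_login_allowed = false;` is set here as a bare file-scope global that `auth_api_initialize_auth_object()` later reads, so a one-line comment such as `# tell the auth API not to redirect to the login page while installing` would tell the next reader why it precedes the includes.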
@@ -773,14 +774,63 @@ } ?> </tr> -</table> <?php if ( false == $g_failed ) { $t_install_state++; } } # end install_state == 6 -if ( 7 == $t_install_state ) { +if ( 7 == $t_install_state ) { +?> +<tr> + <td bgcolor="#ffffff"> + Initializing 'administrator' user + </td> +<?php + /* + "(username, realname, email, password, date_created, last_visit, enabled, protected, access_level, login_count, lost_password_request_count, failed_login_count, cookie_string) VALUES + ('administrator', '', 'root@localhost', '63a9f0ea7bb98050796b649e85481845', " . db_now() . ", " . db_now() . ", 1, 0, 90, 3, 0, 0, '" . + md5( mt_rand( 0, mt_getrandmax() ) + mt_rand( 0, mt_getrandmax() ) ) . md5( time() ) . "')" ) ); + */ + $pearauth = auth_api_initialize_auth_object(); + + $query = "DELETE FROM mantis_user_table + WHERE username='administrator';"; + db_query( $query ); + + $t_result = user_create( + 'administrator', #user name + '', #passwprd + '', #email + 90, # access level + false, # protected + true, # enabled + ''); #real name + + if ( $t_result != false ) { + print_test_result( GOOD ); + } else { + print_test_result( BAD, true, 'could not create user through the user API' ); + } + if($t_result != false) + { + $g_failed = false; + } + else + { + $g_failed = true; + } +?> +</tr> +</table> +<?php + if ( false == $g_failed ) { + $t_install_state++; + } +} # end install_state == 7 + + +if ( 8 == $t_install_state ) { # cleanup and launch upgrade ?> <p>Install was successful.</p> --- admin/schema.php Thu Mar 15 22:13:46 2007 +++ admin/schema.php Wed Jul 18 00:57:09 2007 
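Review bot: The administrator account created in step 7 gets an empty password — `user_create( 'administrator', '', ...)` passes `''` as the second argument — so a fresh install ends with a passwordless admin until someone changes it; generate one with the `auth_generate_random_password()` this patch keeps and show it on the install page, e.g. `$t_admin_password = auth_generate_random_password( '' );` passed in place of `''`. The preceding `DELETE FROM mantis_user_table WHERE username='administrator'` hard-codes the table name where the rest of the code uses `config_get( 'mantis_user_table' )`, and it silently removes any existing administrator whenever the installer is re-run. `$pearauth = auth_api_initialize_auth_object();` is assigned and never used in this block, and the `if/else` that sets `$g_failed` repeats the `$t_result != false` test made just above it.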
@@ -309,10 +309,13 @@ $upgrade[] = Array('CreateIndexSQL',Array('idx_user_username',config_get('mantis_user_table'),'username',Array('UNIQUE'))); $upgrade[] = Array('CreateIndexSQL',Array('idx_enable',config_get('mantis_user_table'),'enabled')); $upgrade[] = Array('CreateIndexSQL',Array('idx_access',config_get('mantis_user_table'),'access_level')); -$upgrade[] = Array('InsertData', Array( config_get('mantis_user_table'), +/* I had to remove this so that PEAR::Auth could hash the password */ +/* + $upgrade[] = Array('InsertData', Array( config_get('mantis_user_table'), "(username, realname, email, password, date_created, last_visit, enabled, protected, access_level, login_count, lost_password_request_count, failed_login_count, cookie_string) VALUES ('administrator', '', 'root@localhost', '63a9f0ea7bb98050796b649e85481845', " . db_now() . ", " . db_now() . ", 1, 0, 90, 3, 0, 0, '" . md5( mt_rand( 0, mt_getrandmax() ) + mt_rand( 0, mt_getrandmax() ) ) . md5( time() ) . "')" ) ); +*/ $upgrade[] = Array('AlterColumnSQL', Array( config_get( 'mantis_bug_history_table' ), "old_value C(255) NOTNULL" ) ); $upgrade[] = Array('AlterColumnSQL', Array( config_get( 'mantis_bug_history_table' ), "new_value C(255) NOTNULL" ) ); --- core/adodb/datadict/datadict-postgres.inc.php Sat Apr 22 04:35:06 2006 +++ core/adodb/datadict/datadict-postgres.inc.php Wed Jul 18 01:06:22 2007 @@ -103,7 +103,20 @@ case 'D': return 'DATE'; case 'T': return 'TIMESTAMP'; - case 'L': return 'BOOLEAN'; + case 'L': + /* + # + # postgres 8.3 expected quotes + # around the val. the easiest way + # to work was to change to a + # numeric value. I had a very + # hard time trying to figure out + # how to supply quotes arround the + # value, so I went the other way + # + return 'BOOLEAN'; + */ + return 'SMALLINT'; case 'I': return 'INTEGER'; case 'I1': return 'SMALLINT'; case 'I2': return 'INT2'; --- core/authentication_api.php Sun Apr 23 05:33:00 2006 +++ core/authentication_api.php Wed Jul 18 02:00:02 2007 
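Review bot: The administrator `InsertData` entry in the schema.php hunk (-309,10) is commented out rather than removed, leaving dead code and a first-person note in the upgrade list; delete the block and keep a one-line pointer, e.g. `# the administrator account is created in admin/install.php step 7 so the auth backend can hash its password`. Because the schema no longer seeds the account, any path that runs schema.php without the new install step appears to end with no administrator row, which the comment should state.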
@@ -8,14 +8,67 @@ # -------------------------------------------------------- # $Id: authentication_api.php,v 1.55 2006/04/23 12:32:59 vboctor Exp $ # -------------------------------------------------------- - + require_once "Auth/Auth.php"; + require_once "string_api.php"; + require_once "print_api.php"; ### Authentication API ### - - $g_script_login_cookie = null; - $g_cache_anonymous_user_cookie_string = null; - $g_cache_current_user_cookie_string = null; - $g_cache_cookie_valid = null; - + + # + # this function is called when a->start(); decides that a login is needed + # + function pearauth_login_redirector( $username, $status, $auth) { + /* keep us from looping infinatly */ + global $on_login_page; + if(isset($on_login_page)) + { + if($on_login_page == true) + { + return; + } + } + + if ( !php_version_at_least( '4.1.0' ) ) { + global $_SERVER; + } + + $p_return_page = $auth->return_page; + if(is_blank($p_return_page)){ + if (!isset($_SERVER['REQUEST_URI'])) { + $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING']; + } + $p_return_page = $_SERVER['REQUEST_URI']; + } + $p_return_page = string_url( $p_return_page ); + print_header_redirect( 'login_page.php?return=' . 
$p_return_page ); + } + + function auth_api_initialize_auth_object() + { + global $g_login_allowed; + global $g_db_type; + global $g_db_username; + global $g_db_password; + global $g_hostname; + global $g_database_name; + + + $pearauthDriver = "DB"; + $pearAuthOptions = array( + 'dsn' => "$g_db_type://$g_db_username:$g_db_password@$g_hostname/$g_database_name", + 'table' => "mantis_user_table", + 'usernamecol' => "username", + 'passwordcol' => "password", + 'sessionName' => "mantis" + ); + + if(!isset($g_login_allowed)) $g_login_allowed=true; + $pearauth = new Auth($pearauthDriver, $pearAuthOptions, "pearauth_login_redirector",$g_login_allowed); + $pearauth->return_page =''; + return $pearauth; + } + + $pearauth = auth_api_initialize_auth_object(); + $pearauth->start(); #=================================== # Boolean queries and ensures #=================================== @@ -38,26 +91,21 @@ if ( OFF == current_user_get_field( 'enabled' ) ) { print_header_redirect( 'logout_page.php' ); } - } else { # not logged in - if ( is_blank( $p_return_page ) ) { - if (!isset($_SERVER['REQUEST_URI'])) { - $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING']; - } - $p_return_page = $_SERVER['REQUEST_URI']; - } - $p_return_page = string_url( $p_return_page ); - print_header_redirect( 'login_page.php?return=' . $p_return_page ); - } + } else { + # not logged in + # old code had a redirect here. + # hmmmm.... is this legal? + $pearauth->return_page = $p_return_page; + $pearauth->start(); + } } # -------------------- # Return true if there is a currently logged in and authenticated user, # false otherwise - function auth_is_user_authenticated() { - global $g_cache_cookie_valid; - if($g_cache_cookie_valid) - return true; - return ( auth_is_cookie_valid( auth_get_current_user_cookie() ) ); + function auth_is_user_authenticated() { + global $pearauth; + return $pearauth->checkAuth(); } 
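Review bot: `auth_api_initialize_auth_object()` hard-codes `'table' => "mantis_user_table"` while the rest of the code (schema.php in this same patch) resolves it through `config_get( 'mantis_user_table' )`, so an installation with a table prefix authenticates against the wrong table; use `'table' => config_get( 'mantis_user_table' ),`. `$g_login_allowed` and `$on_login_page` are read from global scope with `isset()` and no initialisation in this file, which is the register_globals spoofing case the SECURITY NOTE later in this file guards `$g_cache_current_user_id` against — give both a defined default in core.php before this file is included rather than relying on whatever is in scope. The DSN embeds `$g_db_password` verbatim, so a password containing `@`, `/` or `:` changes how the DSN is split; percent-encode the components if the PEAR DB DSN parser decodes them, or pass an already-open connection. `$pearauth = auth_api_initialize_auth_object(); $pearauth->start();` at file scope means merely including the API starts a session and may redirect through `pearauth_login_redirector`; the `$on_login_page` guard exists only because of that side effect, and a comment on those two lines should say so.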
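Review bot: The `# hmmmm.... is this legal?` comment in the `else` branch of `auth_ensure_user_authenticated` (hunk -38,26) leaves the author's doubt in the code; replace it with what the branch does, e.g. `# not logged in: hand the return page to PEAR::Auth and let its login callback redirect`. The function's header is above the hunk, so I cannot see whether it declares `global $pearauth;` — if it does not, `$pearauth->return_page` operates on an undefined local. `auth_is_user_authenticated()` now returns `$pearauth->checkAuth()` for every caller, including the anonymous-account path the removed cookie code handled; if anonymous access is still meant to work, it has to be re-checked here.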
@@ -72,123 +120,38 @@ # true is returned. If $p_perm_login is true, the long-term # cookie is created. function auth_attempt_login( $p_username, $p_password, $p_perm_login=false ) { - $t_user_id = user_get_id_by_name( $p_username ); - - $t_login_method = config_get( 'login_method' ); - - if ( false === $t_user_id ) { - if ( BASIC_AUTH == $t_login_method ) { - # attempt to create the user if using BASIC_AUTH - $t_cookie_string = user_create( $p_username, $p_password ); - - if ( false === $t_cookie_string ) { - # it didn't work - return false; - } - - # ok, we created the user, get the row again - $t_user_id = user_get_id_by_name( $p_username ); - - if ( false === $t_user_id ) { - # uh oh, something must be really wrong - - # @@@ trigger an error here? - - return false; - } - } else { - return false; - } - } - - # check for disabled account - if ( !user_is_enabled( $t_user_id ) ) { - return false; - } - - # max. failed login attempts achieved... - if( !user_is_login_request_allowed( $t_user_id ) ) { - return false; - } - - $t_anon_account = config_get( 'anonymous_account' ); - $t_anon_allowed = config_get( 'allow_anonymous_login' ); - - # check for anonymous login - if ( !( ( ON == $t_anon_allowed ) && ( $t_anon_account == $p_username) ) ) { - # anonymous login didn't work, so check the password - - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { - user_increment_failed_login_count( $t_user_id ); - return false; - } - } - - # ok, we're good to login now - - # increment login count - user_increment_login_count( $t_user_id ); - - user_reset_failed_login_count_to_zero( $t_user_id ); - user_reset_lost_password_in_progress_count_to_zero( $t_user_id ); - - # set the cookies - auth_set_cookies( $t_user_id, $p_perm_login ); - - return true; + # + # same thing. 
just return if we are not logged in + # + global $pearauth; + return $pearauth->checkAuth(); } # -------------------- # Allows scripts to login using a login name or ( login name + password ) - function auth_attempt_script_login( $p_username, $p_password = null ) { - global $g_script_login_cookie, $g_cache_cookie_valid, $g_cache_current_user_id, $g_cache_current_user_cookie_string; - - $t_user_id = user_get_id_by_name( $p_username ); - - $t_user = user_get_row( $t_user_id ); - - # check for disabled account - if ( OFF == $t_user['enabled'] ) { - return false; - } - - # validate password if supplied - if ( null !== $p_password ) { - if ( !auth_does_password_match( $t_user_id, $p_password ) ) { - return false; - } - } - - # ok, we're good to login now - - # With cases like RSS feeds and MantisConnect there is a login per operation, hence, there is no - # real significance of incrementing login count. - # increment login count - # user_increment_login_count( $t_user_id ); - - # set the cookies - $g_script_login_cookie = $t_user['cookie_string']; - $g_cache_current_user_cookie_string = $g_script_login_cookie; - - # cache user id for future reference - $g_cache_current_user_id = $t_user_id; - $g_cache_cookie_valid = true; - - return true; + function auth_attempt_script_login( $p_username, $p_password = null ) { + # + # we are unable to authenticate through this method anymore + # username and password are picked by the auth module from the + # get/set scripts. 
Anythin using this should be depreciated + # + global $pearauth; + return $pearauth->checkAuth(); } # -------------------- # Logout the current user and remove any remaining cookies from their browser # Returns true on success, false otherwise - function auth_logout() { - global $g_cache_current_user_id; - - # clear cached userid - $g_cache_current_user_id = null; - - # clear cookies, if they were set - if (auth_clear_cookies()) { - helper_clear_pref_cookies(); + function auth_logout() { + global $pearauth; + if ($pearauth->checkAuth()) + { + $pearauth->logout(); + helper_clear_pref_cookies(); + } + else + { + $pearauth->logout(); } return true; } 
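Review bot: `auth_attempt_login()` now ignores all three of its parameters and returns `$pearauth->checkAuth()`, dropping the disabled-account check (`user_is_enabled`), the lockout check (`user_is_login_request_allowed`) and the failed-login counting the removed lines enforced; nothing visible in this patch re-adds them, so a disabled account the backend accepts is logged in and login throttling is gone. After a successful `checkAuth()`, re-apply them: `$t_user_id = user_get_id_by_name( $pearauth->getUsername() );` `if ( false === $t_user_id || !user_is_enabled( $t_user_id ) || !user_is_login_request_allowed( $t_user_id ) ) { return false; }`. `auth_attempt_script_login()` has the same shape — it returns the browser session's state regardless of `$p_username`, so a script asking to act as one user gets whoever is in the session; the comment already says it should be deprecated, so at least return `false` when `$pearauth->getUsername()` differs from `$p_username`. In `auth_logout()` both branches call `$pearauth->logout()` and only `helper_clear_pref_cookies()` is conditional, so `$t_was_authenticated = $pearauth->checkAuth(); $pearauth->logout(); if ( $t_was_authenticated ) { helper_clear_pref_cookies(); }` says the same thing without the duplicated branch.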
@@ -200,71 +163,55 @@ # -------------------- # Return true if the password for the user id given matches the given # password (taking into account the global login method) - function auth_does_password_match( $p_user_id, $p_test_password ) { - $t_configured_login_method = config_get( 'login_method' ); - - if ( LDAP == $t_configured_login_method ) { - return ldap_authenticate( $p_user_id, $p_test_password ); - } - - $t_password = user_get_field( $p_user_id, 'password' ); - $t_login_methods = Array(MD5, CRYPT, PLAIN); - foreach ( $t_login_methods as $t_login_method ) { - - # pass the stored password in as the salt - if ( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) { - # Check for migration to another login method and test whether the password was encrypted - # with our previously insecure implemention of the CRYPT method - if ( ( $t_login_method != $t_configured_login_method ) || - ( ( CRYPT == $t_configured_login_method ) && substr( $t_password, 0, 2 ) == substr( $p_test_password, 0, 2 ) ) ) { - user_set_password( $p_user_id, $p_test_password, true ); - } + function auth_does_password_match( $p_user_id, $p_test_password ) { + # + # this one is used all over the place :(..... + # gonna have to try to remove it from the other functions, + # I am not sure how to do this through pear::AUTH + # maybe we could trick it out? 
(This would be a nice thing + # to add to PEAR::Auth) + # + + $_POST["test_username"] = $p_user_id; + $_POST["test_password"] = $p_test_password; + - return true; - } - } + $tmp_pearauthDriver = $pearauthDriver; + $tmp_pearauthOptions = $pearAuthOptions; + $tmp_pearauthOptions["postUsername"] = "test_username"; + $tmp_pearauthOptions["postPassword"] = "test_password"; + $tmp_pearauthOptions["sessionName" ] = "_auth_test"; - return false; - } + + + function noaction($a,$b,$c){} + + $tempauth = new Auth($tmp_pearauthDriver,$tmp_pearauthOptions,"noaction",false); - # -------------------- - # Encrypt and return the plain password given, as appropriate for the current - # global login method. - # - # When generating a new password, no salt should be passed in. - # When encrypting a password to compare to a stored password, the stored - # password should be passed in as salt. If the auth method is CRYPT then - # crypt() will extract the appropriate portion of the stored password as its salt - function auth_process_plain_password( $p_password, $p_salt=null, $p_method=null ) { - $t_login_method = config_get( 'login_method' ); - if ( $p_method !== null ) { - $t_login_method = $p_method; - } + /* give our fake data to the function */ + $retval = $tempauth->checkAuth(); - switch ( $t_login_method ) { - case CRYPT: - # a null salt is the same as no salt, which causes a salt to be generated - # otherwise, use the salt given - $t_processed_password = crypt( $p_password, $p_salt ); - break; - case MD5: - $t_processed_password = md5( $p_password ); - break; - case BASIC_AUTH: - case PLAIN: - default: - $t_processed_password = $p_password; - break; - } + /* nix our temps. 
*/ + unset($tempauth); + unset($_POST["test_username"]); + unset($_POST["test_password"]); + unset($_SESSION["_auth_test"]); + - # cut this off to 32 cahracters which the largest possible string in the database - return substr( $t_processed_password, 0, 32 ); + return $retval; } # -------------------- # Generate a random 12 character password # p_email is unused - function auth_generate_random_password( $p_email ) { + # used for lost passwords, when we can set the passwords though the system. + # + function auth_generate_random_password( $p_email ) { + # + # this on should stay. it is used for creation and resetting of passwords + # (on platforms that support that) + # + $t_val = mt_rand( 0, mt_getrandmax() ) + mt_rand( 0, mt_getrandmax() ); $t_val = md5( $t_val ); @@ -290,7 +237,10 @@ # -------------------- # Set login cookies for the user # If $p_perm_login is true, a long-term cookie is created - function auth_set_cookies( $p_user_id, $p_perm_login=false ) { + function auth_set_cookies( $p_user_id, $p_perm_login=false ) { + # + # used in verify.php + # $t_cookie_string = user_get_field( $p_user_id, 'cookie_string' ); $t_cookie_name = config_get( 'string_cookie' ); 
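Review bot: `auth_does_password_match()` reads `$pearauthDriver` and `$pearAuthOptions`, but those are locals of `auth_api_initialize_auth_object()` that are neither returned nor declared `global`, so `$tmp_pearauthOptions` starts as null and the temporary `Auth` object is built without a DSN or table; expose the options from the initializer (or rebuild them here) before copying them. The nested `function noaction($a,$b,$c){}` is declared on every call, so the second call to this function within one request is a fatal redeclaration — define it once at file scope. `$_POST["test_username"] = $p_user_id;` stores a numeric user id where the backend expects a username; the patch itself uses `user_get_name( $p_user_id )` for this in `auth_set_password()`. Writing the candidate credentials into `$_POST` and a second session container also means any failure between the assignments and the `unset()` calls leaves the plaintext password in request and session state for the rest of the request.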
@@ -304,204 +254,33 @@ } } - # -------------------- - # Clear login cookies, return true if they were cleared - function auth_clear_cookies() { - global $g_script_login_cookie; - - $t_cookies_cleared = false; - - # clear cookie, if not logged in from script - if ($g_script_login_cookie == null) { - $t_cookie_name = config_get( 'string_cookie' ); - $t_cookie_path = config_get( 'cookie_path' ); - - gpc_clear_cookie( $t_cookie_name, $t_cookie_path ); - $t_cookies_cleared = true; - } else { - $g_script_login_cookie = null; - } - return $t_cookies_cleared; - } - - # -------------------- - # Generate a string to use as the identifier for the login cookie - # It is not guaranteed to be unique and should be checked - # The string returned should be 64 characters in length - function auth_generate_cookie_string() { - $t_val = mt_rand( 0, mt_getrandmax() ) + mt_rand( 0, mt_getrandmax() ); - $t_val = md5( $t_val ) . md5( time() ); - - return substr( $t_val, 0, 64 ); - } - - # -------------------- - # Generate a UNIQUE string to use as the identifier for the login cookie - # The string returned should be 64 characters in length - function auth_generate_unique_cookie_string() { - do { - $t_cookie_string = auth_generate_cookie_string(); - } while ( !auth_is_cookie_string_unique( $t_cookie_string ) ); - - return $t_cookie_string; - } - - # -------------------- - # Return true if the cookie login identifier is unique, false otherwise - function auth_is_cookie_string_unique( $p_cookie_string ) { - $t_user_table = config_get( 'mantis_user_table' ); - - $c_cookie_string = db_prepare_string( $p_cookie_string ); - - $query = "SELECT COUNT(*) - FROM $t_user_table - WHERE cookie_string='$c_cookie_string'"; - $result = db_query( $query ); - $t_count = db_result( $result ); - if ( $t_count > 0 ) { - return false; - } else { - return true; - } - } - - # -------------------- - # Return the current user login cookie string, - # note that the cookie cached by a script login superceeds the 
cookie provided by - # the browser. This shouldn't normally matter, except that the password verification uses - # this routine to bypass the normal authentication, and can get confused when a normal user - # logs in, then runs the verify script. the act of fetching config variables may get the wrong - # userid. - # if no user is logged in and anonymous login is enabled, returns cookie for anonymous user - # otherwise returns '' (an empty string) - function auth_get_current_user_cookie() { - global $g_script_login_cookie, $g_cache_anonymous_user_cookie_string, $g_cache_current_user_cookie_string; - - if( isset( $g_cache_current_user_cookie_string ) ) { - return $g_cache_current_user_cookie_string; - } - - # if logging in via a script, return that cookie - if ( $g_script_login_cookie !== null ) { - return $g_script_login_cookie; - } - - # fetch user cookie - $t_cookie_name = config_get( 'string_cookie' ); - $t_cookie = gpc_get_cookie( $t_cookie_name, '' ); - - # if cookie not found, and anonymous login enabled, use cookie of anonymous account. 
- if ( is_blank( $t_cookie ) ) { - if ( ON == config_get( 'allow_anonymous_login' ) ) { - if ( $g_cache_anonymous_user_cookie_string === null ) { - if ( function_exists( 'db_is_connected' ) && db_is_connected() ) { - # get anonymous information if database is available - $query = sprintf('SELECT id, cookie_string FROM %s WHERE username = \'%s\'', - config_get( 'mantis_user_table' ), config_get( 'anonymous_account' ) ); - $result = db_query( $query ); - - if ( 1 == db_num_rows( $result ) ) { - $row = db_fetch_array( $result ); - $t_cookie = $row['cookie_string']; - - $g_cache_anonymous_user_cookie_string = $t_cookie; - $g_cache_current_user_id = $row['id']; - } - } - } else { - $t_cookie = $g_cache_anonymous_user_cookie_string; - } - } - } - - $g_cache_current_user_cookie_string = $t_cookie; - return $t_cookie; - } - - - #=================================== - # Data Access - #=================================== - - ######################################### - # is cookie valid? - - function auth_is_cookie_valid( $p_cookie_string ) { - global $g_cache_current_user_id, $g_cache_cookie_valid; - - # fail if DB isn't accessible - if ( !db_is_connected() ) { - return false; - } - - # fail if cookie is blank - if ( '' === $p_cookie_string ) { - return false; - } - - # succeeed if user has already been authenticated - if ( null !== $g_cache_current_user_id ) { - return true; - } - - # look up cookie in the database to see if it is valid - $t_user_table = config_get( 'mantis_user_table' ); - - $c_cookie_string = db_prepare_string( $p_cookie_string ); - - $query = "SELECT id - FROM $t_user_table - WHERE cookie_string='$c_cookie_string'"; - $result = db_query( $query ); - - # return true if a matching cookie was found - $g_cache_cookie_valid = false; - if( 1 == db_num_rows( $result ) ) { - $g_cache_cookie_valid = true; - return ( true ); - } -} + function auth_set_password($p_user_id, $p_password) + { + global $pearauth; + if( true!== 
$pearauth->changePassword(user_get_name($p_user_id),$p_password)) + { + return false; + } + return true; + } + ######################################### # SECURITY NOTE: cache globals are initialized here to prevent them # being spoofed if register_globals is turned on # $g_cache_current_user_id = null; - function auth_get_current_user_id() { - global $g_cache_current_user_id; - - if ( null !== $g_cache_current_user_id ) { - return $g_cache_current_user_id; - } - - $t_user_table = config_get( 'mantis_user_table' ); - - $t_cookie_string = auth_get_current_user_cookie(); - - # @@@ error with an error saying they aren't logged in? - # Or redirect to the login page maybe? - - $c_cookie_string = db_prepare_string( $t_cookie_string ); - - $query = "SELECT id - FROM $t_user_table - WHERE cookie_string='$c_cookie_string'"; - $result = db_query( $query ); - - # The cookie was invalid. Clear the cookie (to allow people to log in again) - # and give them an Access Denied message. - if ( db_num_rows( $result ) < 1 ) { - auth_clear_cookies(); - access_denied(); # never returns - return false; + global $pearauth; + global $g_cache_current_user_id; + + if ( null == $g_cache_current_user_id ) { + $g_cache_current_user_id = user_get_id_by_name($pearauth->getUsername()); } - $t_user_id = (int)db_result( $result ); - $g_cache_current_user_id = $t_user_id; - - return $t_user_id; + #perhaps we should store all of this on a sucessful login into the auth obj? + return $g_cache_current_user_id; } #=================================== --- core/user_api.php Mon May 07 13:03:06 2007 +++ core/user_api.php Wed Jul 18 01:48:49 2007 
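Review bot: `auth_get_current_user_id()` no longer denies access when there is no authenticated user: `user_get_id_by_name( $pearauth->getUsername() )` returns `false` for an unknown or empty name, and that `false` is cached and handed back as if it were a user id, where the removed code called `access_denied()`. Keep the old contract with `$t_user_id = user_get_id_by_name( $pearauth->getUsername() );` `if ( false === $t_user_id ) { access_denied(); # never returns }` `$g_cache_current_user_id = $t_user_id;`, and test the cache with `null === $g_cache_current_user_id` (with `==`, a cached `false` or `0` also counts as empty). The hunk shows `function auth_get_current_user_id() {` only as a removed line; if that is not a rendering artefact, the new body sits at file scope and the function no longer exists. `auth_set_password()` needs a header comment stating that it delegates to `$pearauth->changePassword()` and returns `false` whenever that call does not return exactly `true`.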
@@ -342,15 +342,15 @@ # Create a user. # returns false if error, the generated cookie string if ok function user_create( $p_username, $p_password, $p_email='', $p_access_level=null, $p_protected=false, $p_enabled=true, $p_realname='' ) { + global $pearauth; + if ( null === $p_access_level ) { $p_access_level = config_get( 'default_new_account_access_level'); } - $t_password = auth_process_plain_password( $p_password ); - + $c_username = db_prepare_string( $p_username ); $c_realname = db_prepare_string( $p_realname ); - $c_password = db_prepare_string( $t_password ); $c_email = db_prepare_string( $p_email ); $c_access_level = db_prepare_int( $p_access_level ); $c_protected = db_prepare_bool( $p_protected ); 
@@ -362,20 +362,46 @@ user_ensure_realname_unique( $p_username, $p_realname ); email_ensure_valid( $p_email ); - $t_seed = $p_email . $p_username; + $t_seed = $p_email . $p_username; + + # + # this is for perma-login.... we could use the $pearAuth->setAuth(string $username) + # to force a login if the cookie is good. + # + + /* $t_cookie_string = auth_generate_unique_cookie_string( $t_seed ); + */ + + /* bypass perma-cookie for now*/ + $t_cookie_string = ""; + $t_user_table = config_get( 'mantis_user_table' ); - - $query = "INSERT INTO $t_user_table - ( username, email, password, date_created, last_visit, - enabled, access_level, login_count, cookie_string, realname ) - VALUES - ( '$c_username', '$c_email', '$c_password', " . db_now() . "," . db_now() . ", - $c_enabled, $c_access_level, 0, '$t_cookie_string', '$c_realname')"; - db_query( $query ); - - # Create preferences for the user - $t_user_id = db_insert_id( $t_user_table ); + + #this will add the user to the auth method. ... + # some auth methods may already have the + # users added, and we would just need to create the rest of the information. + $pearauth->addUser($p_username,$p_password); + + # update the database with the default configuration + $query = "UPDATE $t_user_table SET + email= '$c_email', date_created = " . db_now() . ", last_visit = " . db_now() . ", + enabled = $c_enabled, access_level = $c_access_level, login_count = 0 , cookie_string = '$t_cookie_string', + realname = '$c_realname' + WHERE username = '$c_username';"; + + db_query( $query ); + + # Create preferences for the user + if(db_is_pgsql()) + { + $t_user_id = user_get_id_by_name( $p_username ); + } + else + { + $t_user_id = db_insert_id( $t_user_table ); + } + user_pref_set_default( $t_user_id ); # Users are added with protected set to FALSE in order to be able to update 
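Review bot: `$pearauth->addUser( $p_username, $p_password )` has its return value ignored; if the backend refuses the user, the following `UPDATE ... WHERE username = '$c_username'` matches no row, `user_pref_set_default()` runs with a bogus id and `user_create()` still returns `true`. Check it first: `if ( true !== $pearauth->addUser( $p_username, $p_password ) ) { return false; }`. The insert is performed by PEAR::Auth on its own DSN connection, so `db_insert_id( $t_user_table )` on Mantis's connection is unlikely to yield the new row's id on any driver, not only PostgreSQL; the `user_get_id_by_name( $p_username )` already used in the pgsql branch works for all of them. `$t_seed` is now computed and never used, and every account is created with `cookie_string = ''` although the removed `auth_generate_unique_cookie_string()` path went out of its way to keep that column unique — confirm the schema has no unique index on it before shipping blank values.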
@@ -389,8 +415,9 @@ $t_confirm_hash = auth_generate_confirm_hash( $t_user_id ); email_signup( $t_user_id, $p_password, $t_confirm_hash ); } - - return $t_cookie_string; + + if($t_cookie_string) return $t_cookie_string; + return true; } # -------------------- @@ -1069,21 +1096,11 @@ # -------------------- # Set the user's password to the given string, encoded as appropriate function user_set_password( $p_user_id, $p_password, $p_allow_protected=false ) { - $c_user_id = db_prepare_int( $p_user_id ); - if ( !$p_allow_protected ) { user_ensure_unprotected( $p_user_id ); } - - $t_password = auth_process_plain_password( $p_password ); - $t_user_table = config_get( 'mantis_user_table' ); - $query = "UPDATE $t_user_table - SET password='$t_password' - WHERE id='$c_user_id'"; - db_query( $query ); - - #db_query() errors on failure so: - return true; + + return auth_set_password($p_user_id, $p_password); } # -------------------- @@ -1136,10 +1153,9 @@ if ( ( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) { # Create random password $t_email = user_get_field( $p_user_id, 'email' ); - $t_password = auth_generate_random_password( $t_email ); - $t_password2 = auth_process_plain_password( $t_password ); - - user_set_field( $p_user_id, 'password', $t_password2 ); + $t_password = auth_generate_random_password( $t_email ); + + if(!auth_set_password($p_user_id,$t_password)) return false; # Send notification email if ( $p_send_email ) { @@ -1148,8 +1164,8 @@ } } else { # use blank password, no emailing - $t_password = auth_process_plain_password( '' ); - user_set_field( $p_user_id, 'password', $t_password ); + if(!auth_set_password($p_user_id,$t_password)) return false; + # reset the failed login count because in this mode there is no emailing user_reset_failed_login_count_to_zero( $p_user_id ); } --- login.php Sat Mar 03 07:54:16 2007 +++ login.php Wed Jul 18 01:02:57 2007 
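Review bot: In the `else` branch of the -1148,8 hunk (blank password, no emailing) `$t_password` is assigned only inside the preceding `if` branch, so `auth_set_password( $p_user_id, $t_password )` is called with an undefined variable and the old behaviour of setting an empty password is lost; pass the literal, `if ( !auth_set_password( $p_user_id, '' ) ) return false;`. The enclosing function's signature is outside both the -1136 and -1148 hunks. In the -389,8 hunk `user_create()` now returns either a cookie string or `true`, so its header comment `# returns false if error, the generated cookie string if ok` is no longer accurate and should say `# returns false on error, otherwise true (or the cookie string when perma-login is enabled)`.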
@@ -15,41 +15,17 @@ require_once( 'core.php' ); - $f_username = gpc_get_string( 'username', '' ); - $f_password = gpc_get_string( 'password', '' ); - $f_perm_login = gpc_get_bool( 'perm_login' ); - $f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) ); - $f_from = gpc_get_string( 'from', '' ); + # + # not sure how to support HTTP_AUTH. I didn't see a storage continer for it + # in pear::AUTH. Maybe someone will write it? + # - if ( BASIC_AUTH == config_get( 'login_method' ) ) { - $f_username = $_SERVER['REMOTE_USER']; - $f_password = $_SERVER['PHP_AUTH_PW']; - } - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - if ( !auth_http_is_logout_pending() ) - { - if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) - $f_username = $_SERVER['PHP_AUTH_USER']; - if ( isset( $_SERVER['PHP_AUTH_PW'] ) ) - $f_password = $_SERVER['PHP_AUTH_PW']; - } else { - auth_http_set_logout_pending( false ); - auth_http_prompt(); - return; - } - } - - if ( auth_attempt_login( $f_username, $f_password, $f_perm_login ) ) { + if ( $pearauth->checkAuth() ) { $t_redirect_url = 'login_cookie_test.php?return=' . urlencode( $f_return ); - } else { + } + else + { $t_redirect_url = 'login_page.php?return=' . urlencode( $f_return ) . '&error=1'; - - if ( HTTP_AUTH == config_get( 'login_method' ) ) { - auth_http_prompt(); - exit; - } } - print_header_redirect( $t_redirect_url ); ?> --- login_page.php Sun Jul 23 18:31:28 2006 +++ login_page.php Wed Jul 18 00:22:11 2007 @@ -11,6 +11,7 @@ # Login page POSTs results to login.php # Check to see if the user is already logged in + $g_login_allowed = false; require_once( 'core.php' ); @@ -23,7 +24,7 @@ $f_return = gpc_get_string( 'return', '' ); # Check for HTTP_AUTH. HTTP_AUTH is handled in login.php - +/* if ( HTTP_AUTH == config_get( 'login_method' ) ) { $t_uri = "login.php"; @@ -38,7 +39,7 @@ print_header_redirect( $t_uri ); exit; } - +*/ html_page_top1(); html_page_top2a(); 
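Review bot: `$f_return` is still used on both redirect lines (`'login_cookie_test.php?return=' . urlencode( $f_return )`), but its assignment `$f_return = gpc_get_string( 'return', config_get( 'default_home_page' ) );` was removed, so the variable is undefined — the redirect carries an empty `return`, and under register_globals (which this patch's installer only warns about) it would come straight from the request; restore that line. The removed `HTTP_AUTH`/`BASIC_AUTH` branches are replaced by a comment admitting they are unsupported; if `login_method` can still be set to those values, login.php should report an error rather than silently fall through to `$pearauth->checkAuth()`.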
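Review bot: The HTTP_AUTH block in login_page.php is wrapped in `/* ... */` across the -23,7 and -38,7 hunks instead of being deleted, so the page keeps a path that can never run; remove it and leave `# HTTP_AUTH is not supported by the PEAR::Auth integration; see login.php`. The `$g_login_allowed = false;` added at -11,6 should carry a comment such as `# stop the auth API redirecting back here while rendering the login form` so the coupling to `auth_api_initialize_auth_object()` is visible.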
@@ -183,7 +184,7 @@ ( $t_upgrade_count != ( $t_upgrades_reqd + 10 ) ) ) { # there are 10 optional data escaping fixes that may be present echo '<div class="warning" align="center">'; echo '<p><font color="red"><strong>WARNING:</strong> The database structure may be out of date. Please upgrade <a href="admin/upgrade.php">here</a> before logging in.</font></p>'; - echo '</div>'; + echo '</div>'; } } | ||||
related to | 0003043 | closed | grangeway | support for NTLM authentication |
related to | 0000287 | closed | prescience | authenticate against LDAP |
related to | 0004234 | closed | vboctor | CAS authentication |
related to | 0004010 | closed | dregad | Add NIS authentication as an alternative |
related to | 0003303 | acknowledged | Use X.509 certificate for authentication | |
related to | 0003887 | acknowledged | radius authentcation support [patch] | |
related to | 0003847 | closed | grangeway | CMS Integration (Namrly - Xoops) |
related to | 0007478 | closed | dregad | MS Active Directory Authentication |
related to | 0007432 | closed | vboctor | LDAP integration with Active Directory |
related to | 0006771 | closed | vboctor | LDAP - Allow auth not to require dedicated LDAP account |
related to | 0008012 | closed | dregad | Consider supporting Linux-PAM for authentication |
parent of | 0003068 | closed | grangeway | render_full_name in core/print.php |
has duplicate | 0003394 | closed | grangeway | rely on external source for authentication |
has duplicate | 0007989 | closed | jreese | Multiple or Composite authentication mode for mantisbt |
has duplicate | 0006718 | closed | jreese | Multiple authentification |
has duplicate | 0007791 | closed | atrol | Allow custom login method |
related to | 0004292 | closed | thraxisp | Sign-up sends a password for LDAP |
related to | 0008402 | closed | atrol | Single Sign on for CMS such as Drupal, Joomla, Mambo etc |
related to | 0011219 | acknowledged | Provide OAuth inter-application authentication "tokens" mechanism | |
related to | 0012627 | new | Plugin to enable login based upon Active Directory | |
related to | 0007371 | new | Single signon for PHP-Fusion | |
related to | 0019919 | closed | dregad | New Authentication Method HTTP_AUTH_LDAP |
related to | 0022740 | closed | vboctor | Allowed memory size of 268435456 bytes exhausted |
related to | 0022744 | closed | vboctor | Signup is not working on mantisbt.org/bugs |
We may want to look at the PEAR Authentication module for this. It covers all of the current authentication methods we use and is supposed to be extensible. I wrote a NIS method for it very quickly. |
|
I agree that we should probably support PEAR authentication rather than inventing our own API. I remember I looked at it before and I liked it. It basically provides one interface that can be used to access more than one authentication technique, the nice thing is that they can be mixed, rather than having to use just one technique. So probably we can add Mantis authentication as one of the techniques. Note that the above is from memory so it may not be very accurate. |
|
I did have a look at the PEAR Auth package. It does seem quite interesting. But there are two points to check.
|
|
Perhaps that encapsulating class should also take in the account the possibility that PEAR's Authentication module is not installed/available and fall back to our own authentication in that case? Depends on how likely it is that the Authentication module is not installed (and how difficult it is to install). |
|
The attached files implement PEAR_Auth using the DB container (hardcoded). I needed to patch the postgres ADO in order to get the app to work. I suppose that should be posted under a separate issue. Auth_Container_Array, Auth_Container_DB, Auth_Container_DBLite, Auth_Container_File, Auth_Container_IMAP, Auth_Container_KADM5, Auth_Container_LDAP, Auth_Container_MDB, Auth_Container_MDB2, Auth_Container_Multiple, Auth_Container_PEAR, Auth_Container_POP3, Auth_Container_RADIUS, Auth_Container_SAP, Auth_Container_SMBPasswd, Auth_Container_SOAP, Auth_Container_SOAP5, Auth_Container_vpopmail |
|
Could someone create a wiki page to let me start specifying a requirement list for this issue. |
|
NT, Wiki page created! Go for it. |
|
NT, I had a quick look at the requirements, and I believe it might be useful to have a "Scenarios" or "High Level Requirements" section after the "Introduction" and before we get into the detailed requirements. Following is some sample content that I had in mind:
|
|
Hello vboctor, NT, I took the liberty of placing some comments and ideas in NT's document, in reference to the requirements of vboctor: regards, Niels |
|
What is the status of this? I would really love to use mantis but we already have an intranet user system and I don't want to have to have another login for people to be able to submit bugs. |
|
I am also interested in this feature as well. Could anyone who was previously working on this or who has done anything with this, provide what they know as far a status update? Or did it pretty much stop at a list of requirements? |
|
Hi, |
|
Have there been any plan when this is going to be implemented? 1.2.x or 1.3.x ? |
|
Hi, please consider using http://simplesamlphp.org/ for this - it will be the best solution for putting all the best php apps together! |
|
+1 in regards to http://simplesamlphp.org SimpleSAMLphp is far from trivial to configure but, once configured, it can remove from other webapps a lot of logic related to authentication and user provisioning. For more information about user provisioning, look for module "selfregister" (a module for simplesamlphp). |
|
Hi, I made code modifications and simpleSAMLphp works with MantisBT 1.3.0; however, it would be implemented more nicely if MantisBT had an auth-plugin environment |
|
@dpenezic: Could you please provide more information? Thanks a lot :) |
|
@rgomes1997: You may find the patch, part of the configuration, and the simplesamlphp_api.php file at the following link http://developer.aaiedu.hr/download/ssphp_auth_addon_v.0.1.tar.gz |
|
Any progress on this feature? PEAR Auth based patch looks quite complete and simple. Even the configuration for PEAR Auth is quite simple. So as a default use multiple with variable number of Auth containers defined in config. http://pear.php.net/manual/en/package.authentication.auth.storage.multiple.php |
|
It seems the patch URL provided by @dpenezic is not available any more. So I have attached a copy of the original patch. |
|
I've got the patch from @dpenezic working on Mantis v2.1.0. Is it interesting to the team, and should I create a PR to merge into the core code? |
|
@epenet I had a (very) quick look at your code (https://github.com/epenet/mantisbt/pull/1) As far as I can tell it does not really address the current issue, i.e. implementing authentication via plugins (in the MantisBT sense of the term) - it just adds a new standard authentication method (SAML) which, in a perfect world in which we had auth plugin events, should be developed as a plugin. Anyway, that being said, pull requests are always welcome; here's some comments on your code :
|
|
If there's a chance it might make it into the core functionality, then I'm happy to make the necessary code changes. However, if it will never be brought into the core and is parked until authentication plugins are implemented, then it's hard to be motivated. |
|
Sample Authentication Plugin |
|
What would be the future of LDAP authentication? Will it be moved to AuthPlugin or remain in the core? |
|
MantisBT: master 8e466bb3 2017-03-25 17:10 Details Diff |
Support authentication plugins Provide plugins with the ability to control authentication related flags and provide their own login flows. Fixes 0004235 |
Affected Issues 0004235 |
|
mod - account_page.php | Diff File | ||
mod - admin/check/check_anonymous_inc.php | Diff File | ||
mod - api/rest/restcore/AuthMiddleware.php | Diff File | ||
mod - api_token_create.php | Diff File | ||
mod - api_tokens_page.php | Diff File | ||
mod - core/access_api.php | Diff File | ||
mod - core/antispam_api.php | Diff File | ||
mod - core/api_token_api.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
mod - core/custom_function_api.php | Diff File | ||
mod - core/events_inc.php | Diff File | ||
mod - core/gpc_api.php | Diff File | ||
mod - core/html_api.php | Diff File | ||
mod - core/layout_api.php | Diff File | ||
mod - core/print_api.php | Diff File | ||
mod - core/user_api.php | Diff File | ||
mod - css/status_config.php | Diff File | ||
mod - index.php | Diff File | ||
mod - issues_rss.php | Diff File | ||
mod - login.php | Diff File | ||
mod - login_cookie_test.php | Diff File | ||
mod - login_page.php | Diff File | ||
mod - logout_page.php | Diff File | ||
mod - lost_pwd.php | Diff File | ||
mod - lost_pwd_page.php | Diff File | ||
mod - manage_user_edit_page.php | Diff File | ||
mod - manage_user_reset.php | Diff File | ||
mod - news_rss.php | Diff File | ||
mod - signup.php | Diff File | ||
mod - signup_page.php | Diff File | ||
mod - verify.php | Diff File | ||
MantisBT: master 65438e05 2017-03-25 17:15 Details Diff |
Document EVENT_AUTH_FLAGS event |
Affected Issues 0004235 |
|
mod - docbook/Developers_Guide/en-US/Events_Reference.xml | Diff File | ||
MantisBT: master 7fa0c354 2017-03-25 19:15 Details Diff |
Fix redirect after login Fixes 0004235 |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
MantisBT: master 0cb7683d 2017-03-25 19:30 Details Diff |
Add ‘signup_access_level’ auth flag Fixes 0004235 |
Affected Issues 0004235 |
|
mod - core/antispam_api.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
mod - core/user_api.php | Diff File | ||
MantisBT: master 615be21c 2017-03-25 20:03 Details Diff |
Use auth flags for reauthentication Fixes 0004235 |
Affected Issues 0004235 |
|
mod - core/access_api.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
MantisBT: master ddc9cec7 2017-03-25 20:18 Details Diff |
Reference ‘SampleAuth’ plugin from docs Fixes 0004235 |
Affected Issues 0004235 |
|
mod - docbook/Developers_Guide/en-US/Events_Reference.xml | Diff File | ||
MantisBT: master 0ec31e9b 2017-03-26 15:34 Details Diff |
Use classes for AuthFlags and AuthPlugin - Use classes. - Use chain event rather than first to allow for multiple auth plugins as long as they don’t conflict. |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
add - core/classes/AuthFlags.class.php | Diff File | ||
add - core/classes/AuthPlugin.class.php | Diff File | ||
mod - core/events_inc.php | Diff File | ||
MantisBT: master c76333ac 2017-04-08 10:29 Details Diff |
Keep anonymous access as core feature only Remove control for anonymous access for auth flags. |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master 6fed9b77 2017-04-08 10:52 Details Diff |
Keep signup settings in core only |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master 9734b159 2017-04-08 11:05 Details Diff |
Add a password login page Start with an exact copy of login_page.php so that changes are reviewable. |
Affected Issues 0004235 |
|
add - login_password_page.php | Diff File | ||
MantisBT: master 5f26bfb6 2017-04-08 11:18 Details Diff |
Improve `auth_prepare_username` to use in login |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
MantisBT: master 674363f2 2017-04-08 11:37 Details Diff |
Use paginated sign-in First page - User name - Signup - Anonymous access Second page - Password - Forgot Password - Secure Session - Remember me For plugins, the second page can be replaced with their own. |
Affected Issues 0004235 |
|
mod - login_page.php | Diff File | ||
mod - login_password_page.php | Diff File | ||
MantisBT: master 1d1c9ade 2017-04-08 11:46 Details Diff |
Default username on lost password page |
Affected Issues 0004235 |
|
mod - login_password_page.php | Diff File | ||
mod - lost_pwd_page.php | Diff File | ||
MantisBT: master 02472101 2017-04-08 12:09 Details Diff |
Re-authentication flow to trigger credential page The re-authentication flow now triggers the credentials page since it doesn’t need to ask for username. |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/helper_api.php | Diff File | ||
mod - login_password_page.php | Diff File | ||
MantisBT: master d1f46e1f 2017-04-08 12:44 Details Diff |
Remove API tokens threshold from Auth Flags API tokens can always be created unless user is protected. Protected user can use already created tokens. |
Affected Issues 0004235 |
|
mod - api_token_create.php | Diff File | ||
mod - api_tokens_page.php | Diff File | ||
mod - core/api_token_api.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
mod - core/html_api.php | Diff File | ||
MantisBT: master 1dc4535a 2017-04-08 12:54 Details Diff |
Remove AuthPlugin abstract class |
Affected Issues 0004235 |
|
rm - core/classes/AuthPlugin.class.php | Diff | ||
MantisBT: master 21af4d24 2017-04-08 13:35 Details Diff |
Remove left over api field from AuthFlags |
Affected Issues 0004235 |
|
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master 7ac97abc 2017-04-08 14:13 Details Diff |
Change ‘can set password’ from threshold to bool Since it now applies to a specific user or a default, use bool instead of threshold. |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master cfeab360 2017-04-08 14:15 Details Diff |
Remove redundant method for pwd managed elsewhere |
Affected Issues 0004235 |
|
mod - account_page.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
mod - verify.php | Diff File | ||
MantisBT: master ed305696 2017-04-08 14:25 Details Diff |
Add ‘Enter password for %username’ on pwd page |
Affected Issues 0004235 |
|
mod - lang/strings_english.txt | Diff File | ||
mod - login_password_page.php | Diff File | ||
MantisBT: master 90a6b734 2017-04-08 14:34 Details Diff |
Make ‘can_use_standard_login’ as bool No need for threshold since auth flags are per user. Also no need for a separate can set password, since if standard login is enabled, we check the native auth provider and decide that. |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master 90c02d69 2017-04-08 14:47 Details Diff |
Add credentials page to auth flags and use consts |
Affected Issues 0004235 |
|
mod - config_defaults_inc.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
mod - core/constant_inc.php | Diff File | ||
mod - css/status_config.php | Diff File | ||
mod - login_page.php | Diff File | ||
mod - login_password_page.php | Diff File | ||
mod - lost_pwd_page.php | Diff File | ||
mod - signup.php | Diff File | ||
mod - signup_page.php | Diff File | ||
MantisBT: master f937d876 2017-04-08 15:09 Details Diff |
phpdoc for AuthFlags |
Affected Issues 0004235 |
|
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master 6810b10e 2017-04-08 15:37 Details Diff |
Fixes for per user authentication method |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
mod - login_password_page.php | Diff File | ||
MantisBT: master 1850aaef 2017-04-08 20:02 Details Diff |
Some minor tweaks |
Affected Issues 0004235 |
|
mod - css/status_config.php | Diff File | ||
mod - login_page.php | Diff File | ||
mod - login_password_page.php | Diff File | ||
MantisBT: master 2d5ab946 2017-04-15 22:05 Details Diff |
Code review fixes for Auth Plugins |
Affected Issues 0004235 |
|
mod - core/authentication_api.php | Diff File | ||
mod - core/classes/AuthFlags.class.php | Diff File | ||
MantisBT: master f723ff52 2017-04-16 06:14 Details Diff |
Fix call of undefined function api_token_can_create from html_api.php account_prefs_page.php was broken because of the call Issue 0004235 |
Affected Issues 0004235 |
|
mod - core/html_api.php | Diff File |