}
// password needs to be encrypted
else if ($name == "password" && !empty($value)) {
- $user->password = md5($value);
+ $user->password = hash_internal_user_password($value);
}
else if ($name == "username") {
$user->username = addslashes(moodle_strtolower($value));
$user->firstname = get_string("admin");
$user->lastname = get_string("user");
$user->username = "admin";
- $user->password = md5("admin");
+ $user->password = hash_internal_user_password("admin");
$user->email = "root@localhost";
$user->confirmed = 1;
$user->lang = $CFG->lang;
// user exists exterally
// check username/password internally
if ($user = get_record('user', 'username', $username)) {
- return ($user->password == md5($password));
+ return validate_internal_user_password($user, $password);
}
} else {
// user does not exist externally
global $CFG;
- if (! $user = get_record('user', 'username', $username)) {
- return false;
+ if ($user = get_record('user', 'username', $username)) {
+ return validate_internal_user_password($user, $password);
}
-
- return ($user->password == md5($password));
+
+ return false;
}
// Returns true if the username and password work
if ($user = get_record('user', 'username', $username)) {
- return ($user->password == md5($password));
+ return validate_internal_user_password($user, $password);
}
return false;
// Returns true if the username and password work
if ($user = get_record('user', 'username', $username)) {
- return ($user->password == md5($password));
+ return validate_internal_user_password($user, $password);
}
return true;
/// USER DATABASE ////////////////////////////////////////////////
-/**
- * Does this username and password specify a valid admin user?
- *
- * @uses $CFG
- * @param string $username The name of the user to be tested for admin rights
- * @param string $md5password The password supplied by the user in md5 encrypted format.
- * @return bool
- */
-function adminlogin($username, $md5password) {
-
- global $CFG;
-
- return record_exists_sql("SELECT u.id
- FROM {$CFG->prefix}user u,
- {$CFG->prefix}user_admins a
- WHERE u.id = a.userid
- AND u.username = '$username'
- AND u.password = '$md5password'");
-}
-
/**
* Get the guest user information from the database
*
$newuser->auth = (empty($auth)) ? $CFG->auth : $auth;
$newuser->username = $username;
- if(empty($CFG->{$newuser->auth.'_preventpassindb'})){ //Prevent passwords in Moodle's DB
- $newuser->password = md5($password);
- } else {
- $newuser->password = 'not cached'; //Unusable password
- }
+ update_internal_user_password($newuser, $password, false);
$newuser->lang = $CFG->lang;
$newuser->confirmed = 1;
$newuser->lastIP = getremoteaddr();
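Review bot: The call `update_internal_user_password($newuser, $password, false)` runs the helper's `$user->password != $hashedpassword` check before assigning, and as far as this hunk shows `$newuser->password` has not been set on the freshly built record, so the first call reads an undefined property (a notice under E_ALL). Initialising the field first, `$newuser->password = '';`, keeps that comparison well-defined without changing the stored result. Ignoring the return value is acceptable here because with the third argument false the helper only mutates the object and always returns true. The enclosing function starts and ends outside the hunk.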
global $CFG;
- $md5password = md5($password);
-
// First try to find the user in the database
if (!$user = get_complete_user_data('username', $username)) {
if (empty($user->auth)) { // For some reason auth isn't set yet
set_field('user', 'auth', $auth, 'username', $username);
}
- if (empty($CFG->{$user->auth.'_preventpassindb'})){ //Calculate the password to update
- $passfield = $md5password;
- } else {
- $passfield = 'not cached';
- }
- if ($passfield <> $user->password) { // Update local copy of password for reference
- set_field('user', 'password', $passfield, 'username', $username); //Update password
- }
+ update_internal_user_password($user, $password);
if (!is_internal_auth()) { // update user record from external DB
$user = update_user_record($username);
}
}
}
+/**
+ * Compare password against hash stored in local user table.
+ * If necessary it also updates the stored hash to new format.
+ *
+ * @param object user
+ * @param string plain text password
+ * @return bool is password valid?
+ */
+function validate_internal_user_password(&$user, $password) {
+ global $CFG;
+
+ $validated = false;
+
+ if (!empty($CFG->unicodedb)) {
+ $textlib = textlib_get_instance();
+ $convpassword = $textlib->convert($password, 'UTF-8', get_string('oldcharset'));
+ } else {
+ $convpassword = false;
+ }
+
+ if ($user->password == md5($password)) {
+ $validated = true;
+ } elseif ($convpassword !== false && $user->password == md5($convpassword)) {
+ $validated = true;
+ }
+
+ if ($validated) {
+ update_internal_user_password($user, $password);
+ }
+
+ return $validated;
+}
+
+/**
+ * Calculate hashed value from password using current hash mechanism.
+ * This mechanism might change in future, older methodes are handled in validate_internal_user_password()
+ *
+ * @param string password
+ * @return string password hash
+ */
+function hash_internal_user_password($password) {
+ return md5($password);
+}
+
+/**
+ * Update pssword hash in user object.
+ *
+ * @param object user
+ * @param string plain text password
+ * @param bool store changes also in db, default true
+ * @return true if hash changed
+ */
+function update_internal_user_password(&$user, $password, $storeindb=true) {
+ global $CFG;
+
+ if (!empty($CFG->{$user->auth.'_preventpassindb'})) {
+ $hashedpassword = 'not cached';
+ } else {
+ $hashedpassword = hash_internal_user_password($password);
+ }
+
+ if ($user->password != $hashedpassword) {
+ if ($storeindb) {
+ if (!set_field('user', 'password', $hashedpassword, 'username', $user->username)) {
+ return false;
+ }
+ }
+ $user->password = $hashedpassword;
+ }
+ return true;
+}
+
/**
* Get a complete user record, which includes all the info
* in the user record, as well as membership information
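Review bot: Both digest comparisons in validate_internal_user_password use `==`, which in PHP compares numeric-looking strings numerically, so two different hex digests of the form `0e<digits>` compare equal; change them to `$user->password === md5($password)` and `$user->password === md5($convpassword)`. hash_internal_user_password still returns an unsalted md5, so the new abstraction centralises the scheme but does not yet strengthen storage; its docblock should say so, e.g. `// unsalted md5 kept for compatibility with existing user.password values; when replaced by a salted hash, validate_internal_user_password() migrates stored hashes on login`. In the authenticate_user_login part of this hunk, `update_internal_user_password($user, $password)` builds the `_preventpassindb` key from `$user->auth`, but the preceding `empty($user->auth)` branch only writes the value to the database via set_field and, as far as the visible lines show, leaves `$user->auth` empty, so the plugin's setting is looked up under the wrong key and the hash may be written to the database against the plugin's wishes; adding `$user->auth = $auth;` inside that branch fixes it. That enclosing function starts outside the hunk.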
require_once('../config.php');
- $id = optional_param('id', SITEID);
+ $id = optional_param('id', SITEID, PARAM_INT);
//HTTPS is potentially required in this page
httpsrequired();
update_login_count();
if (!count((array)$err)) {
- $username = $frm->username;
- $password = md5($frm->newpassword1);
-
- $user = get_complete_user_data('username', $username);
+ $user = get_complete_user_data('username', $frm->username);
if (isguest($user->id)) {
error('Can\'t change guest password!');
}
if (is_internal_auth($user->auth)){
- if (set_field('user', 'password', $password, 'username', $username)) {
- $user->password = $password;
- } else {
+ if (!update_internal_user_password($user, $frm->newpassword1)) {
error('Could not set the new password');
}
} else { // external users
if (function_exists('auth_user_update_password')){
// note that we pass cleartext password
if (auth_user_update_password($user->username, $frm->newpassword1)){
- $user->password = $password;
+ update_internal_user_password($user, $frm->newpassword1, false);
} else {
error('Could not set the new password');
}
require_once("../config.php");
- $loginguest = optional_param('loginguest', false); // determines whether visitors are logged in as guest automatically
+ $loginguest = optional_param('loginguest', 0, PARAM_BOOL); // determines whether visitors are logged in as guest automatically
/// Check for timed out sessions
if (!empty($SESSION->has_timed_out)) {
if (! record_exists("user", "username", "guest")) {
$guest->auth = "manual";
$guest->username = "guest";
- $guest->password = md5("guest");
+ $guest->password = hash_internal_user_password("guest");
$guest->firstname = addslashes(get_string("guestuser"));
$guest->lastname = " ";
$guest->email = "root@localhost";
if (count((array)$err) == 0) {
$plainpass = $user->password;
- $user->password = md5($user->password);
+ $user->password = hash_internal_user_password($plainpass);
$user->confirmed = 0;
$user->lang = current_language();
$user->firstaccess = time();
if (isadmin()) {
if (!empty($usernew->newpassword)) {
- $usernew->password = md5($usernew->newpassword);
+ $usernew->password = hash_internal_user_password($usernew->newpassword);
// update external passwords
if (!empty($CFG->{'auth_'. $user->auth.'_stdchangepassword'})) {
if (function_exists('auth_user_update_password')){