From: Reini U. <ru...@x-...> - 2005-02-07 16:41:53
Владимиров Михаил Алексеевич wrote:
>>>2. 'strict' authorization scheme is broken (it tries next
>>>authentication method if previous method says, that user exists, but
>>>password is wrong). I have fixed this bug by deleting several lines
>>>in WikiUserNew.php (first 'if' statement in function _tryNextPass of
>>>class PassUser)

It's not that simple but I found a good fix.

> RU> Thanks!
> I remember another problem. Plugin UserPreferences does not encrypt
> passwords, even if ENCRYPTED_PASSWD is true. I have fixed it in the
> following way:
>
> if (empty($rp['passwd'])) unset($rp['passwd']);
> else $rp['passwd'] = $this->_encryptPassword ($rp['passwd']);
>
> where _encryptPassword () encrypts password if ENCRYPTED_PASSWD is
> true (I used code from script passencrypt.php to implement it).

That's unfortunately wrong, because the user class stores and changes
the passwords. You cannot do that in the plugin.

But I detected the real problem for PersonalPage users in WikiUserNew only.
This _PassUser::changePass method forgot to crypt and more things.
(not foolproof yet)

    function changePass($submitted_password) {
        $stored_password = $this->_prefs->get('passwd');
        // check if authenticated
        if (!$this->isAuthenticated()) return false;
        if (ENCRYPTED_PASSWD) {
            $submitted_password = crypt($submitted_password);
        }
        // check other restrictions, with side-effects only.
        $result = $this->_checkPass($submitted_password, $stored_password);
        if ($stored_password != $submitted_password) {
            $this->_prefs->set('passwd', $submitted_password);
            // update the storage (session, homepage, ...)
            $this->SetPreferences($this->_prefs);
            return true;
        }
        // Todo: return an error msg to the caller what failed?
        // same password or no privilege
        return ENCRYPTED_PASSWD ? true : false;
    }

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
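
Added example, not code from the message above or from PhpWiki: a stand-alone class that keeps hashing inside the user object, as the reply argues, and tests the submitted password against the stored hash with password_verify() rather than comparing two hash strings, because a freshly salted hash of the same password will not match the stored one. DemoPassUser, its methods and the sample passwords are hypothetical, and password_hash()/password_verify() are used here in place of the message's bare crypt() call.

```php
<?php
// Added illustration: DemoPassUser is hypothetical, not PhpWiki's _PassUser.
const ENCRYPTED_PASSWD = true;

class DemoPassUser
{
    private $prefs = [];             // stands in for $this->_prefs
    private $authenticated = false;

    public function __construct($storedPasswd)
    {
        $this->prefs['passwd'] = $storedPasswd;
    }

    // Compare a plaintext candidate with the stored value.
    private function matches($plain, $stored)
    {
        // password_verify() re-derives the hash using the salt kept in $stored.
        return ENCRYPTED_PASSWD
            ? password_verify($plain, $stored)
            : hash_equals($stored, $plain);
    }

    public function login($password)
    {
        return $this->authenticated = $this->matches($password, $this->prefs['passwd']);
    }

    public function changePass($newPassword)
    {
        if (!$this->authenticated) {
            return false;            // caller is not logged in
        }
        if ($this->matches($newPassword, $this->prefs['passwd'])) {
            return false;            // same password, nothing to store
        }
        // Hash inside the user class, so no caller can store plaintext.
        $this->prefs['passwd'] = ENCRYPTED_PASSWD
            ? password_hash($newPassword, PASSWORD_DEFAULT)
            : $newPassword;
        return true;
    }
}

// Constructed sample data.
$user = new DemoPassUser(password_hash('old-secret', PASSWORD_DEFAULT));
var_dump($user->changePass('new-secret'));  // attempted before login
$user->login('old-secret');
var_dump($user->changePass('old-secret'));  // unchanged password
var_dump($user->changePass('new-secret'));  // real change
```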