<?php
/* Copyright (c) Anuko International Ltd. https://www.anuko.com
License: See license.txt */
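/**
 * Auth_db class is used to authenticate users against internal DB.
 *
 * Two password storage formats are supported, selected by the
 * AUTH_DB_HASH_ALGORITHM constant:
 *  - non-empty: tt_users.password holds a password_hash() string. It is checked
 *    with password_verify() and transparently upgraded on login when
 *    password_needs_rehash() says the stored hash is out of date.
 *  - empty: tt_users.password holds an unsalted md5() of the password (legacy).
 *    This is a weak store (fast, unsalted, rainbow-table friendly); deployments
 *    should set AUTH_DB_HASH_ALGORITHM so that accounts are migrated.
 *
 * @package TimeTracker
 */
class Auth_db extends Auth {
  /**
   * Authenticate user against internal users DB.
   *
   * Only accounts with status = 1 can log in.
   *
   * @param string $login
   * @param string $password
   * @return mixed array('login' => ..., 'id' => ...) on success, false otherwise
   */
  function authenticate($login, $password)
  {
    $mdb2 = getConnection();

    if (AUTH_DB_HASH_ALGORITHM !== '') {
      return $this->authenticateWithPasswordHash($mdb2, $login, $password);
    }
    return $this->authenticateWithMd5($mdb2, $login, $password);

    // The earlier old_password()/OLD_PASSWORDS and admin@localhost fallback paths
    // were removed; see version control history if they ever need to be restored.
  }

  /**
   * Check $password against a password_hash() value stored in tt_users.password,
   * rehashing it with the current algorithm/options when it is out of date.
   *
   * @param object $mdb2 MDB2 connection from getConnection()
   * @param string $login
   * @param string $password
   * @return mixed array('login' => ..., 'id' => ...) on success, false otherwise
   */
  private function authenticateWithPasswordHash($mdb2, $login, $password)
  {
    $sql = "SELECT id, password AS hash FROM tt_users".
      " WHERE login = ".$mdb2->quote($login)." AND status = 1";
    $res = $mdb2->query($sql);
    if (is_a($res, 'PEAR_Error')) {
      // NOTE(review): die() with the raw driver message exposes DB details to the
      // client. Kept for consistency with the rest of the codebase; prefer logging.
      die($res->getMessage());
    }

    $val = $res->fetchRow();
    if (!isset($val['id']) || !($val['id'] > 0)) {
      // Unknown or disabled login. Returning before password_verify() makes this
      // case measurably faster than a wrong password (a minor user-enumeration
      // timing signal); acceptable for this application, but worth knowing.
      return false;
    }

    // password_verify() is constant-time with respect to the stored hash.
    if (!password_verify($password, $val['hash'])) {
      return false;
    }

    // NOTE(review): the feature switch is AUTH_DB_HASH_ALGORITHM but the rehash
    // uses PASSWORD_ALGORITHM; confirm both constants are defined consistently.
    if (password_needs_rehash($val['hash'], PASSWORD_ALGORITHM, AUTH_DB_HASH_ALGORITHM_OPTIONS)) {
      $newHash = password_hash($password, PASSWORD_ALGORITHM, AUTH_DB_HASH_ALGORITHM_OPTIONS);
      // On PHP < 8 password_hash() returns false on failure; writing that would
      // store an empty password and lock the user out. Skip the upgrade instead --
      // the existing hash has just been verified as valid.
      if (is_string($newHash) && $newHash !== '') {
        // Quote the hash like every other value spliced into SQL, even though the
        // current hash encodings contain no quote characters.
        $sql = "UPDATE tt_users SET password = ".$mdb2->quote($newHash).
          " WHERE id = ".$mdb2->quote($val['id']);
        $affected = $mdb2->exec($sql);
        // Check the result of exec(), not the earlier SELECT result.
        if (is_a($affected, 'PEAR_Error')) {
          die($affected->getMessage());
        }
      }
    }

    return array('login'=>$login,'id'=>$val['id']);
  }

  /**
   * Legacy path: tt_users.password holds md5($password). The comparison is done in
   * SQL with both operands passed through quote(). Unsalted MD5 is not a safe
   * password store; this path exists for compatibility with older installs only.
   *
   * @param object $mdb2 MDB2 connection from getConnection()
   * @param string $login
   * @param string $password
   * @return mixed array('login' => ..., 'id' => ...) on success, false otherwise
   */
  private function authenticateWithMd5($mdb2, $login, $password)
  {
    $sql = "SELECT id FROM tt_users".
      " WHERE login = ".$mdb2->quote($login).
      " AND password = md5(".$mdb2->quote($password).") AND status = 1";
    $res = $mdb2->query($sql);
    if (is_a($res, 'PEAR_Error')) {
      // NOTE(review): see authenticateWithPasswordHash() -- leaks DB error text.
      die($res->getMessage());
    }

    $val = $res->fetchRow();
    if (isset($val['id']) && $val['id'] > 0) {
      return array('login'=>$login,'id'=>$val['id']);
    }
    return false;
  }

  /**
   * Passwords for this backend are stored in the internal DB, not externally.
   *
   * @return bool always false
   */
  function isPasswordExternal() {
    return false;
  }
}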