

EZP-29703: Legacy LDAP users cause error message on login (#1394)
* EZP-29703: Legacy LDAP users cause error message on login
glye authored and andrerom committed Apr 29, 2019
1 parent 078fa45 commit 01930a9
Showing 3 changed files with 50 additions and 18 deletions.
9 changes: 5 additions & 4 deletions kernel/classes/datatypes/ezuser/ezldapuser.php
Expand Up @@ -91,14 +91,15 @@ static function loginUser( $login, $password, $authenticationMatch = false )
$exists = true;
}

eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(),
$hashType ), "check hash" );
eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" );
// If current user has been disabled after a few failed login attempts.
$canLogin = eZUser::isEnabledAfterFailedLogin( $userID );

if ( $exists )
{
eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(),
$hashType ), "check hash" );
eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" );

// We should store userID for warning message.
$GLOBALS['eZFailedLoginAttemptUserID'] = $userID;

Expand Down Expand Up @@ -821,7 +822,7 @@ static function publishUpdateUser( $parentNodeIDs, $defaultUserPlacement, $userA
}

$user->setAttribute( 'password_hash', "" );
$user->setAttribute( 'password_hash_type', 0 );
$user->setAttribute( 'password_hash_type', self::PASSWORD_HASH_EMPTY );
$user->store();

$debugArray = array( 'Updating user data',
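Review bot: The relocated "check hash" debug write inside `if ( $exists )` still calls `eZUser::createHash( $userRow['login'], $password, eZUser::site(), $hashType )`; if `$hashType` here is the stored `password_hash_type` of a legacy LDAP row, which this commit defines as `PASSWORD_HASH_EMPTY`, the new else branch of `createHash` in ezuser.php logs "Cannot create hash of hash type 0" and returns `false`, so the error this commit sets out to remove is still emitted for every existing LDAP user — `$hashType` is assigned above the hunk, so this needs confirming against the full function. A guard such as `if ( $hashType != eZUser::PASSWORD_HASH_EMPTY )` around the two debug writes, or dropping the "check hash" line for external handlers that never verify against a stored hash, would close that. The same pattern appears in the corresponding hunk of eztextfileuser.php and in `_loginUser` in ezuser.php. Note that both debug writes emit credential-derived material (a hash of the submitted password and the stored hash) to the `kernel-user` debug channel, and moving them behind `$exists` does not change what they reveal. `loginUser` starts before and continues after this hunk.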
11 changes: 6 additions & 5 deletions kernel/classes/datatypes/ezuser/eztextfileuser.php
Expand Up @@ -102,14 +102,15 @@ static function loginUser( $login, $password, $authenticationMatch = false )
$exists = true;
}

eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(),
$hashType ), "check hash" );
eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" );
// If current user has been disabled after a few failed login attempts.
$canLogin = eZUser::isEnabledAfterFailedLogin( $userID );

if ( $exists )
{
eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(),
$hashType ), "check hash" );
eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" );

// We should store userID for warning message.
$GLOBALS['eZFailedLoginAttemptUserID'] = $userID;

Expand Down Expand Up @@ -279,7 +280,7 @@ static function loginUser( $login, $password, $authenticationMatch = false )
$user->setAttribute( 'login', $login );
$user->setAttribute( 'email', $email );
$user->setAttribute( 'password_hash', "" );
$user->setAttribute( 'password_hash_type', 0 );
$user->setAttribute( 'password_hash_type', self::PASSWORD_HASH_EMPTY );
$user->store();

eZUser::updateLastVisit( $userID );
Expand Down Expand Up @@ -318,7 +319,7 @@ static function loginUser( $login, $password, $authenticationMatch = false )
$existUser = eZUser::fetch( $userID );
$existUser->setAttribute('email', $email );
$existUser->setAttribute('password_hash', "" );
$existUser->setAttribute('password_hash_type', 0 );
$existUser->setAttribute('password_hash_type', self::PASSWORD_HASH_EMPTY );
$existUser->store();

if ( $defaultUserPlacement != $parentNodeID )
48 changes: 39 additions & 9 deletions kernel/classes/datatypes/ezuser/ezuser.php
Expand Up @@ -17,6 +17,8 @@

class eZUser extends eZPersistentObject
{
/// No hash, used by external handlers such as LDAP and TextFile
const PASSWORD_HASH_EMPTY = 0;
/// MD5 of password
const PASSWORD_HASH_MD5_PASSWORD = 1;
/// MD5 of user and password
Expand Down Expand Up @@ -123,6 +125,10 @@ static function passwordHashTypeName( $id )
{
switch ( $id )
{
case self::PASSWORD_HASH_EMPTY:
{
return 'empty';
} break;
case self::PASSWORD_HASH_MD5_PASSWORD:
{
return 'md5_password';
Expand Down Expand Up @@ -161,6 +167,10 @@ static function passwordHashTypeID( $identifier )
{
switch ( $identifier )
{
case 'empty':
{
return self::PASSWORD_HASH_EMPTY;
} break;
case 'md5_password':
{
return self::PASSWORD_HASH_MD5_PASSWORD;
Expand Down Expand Up @@ -305,8 +315,14 @@ function setInformation( $id, $login, $email, $password, $passwordConfirm = fals
if ( eZUser::validatePassword( $password ) and
$password === $passwordConfirm ) // Cannot change login or password_hash without login and password
{
$this->setAttribute( "password_hash", eZUser::createHash( $login, $password, eZUser::site(),
eZUser::hashType() ) );
if ( eZUser::hashType() !== self::PASSWORD_HASH_EMPTY )
{
$this->setAttribute(
"password_hash",
eZUser::createHash( $login, $password, eZUser::site(), eZUser::hashType() )
);
}

$this->setAttribute( "password_hash_type", eZUser::hashType() );
}
else
Expand Down Expand Up @@ -883,14 +899,15 @@ protected static function _loginUser( $login, $password, $authenticationMatch =

}

eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(),
$hashType, $hash ), "check hash" );
eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" );
// If current user has been disabled after a few failed login attempts.
$canLogin = eZUser::isEnabledAfterFailedLogin( $userID );

if ( $exists )
{
eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(),
$hashType, $hash ), "check hash" );
eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" );

// We should store userID for warning message.
$GLOBALS['eZFailedLoginAttemptUserID'] = $userID;

Expand Down Expand Up @@ -1729,6 +1746,11 @@ static function currentUserID()
*/
static function authenticateHash( $user, $password, $site, $type, $hash )
{
if ( $user == '' || $password == '' || $type == self::PASSWORD_HASH_EMPTY )
{
return false;
}

return eZUser::createHash( $user, $password, $site, $type, $hash ) === (string) $hash;
}

Expand Down Expand Up @@ -1877,12 +1899,20 @@ static function createHash( $user, $password, $site, $type, $hash = false )
{
$str = password_hash( $password, PASSWORD_DEFAULT );
}
else // self::DEFAULT_PASSWORD_HASH
else
{
eZDebug::writeError( "Password hash type ID '$type' is not recognized. " .
'Defaulting to eZUser::DEFAULT_PASSWORD_HASH.' );
$str = self::createHash( $user, $password, $site, self::DEFAULT_PASSWORD_HASH, $hash );
if ( $type == self::PASSWORD_HASH_EMPTY )
{
eZDebug::writeError( "Cannot create hash of hash type 0 (PASSWORD_HASH_EMPTY)." );
}
else
{
eZDebug::writeError( "Password hash type ID '$type' is not recognized." );
}

return false;
}

eZDebugSetting::writeDebug( 'kernel-user', $str, "ezuser($type)" );
return $str;
}
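Review bot: In the `setInformation` hunk, when `eZUser::hashType()` is `PASSWORD_HASH_EMPTY` the new branch skips writing `password_hash` but still sets `password_hash_type` to `EMPTY`, so any previously stored hash stays in the row under a type that no longer describes it; the LDAP and TextFile handlers in this same commit blank the hash explicitly whenever they set the type to `EMPTY`, and this method should do the same, `else { $this->setAttribute( "password_hash", "" ); }`. The new `authenticateHash` guard rejects `EMPTY` rows outright, so the stale hash is not usable on that path, but leaving it in the database is the kind of inconsistency that surfaces later in migrations or audits. Separately, `createHash` now returns `false` from its else branch, which changes its contract from `string` to `string|false`; its docblock sits above the hunk and should gain `@return string|false`. Both `$type == self::PASSWORD_HASH_EMPTY` checks compare an int constant loosely, and since `$type` may arrive as a string from the database an explicit `(int) $type === self::PASSWORD_HASH_EMPTY` states the intent without relying on PHP's version-dependent loose rules.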

