diff --git a/kernel/classes/datatypes/ezuser/ezldapuser.php b/kernel/classes/datatypes/ezuser/ezldapuser.php index aa4253a041d..ce2cc75b31b 100644 --- a/kernel/classes/datatypes/ezuser/ezldapuser.php +++ b/kernel/classes/datatypes/ezuser/ezldapuser.php @@ -91,14 +91,15 @@ static function loginUser( $login, $password, $authenticationMatch = false ) $exists = true; } - eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(), - $hashType ), "check hash" ); - eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" ); // If current user has been disabled after a few failed login attempts. $canLogin = eZUser::isEnabledAfterFailedLogin( $userID ); if ( $exists ) { + eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(), + $hashType ), "check hash" ); + eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" ); + // We should store userID for warning message. $GLOBALS['eZFailedLoginAttemptUserID'] = $userID; @@ -821,7 +822,7 @@ static function publishUpdateUser( $parentNodeIDs, $defaultUserPlacement, $userA } $user->setAttribute( 'password_hash', "" ); - $user->setAttribute( 'password_hash_type', 0 ); + $user->setAttribute( 'password_hash_type', self::PASSWORD_HASH_EMPTY ); $user->store(); $debugArray = array( 'Updating user data', diff --git a/kernel/classes/datatypes/ezuser/eztextfileuser.php b/kernel/classes/datatypes/ezuser/eztextfileuser.php index 2f132e41b65..01c3a45bba5 100644 --- a/kernel/classes/datatypes/ezuser/eztextfileuser.php +++ b/kernel/classes/datatypes/ezuser/eztextfileuser.php 
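Review bot: The two `eZDebugSetting::writeDebug` calls moved inside `if ( $exists )` in `eZLDAPUser::loginUser` still write the stored password hash, and a hash computed from the submitted password, to the `kernel-user` debug output; for the MD5-based hash types that is credential material sitting in a log. The same pair is moved unchanged in `eZTextFileUser::loginUser` and in `eZUser::_loginUser`. PHP evaluates the `createHash` argument whether or not the debug setting is enabled, and with the `createHash` change in this commit a row whose type is `PASSWORD_HASH_EMPTY` would presumably also emit an error on every login attempt. I would drop both calls or log only non-secret data, e.g. `eZDebugSetting::writeDebug( 'kernel-user', $hashType, "hash type" );`. The body of `loginUser` starts and ends outside the hunk.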
@@ -102,14 +102,15 @@ static function loginUser( $login, $password, $authenticationMatch = false ) $exists = true; } - eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(), - $hashType ), "check hash" ); - eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" ); // If current user has been disabled after a few failed login attempts. $canLogin = eZUser::isEnabledAfterFailedLogin( $userID ); if ( $exists ) { + eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(), + $hashType ), "check hash" ); + eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" ); + // We should store userID for warning message. $GLOBALS['eZFailedLoginAttemptUserID'] = $userID; @@ -279,7 +280,7 @@ static function loginUser( $login, $password, $authenticationMatch = false ) $user->setAttribute( 'login', $login ); $user->setAttribute( 'email', $email ); $user->setAttribute( 'password_hash', "" ); - $user->setAttribute( 'password_hash_type', 0 ); + $user->setAttribute( 'password_hash_type', self::PASSWORD_HASH_EMPTY ); $user->store(); eZUser::updateLastVisit( $userID ); @@ -318,7 +319,7 @@ static function loginUser( $login, $password, $authenticationMatch = false ) $existUser = eZUser::fetch( $userID ); $existUser->setAttribute('email', $email ); $existUser->setAttribute('password_hash', "" ); - $existUser->setAttribute('password_hash_type', 0 ); + $existUser->setAttribute('password_hash_type', self::PASSWORD_HASH_EMPTY ); $existUser->store(); if ( $defaultUserPlacement != $parentNodeID ) diff --git a/kernel/classes/datatypes/ezuser/ezuser.php b/kernel/classes/datatypes/ezuser/ezuser.php index 5eba4218719..2adac67b8a1 100644 --- a/kernel/classes/datatypes/ezuser/ezuser.php +++ b/kernel/classes/datatypes/ezuser/ezuser.php 
@@ -17,6 +17,8 @@ class eZUser extends eZPersistentObject { + /// No hash, used by external handlers such as LDAP and TextFile + const PASSWORD_HASH_EMPTY = 0; /// MD5 of password const PASSWORD_HASH_MD5_PASSWORD = 1; /// MD5 of user and password @@ -123,6 +125,10 @@ static function passwordHashTypeName( $id ) { switch ( $id ) { + case self::PASSWORD_HASH_EMPTY: + { + return 'empty'; + } break; case self::PASSWORD_HASH_MD5_PASSWORD: { return 'md5_password'; @@ -161,6 +167,10 @@ static function passwordHashTypeID( $identifier ) { switch ( $identifier ) { + case 'empty': + { + return self::PASSWORD_HASH_EMPTY; + } break; case 'md5_password': { return self::PASSWORD_HASH_MD5_PASSWORD; @@ -305,8 +315,14 @@ function setInformation( $id, $login, $email, $password, $passwordConfirm = fals if ( eZUser::validatePassword( $password ) and $password === $passwordConfirm ) // Cannot change login or password_hash without login and password { - $this->setAttribute( "password_hash", eZUser::createHash( $login, $password, eZUser::site(), - eZUser::hashType() ) ); + if ( eZUser::hashType() !== self::PASSWORD_HASH_EMPTY ) + { + $this->setAttribute( + "password_hash", + eZUser::createHash( $login, $password, eZUser::site(), eZUser::hashType() ) + ); + } + $this->setAttribute( "password_hash_type", eZUser::hashType() ); } else 
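Review bot: In `setInformation`, when `eZUser::hashType()` is `PASSWORD_HASH_EMPTY` the new guard skips the `password_hash` write but still sets `password_hash_type`, so an existing user keeps the previous hash in the row under type 0. The LDAP and TextFile handlers in this commit store `""` together with the empty type; an `else` branch with `$this->setAttribute( "password_hash", "" );` would keep the two fields consistent and avoid leaving an unused hash in storage. `hashType()` is also called three times in this branch and could be read once into a local. Whether a site can actually select the `'empty'` identifier added to `passwordHashTypeID` as its configured hash type is not visible here and is worth confirming. The function body continues outside the hunk.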
@@ -883,14 +899,15 @@ protected static function _loginUser( $login, $password, $authenticationMatch = } - eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(), - $hashType, $hash ), "check hash" ); - eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" ); // If current user has been disabled after a few failed login attempts. $canLogin = eZUser::isEnabledAfterFailedLogin( $userID ); if ( $exists ) { + eZDebugSetting::writeDebug( 'kernel-user', eZUser::createHash( $userRow['login'], $password, eZUser::site(), + $hashType, $hash ), "check hash" ); + eZDebugSetting::writeDebug( 'kernel-user', $hash, "stored hash" ); + // We should store userID for warning message. $GLOBALS['eZFailedLoginAttemptUserID'] = $userID; @@ -1729,6 +1746,11 @@ static function currentUserID() */ static function authenticateHash( $user, $password, $site, $type, $hash ) { + if ( $user == '' || $password == '' || $type == self::PASSWORD_HASH_EMPTY ) + { + return false; + } + return eZUser::createHash( $user, $password, $site, $type, $hash ) === (string) $hash; } @@ -1877,12 +1899,20 @@ static function createHash( $user, $password, $site, $type, $hash = false ) { $str = password_hash( $password, PASSWORD_DEFAULT ); } - else // self::DEFAULT_PASSWORD_HASH + else { - eZDebug::writeError( "Password hash type ID '$type' is not recognized. " . - 'Defaulting to eZUser::DEFAULT_PASSWORD_HASH.' ); - $str = self::createHash( $user, $password, $site, self::DEFAULT_PASSWORD_HASH, $hash ); + if ( $type == self::PASSWORD_HASH_EMPTY ) + { + eZDebug::writeError( "Cannot create hash of hash type 0 (PASSWORD_HASH_EMPTY)." ); + } + else + { + eZDebug::writeError( "Password hash type ID '$type' is not recognized." ); + } + + return false; } + eZDebugSetting::writeDebug( 'kernel-user', $str, "ezuser($type)" ); return $str; }
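Review bot: The new guard in `authenticateHash` uses loose `==` on `$user`, `$password` and `$type`, and the unchanged return line compares the hashes with `===`, which is not a constant-time comparison. The loose checks fail closed, but explicit casts state the intent and do not depend on PHP's version-specific juggling rules: `if ( (string) $user === '' || (string) $password === '' || (int) $type === self::PASSWORD_HASH_EMPTY )`. For the final comparison I would keep the `createHash` result in a local, return `false` when it is not a string, and otherwise use `hash_equals( (string) $hash, $computed )`. The docblock above the function starts outside the hunk and should state that the empty hash type never authenticates.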
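Review bot: `createHash` now returns `false` for `PASSWORD_HASH_EMPTY` and for unrecognized types instead of falling back to the default hash, so every caller that stores or compares the result has to handle `false`. A caller outside this diff that compares the result loosely against an empty stored hash would see `false == ''` as equal, so it is worth confirming that all comparisons go through `authenticateHash` or use `===`. The function's docblock, which is outside the hunk, should document the `false` return. The first message hard-codes `hash type 0`; building it from the constant, `"Cannot create hash of hash type " . self::PASSWORD_HASH_EMPTY . " (PASSWORD_HASH_EMPTY)."`, keeps it correct if the value ever changes.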