Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Just update password hash without validating #11568

Merged
merged 1 commit into from
Oct 3, 2018
Merged

Just update password hash without validating #11568

merged 1 commit into from
Oct 3, 2018

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Oct 2, 2018

Fixes #11097

If your password hash changed (becuse your are on 7.2 and we moved to
ARGON2). Then we shold not 'set a new password' but just update the
hash. As else we invoke the password policy again which might lock out
users.

Signed-off-by: Roeland Jago Douma roeland@famdouma.nl

@rullzer rullzer added this to the Nextcloud 15 milestone Oct 2, 2018
ChristophWurst
ChristophWurst reviewed Oct 2, 2018
View reviewed changes
lib/private/User/Database.php Outdated
@@ -314,7 +314,11 @@ public function checkPassword(string $uid, string $password) {
$newHash = '';
if (\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
if (!empty($newHash)) {
$this->setPassword($uid, $password);
$qb = $this->dbConn->getQueryBuilder()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a bool $silent param instead? I'm not a big fan of this duplication.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fair enough. Extracted the logic to a function

ChristophWurst
ChristophWurst approved these changes Oct 2, 2018
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better 👍 😄

@rullzer
Just update password hash without validating
0c9a3de 
Fixes #11097

If your password hash changed (becuse your are on 7.2 and we moved to
ARGON2). Then we shold not 'set a new password' but just update the
hash. As else we invoke the password policy again which might lock out
users.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer force-pushed the fix/11097/just_update_password_hash branch from e107585 to 0c9a3de Compare October 2, 2018 22:37
@MorrisJobke MorrisJobke merged commit 213d43f into master Oct 3, 2018
@MorrisJobke MorrisJobke deleted the fix/11097/just_update_password_hash branch October 3, 2018 10:08
@rullzer rullzer mentioned this pull request Oct 3, 2018
Merged
@holta holta mentioned this pull request Oct 3, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MorrisJobke MorrisJobke MorrisJobke approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews bug regression
Projects
None yet
Milestone
Nextcloud 15
Development

Successfully merging this pull request may close these issues.
3 participants
@rullzer @MorrisJobke @ChristophWurst