-rwxr-xr-xLedgerSMB/Form.pm24
-rwxr-xr-xLedgerSMB/Session/DB.pm66
-rwxr-xr-xLedgerSMB/User.pm54
-rwxr-xr-xbin/login.pl1
-rwxr-xr-xmenu.pl9
-rwxr-xr-xsql/Pg-central.sql2
6 files changed, 97 insertions, 59 deletions
diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index d514adf7..347f0c78 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -272,8 +272,6 @@ sub header {
$self->{titlebar} = ($self->{title}) ? "$self->{title} - $self->{titlebar}" : $self->{titlebar};
- $self->set_cookie($init);
-
print qq|Content-Type: text/html\n\n
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -295,28 +293,6 @@ sub header {
$self->{header} = 1;
}
-
-sub set_cookie {
-
- my ($self, $init) = @_;
-
- $self->{timeout} = ($self->{timeout} > 0) ? $self->{timeout} : 3600;
- my $t = ($self->{endsession}) ? time : time + $self->{timeout};
-
- if ($ENV{HTTP_USER_AGENT}) {
-
- my @d = split / +/, scalar gmtime($t);
- my $today = "$d[0], $d[2]-$d[1]-$d[4] $d[3] GMT";
-
- if ($init) {
- $self->{sessionid} = time;
- }
-
- print qq|Set-Cookie: LedgerSMB-$self->{login}=$self->{sessionid}; expires=$today; path=/;\n| if $self->{login};
- }
-}
-
-
sub redirect {
my ($self, $msg) = @_;
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index 1f215b13..c38d1de1 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -23,6 +23,9 @@
# create - creates a new session, writes cookie upon success
#
# destroy - destroys session
+#
+# password_check - compares the password with the stored cryted password
+# (ver. < 1.2) and the md5 one (ver. >= 1.2)
#====================================================================
package Session;
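Review bot: The new header comment misspells `crypted` as `cryted` on the password_check line, and it leaves out the one behaviour a caller needs to know about: a successful crypt match is not read-only, it rewrites the user's row to the md5 form and nulls crypted_password (see password_check further down in this file). Suggest `# password_check - compares the password with the stored crypted password (ver. < 1.2) or the md5 one (ver. >= 1.2); a successful crypt match converts the stored hash to md5. Returns 1 on success, 0 otherwise.`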
@@ -112,8 +115,8 @@ sub session_create {
$deleteExisting->execute($login, "$myconfig{timeout} seconds") || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
- #doing the md5 and random stuff in the db so that LedgerSMB won't
- #require new perl modules (Digest::MD5 and a good random generator)
+ #doing the random stuff in the db so that LedgerSMB won't
+ #require a good random generator - maybe this should be reviewed, pgsql's isn't great either
$fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
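Review bot: The rewritten comment on L68-L69 concedes that the database-side random source is weak, but the hunk leaves the token derivation to `$fetchSequence` unchanged, so the session token is only as unpredictable as whatever that (unseen) query uses; if it is PostgreSQL's random(), that is a non-cryptographic generator and tokens are guessable by anyone who observes a few of them. Digest::MD5 is now a hard dependency anyway (password_check loads it), so the "no new perl modules" rationale no longer holds, and a token can be produced in Perl without any module by reading the OS entropy pool: `open my $rnd, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!"; read $rnd, my $raw, 16; my $newToken = unpack 'H*', $raw;`. The query behind $fetchSequence and the rest of session_create are outside this hunk, so the exact source of $newToken should be confirmed there.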
@@ -134,11 +137,6 @@ sub session_create {
sub session_destroy {
- # Under the current architecture, this function is a bit problematic
- # %myconfig is often not defined when this function needs to be called.
- # which means that the db connection parameters are not available.
- # moving user prefs and the session table into a central db will solve this issue
-
my ($form) = @_;
my $login = $form->{login};
@@ -155,4 +153,58 @@ sub session_destroy {
}
+sub password_check {
+
+ use Digest::MD5;
+
+ my ($form, $username, $password) = @_;
+
+ # use the central database handle
+ my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
+
+ my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ FROM users as u, users_conf as uc
+ WHERE u.username = ?
+ AND u.id = uc.id;");
+
+ $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
+
+ my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+
+ if ($cryptPassword){
+ #First time login from old system, check crypted password
+
+ if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
+
+ #password was good, convert to md5 password and null crypted
+ my $updatePassword = $dbh->prepare("UPDATE users_conf
+ SET password = md5(?),
+ crypted_password = null
+ FROM users
+ WHERE users_conf.id = users.id
+ AND users.username = ?;");
+
+ $updatePassword->execute($password, $username) || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
+
+ return 1;
+
+ } else {
+ return 0; #password failed
+ }
+
+ }elsif ($md5Password){
+
+ if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
+ return 0;
+ }
+ else{
+ return 1;
+ }
+
+ } else {
+ #both the md5Password and cryptPasswords were blank
+ return 0;
+ }
+}
+
1;
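Review bot: The scheme this function migrates legacy users onto is unsalted MD5: the stored value is `md5(password)` (L108, and `md5(?)` in save_member) and the live comparison is `Digest::MD5::md5_hex $password` (L124), so two users with the same password share a hash and a leaked users_conf table is directly attackable with precomputed tables. Since the crypt branch already rewrites the stored hash on first login, that is the natural point to move to a salted (ideally iterated) hash rather than cementing plain MD5 into the new `password` column; at minimum the branch needs a comment stating that the conversion produces an unsalted MD5 hex digest. Two smaller points: the `eq`/`ne` comparisons on L104 and L124 are not constant-time (a minor timing side channel), and DES `crypt` only considers the first eight characters, so a typed password that matches the legacy hash in its first eight characters but differs afterwards is exactly what gets stored as the new MD5 — after conversion only that typed string will work, which is acceptable but worth stating in the comment. The SELECT on L92 and the UPDATE on L107-L114 are not in one transaction; that is harmless here because both key on the same username, but a comment saying so would save the next reader the question.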
diff --git a/LedgerSMB/User.pm b/LedgerSMB/User.pm
index 18f4e8d9..a020affb 100755
--- a/LedgerSMB/User.pm
+++ b/LedgerSMB/User.pm
@@ -33,6 +33,7 @@
package LedgerSMB::User;
use LedgerSMB::Sysconfig;
+use LedgerSMB::Session;
use Data::Dumper;
sub new {
@@ -48,12 +49,12 @@ sub new {
# for now, this is querying the table directly... ugly
my $fetchUserPrefs = $dbh->prepare("SELECT acs, address, businessnumber,
company, countrycode, currency,
- dateformat, dbconnect, dbdriver,
- dbhost, dbname, dboptions, dbpasswd,
- dbport, dbuser, email, fax, menuwidth,
- name, numberformat, password, print,
- printer, role, sid, signature, stylesheet,
- tel, templates, timeout, vclimit, u.username
+ dateformat, dbdriver, dbhost, dbname,
+ dboptions, dbpasswd, dbport, dbuser,
+ email, fax, menuwidth, name, numberformat,
+ password, print, printer, role, sid,
+ signature, stylesheet, tel, templates,
+ timeout, vclimit, u.username
FROM users_conf as uc, users as u
WHERE u.username = ?
AND u.id = uc.id;");
@@ -66,6 +67,16 @@ sub new {
$self->{$key} = $value;
}
+ chomp($self->{dbport});
+ chomp($self->{dbname});
+ chomp($self->{dbhost});
+
+ if(! int($self->{dbport})){#in case there's a space or junk in the dbport
+ $self->{dbport} = '5432';
+ }
+
+ $self->{dbconnect} = 'dbi:Pg:dbname='.$self->{dbname}.';host='.$self->{dbhost}.';port='.$self->{dbport};
+
if($self->{username}){
$self->{login} = $login;
}
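Review bot: The port sanitising on L174-L176 does not do what its comment says: `int($self->{dbport})` is only used as a test, so a value such as `"5432 "` or `"5432junk"` is truthy, survives untouched, and is concatenated into the DSN on L178 as-is; only a fully non-numeric or zero port falls back to 5432. Assign the normalised value instead: `$self->{dbport} = int($self->{dbport}) || 5432;`. The same line splices `dbname` and `dbhost` into the DSN without any check, so a `;` in either (they come from users_conf, which save_member writes from form input) would introduce additional DSN attributes; a whitelist such as `die "bad dbname/dbhost in users_conf" unless $self->{dbname} =~ /\A[\w.\/:-]*\z/ && $self->{dbhost} =~ /\A[\w.\/:-]*\z/;` before L178 closes that off. The enclosing `new` continues outside the hunk.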
@@ -113,12 +124,12 @@ sub fetch_config {
# for now, this is querying the table directly... ugly
my $fetchUserPrefs = $dbh->prepare("SELECT acs, address, businessnumber,
company, countrycode, currency,
- dateformat, dbconnect, dbdriver,
- dbhost, dbname, dboptions, dbpasswd,
- dbport, dbuser, email, fax, menuwidth,
- name, numberformat, password, print,
- printer, role, sid, signature, stylesheet,
- tel, templates, timeout, vclimit
+ dateformat, dbdriver, dbhost, dbname,
+ dboptions, dbpasswd, dbport, dbuser,
+ email, fax, menuwidth, name, numberformat,
+ password, print, printer, role, sid,
+ signature, stylesheet, tel, templates,
+ timeout, vclimit, u.username
FROM users_conf as uc, users as u
WHERE u.username = ?
AND u.id = uc.id;");
@@ -130,20 +141,25 @@ sub fetch_config {
while ( my ($key, $value) = each(%{$userHashRef}) ) {
$myconfig{$key} = $value;
}
+
+ if(! int($myconfig{'dbport'})){#in case there's a space or junk in the dbport
+ $myconfig{'dbport'} = '5432';
+ }
+
+ $myconfig{'dbconnect'} = 'dbi:Pg:dbname='.$myconfig{'dbname'}.';host='.$myconfig{'dbhost'}.';port='.$myconfig{'dbport'};
}
return \%myconfig;
}
sub login {
- use Digest::MD5;
my ($self, $form) = @_;
my $rc = -1;
if ($self->{login} ne "") {
- if ($self->{password} ne (Digest::MD5::md5_hex $form->{password}) ) {
+ if (! Session::password_check($form, $form->{login}, $form->{password})) {
return -1;
}
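Review bot: The DSN assembly added on L207-L211 duplicates the one in `new` but without the `chomp` calls, so a `dbport` of `"5432\n"` passes the `int()` test untouched and the newline ends up inside the connection string; the test itself also never assigns, so `"5432 "` or `"5432junk"` survive into `port=` as well. Both copies should be replaced by one helper that trims the three fields, normalises the port with `int(...) || 5432`, and rejects `;`/`=` in dbname/dbhost before concatenation, called from both `new` and `fetch_config` (sketch below). In `login`, the guard on L219 tests `$self->{login}` but the credential checked on L221 is `$form->{login}`; presumably these hold the same value, but passing `$self->{login}` would make the binding explicit. fetch_config's start and login's end lie outside the hunk.
```perl
# Normalise the raw users_conf fields and assemble the DBI DSN from them.
# Shared by new() and fetch_config() so both apply the same checks.
sub _build_dbconnect {
    my ($cfg) = @_;

    for my $key (qw(dbname dbhost dbport)) {
        $cfg->{$key} = '' unless defined $cfg->{$key};
        $cfg->{$key} =~ s/\A\s+|\s+\z//g;    # stray newlines/spaces from the table
    }

    # int() of non-numeric text is 0, so junk falls back to the default port
    $cfg->{dbport} = int($cfg->{dbport}) || 5432;

    # these are spliced into the DSN unescaped; refuse anything that could
    # introduce further DSN attributes (';' or '=')
    for my $key (qw(dbname dbhost)) {
        die "invalid $key in users_conf: '$cfg->{$key}'"
            unless $cfg->{$key} =~ /\A[\w.\/:-]*\z/;
    }

    $cfg->{dbconnect} = 'dbi:Pg:dbname=' . $cfg->{dbname}
                      . ';host=' . $cfg->{dbhost}
                      . ';port=' . $cfg->{dbport};
    return $cfg->{dbconnect};
}

# … unchanged: fetch_config prefs loop …
_build_dbconnect(\%myconfig);    # replaces the inline int()/concat block
```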
@@ -719,7 +735,7 @@ sub save_member {
my $userConfUpdate = $dbh->prepare("UPDATE users_conf
SET acs = ?, address = ?, businessnumber = ?,
company = ?, countrycode = ?, currency = ?,
- dateformat = ?, dbconnect = ?, dbdriver = ?,
+ dateformat = ?, dbdriver = ?,
dbhost = ?, dbname = ?, dboptions = ?,
dbpasswd = ?, dbport = ?, dbuser = ?,
email = ?, fax = ?, menuwidth = ?,
@@ -732,7 +748,7 @@ sub save_member {
$userConfUpdate->execute($self->{acs}, $self->{address}, $self->{businessnumber},
$self->{company}, $self->{countrycode}, $self->{currency},
- $self->{dateformat}, $self->{dbconnect}, $self->{dbdriver},
+ $self->{dateformat}, $self->{dbdriver},
$self->{dbhost}, $self->{dbname}, $self->{dboptions},
$self->{dbpasswd}, $self->{dbport}, $self->{dbuser},
$self->{email}, $self->{fax}, $self->{menuwidth},
@@ -748,7 +764,7 @@ sub save_member {
my $userConfInsert = $dbh->prepare("INSERT INTO users_conf(acs, address, businessnumber,
company, countrycode, currency,
- dateformat, dbconnect, dbdriver,
+ dateformat, dbdriver,
dbhost, dbname, dboptions, dbpasswd,
dbport, dbuser, email, fax, menuwidth,
name, numberformat, print, printer, role,
@@ -756,11 +772,11 @@ sub save_member {
timeout, vclimit, id, password)
VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
- ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, md5(?));");
+ ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, md5(?));");
$userConfInsert->execute($self->{acs}, $self->{address}, $self->{businessnumber},
$self->{company}, $self->{countrycode}, $self->{currency},
- $self->{dateformat}, $self->{dbconnect}, $self->{dbdriver},
+ $self->{dateformat}, $self->{dbdriver},
$self->{dbhost}, $self->{dbname}, $self->{dboptions},
$self->{dbpasswd}, $self->{dbport}, $self->{dbuser},
$self->{email}, $self->{fax}, $self->{menuwidth},
diff --git a/bin/login.pl b/bin/login.pl
index a1f225d8..90de3d48 100755
--- a/bin/login.pl
+++ b/bin/login.pl
@@ -337,6 +337,7 @@ sub login {
}
}
+ Session::session_create($form);
$form->redirect;
}
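Review bot: `Session::session_create($form)` on L269 is now the only place a session cookie can be emitted, because this commit deletes Form::set_cookie, and it runs immediately before `$form->redirect`; the `Set-Cookie` header that session_create writes (per the DB.pm header comment) therefore has to be printed before redirect terminates the HTTP header block, and the call must be unreachable on a failed password check. Both conditions depend on code outside this hunk (the `login` sub starts earlier and redirect lives in Form.pm), so a one-line comment here should pin the contract: `# must run before redirect(): it emits the Set-Cookie header for the new session`.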
diff --git a/menu.pl b/menu.pl
index b55144ec..a1166a90 100755
--- a/menu.pl
+++ b/menu.pl
@@ -150,7 +150,6 @@ if ($form->{action}) {
1;
# end
-
sub check_password {
if ($myconfig{password}) {
@@ -158,7 +157,7 @@ sub check_password {
require "bin/pw.pl";
if ($form->{password}) {
- if ($myconfig{password} ne (Digest::MD5::md5_hex $form->{password})) {
+ if (! Session::password_check($form, $form->{login}, $form->{password})) {
if ($ENV{HTTP_USER_AGENT}) {
&getpassword;
} else {
@@ -178,12 +177,6 @@ sub check_password {
$cookie{$name} = $value;
}
- if ($form->{action} ne 'display') {
- if ((! $cookie{"LedgerSMB-$form->{login}"}) || $cookie{"LedgerSMB-$form->{login}"} ne $form->{sessionid}) {
- &getpassword(1);
- exit;
- }
- }
#check for valid session
if(!Session::session_check($cookie{"LedgerSMB"}, $form)){
&getpassword(1);
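Review bot: With the per-login `LedgerSMB-$form->{login}` cookie check removed, the only thing tying the request to a user is `Session::session_check($cookie{"LedgerSMB"}, $form)` on L300, and the cookie name no longer carries the login; unless session_check compares the session row's login against `$form->{login}` (it receives $form, so presumably it does), a valid session for one user combined with a different `login=` form parameter would act on the other user's configuration, since %myconfig appears to be loaded from that parameter. Worth confirming and documenting at the call site: `# session_check must bind the session row to $form->{login}; the cookie alone is not user-specific`. Note too that the check now also runs for `action=display`, which the removed code exempted — a tightening, probably intended, but it belongs in the commit message. check_password's start is outside the hunk.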
diff --git a/sql/Pg-central.sql b/sql/Pg-central.sql
index 804bf965..1b9c755b 100755
--- a/sql/Pg-central.sql
+++ b/sql/Pg-central.sql
@@ -14,7 +14,6 @@ CREATE TABLE users_conf(id integer primary key references users(id) deferrable i
countrycode text,
currency text,
dateformat text,
- dbconnect text,
dbdriver text default 'Pg',
dbhost text default 'localhost',
dbname text,
@@ -28,6 +27,7 @@ CREATE TABLE users_conf(id integer primary key references users(id) deferrable i
name text,
numberformat text,
password varchar(32) check(length(password) = 32),
+ crypted_password text,
print text,
printer text,
role text,
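Review bot: The new `crypted_password text` column carries no hint that it is transitional, while the code that consumes it (Session::password_check) treats it as the legacy pre-1.2 crypt(3) hash and nulls it on the first successful login; a maintainer reading the schema alone would not know the column is expected to be NULL for migrated users. Suggest a column comment: `crypted_password text, -- legacy crypt(3) hash from pre-1.2 data; cleared by password_check on first successful login, normally NULL`. Since password_check salts that hash with only the first two characters of the username, leaving these values in place longer than necessary is undesirable, so the upgrade notes should push users to log in (or have passwords reset) soon after migration.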