summaryrefslogtreecommitdiff
path: root/LedgerSMB/Session
diff options
context:
space:
mode:
Diffstat (limited to 'LedgerSMB/Session')
-rwxr-xr-xLedgerSMB/Session/DB.pm66
1 files changed, 59 insertions, 7 deletions
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index 1f215b13..c38d1de1 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -23,6 +23,9 @@
# create - creates a new session, writes cookie upon success
#
# destroy - destroys session
+#
+# password_check - compares the password with the stored cryted password
+# (ver. < 1.2) and the md5 one (ver. >= 1.2)
#====================================================================
package Session;
@@ -112,8 +115,8 @@ sub session_create {
$deleteExisting->execute($login, "$myconfig{timeout} seconds") || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
- #doing the md5 and random stuff in the db so that LedgerSMB won't
- #require new perl modules (Digest::MD5 and a good random generator)
+ #doing the random stuff in the db so that LedgerSMB won't
+ #require a good random generator - maybe this should be reviewed, pgsql's isn't great either
$fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
@@ -134,11 +137,6 @@ sub session_create {
sub session_destroy {
- # Under the current architecture, this function is a bit problematic
- # %myconfig is often not defined when this function needs to be called.
- # which means that the db connection parameters are not available.
- # moving user prefs and the session table into a central db will solve this issue
-
my ($form) = @_;
my $login = $form->{login};
@@ -155,4 +153,58 @@ sub session_destroy {
}
+sub password_check {
+
+ use Digest::MD5;
+
+ my ($form, $username, $password) = @_;
+
+ # use the central database handle
+ my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
+
+ my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ FROM users as u, users_conf as uc
+ WHERE u.username = ?
+ AND u.id = uc.id;");
+
+ $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
+
+ my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+
+ if ($cryptPassword){
+ #First time login from old system, check crypted password
+
+ if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
+
+ #password was good, convert to md5 password and null crypted
+ my $updatePassword = $dbh->prepare("UPDATE users_conf
+ SET password = md5(?),
+ crypted_password = null
+ FROM users
+ WHERE users_conf.id = users.id
+ AND users.username = ?;");
+
+ $updatePassword->execute($password, $username) || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
+
+ return 1;
+
+ } else {
+ return 0; #password failed
+ }
+
+ }elsif ($md5Password){
+
+ if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
+ return 0;
+ }
+ else{
+ return 1;
+ }
+
+ } else {
+ #both the md5Password and cryptPasswords were blank
+ return 0;
+ }
+}
+
1;