From 10a2aa2d8cec3163b6d39208fd9c30a9db7d3bd9 Mon Sep 17 00:00:00 2001
From: christopherm
Date: Mon, 13 Nov 2006 05:53:45 +0000
Subject: fixing double md5()ing of passwords. User::save_member now assumes that a 32 char password that matches the old md5 password means do not change
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@554 4979c152-3d1c-0410-bac9-87ea11338e46
---
 LedgerSMB/User.pm | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
(limited to 'LedgerSMB/User.pm')
diff --git a/LedgerSMB/User.pm b/LedgerSMB/User.pm
index 7eb58a45..4bdb0519 100755
--- a/LedgerSMB/User.pm
+++ b/LedgerSMB/User.pm
@@ -146,6 +146,7 @@ sub fetch_config {
 $myconfig{'dbport'} = '5432';
 }
+ $myconfig{'login'} = $login;
 $myconfig{'dbconnect'} = 'dbi:Pg:dbname='.$myconfig{'dbname'}.';host='.$myconfig{'dbhost'}.';port='.$myconfig{'dbport'};
 }
@@ -717,10 +718,10 @@ sub save_member {
 if($userID){ #got an id, check to see if it's in the users_conf table
- my $userConfCheck = $dbh->prepare("SELECT count(*) FROM users_conf WHERE id = ?");
+ my $userConfCheck = $dbh->prepare("SELECT password, 1 FROM users_conf WHERE id = ?");
 $userConfCheck->execute($userID);
- ($userConfExists) = $userConfCheck->fetchrow_array;
+ ($oldPassword, $userConfExists) = $userConfCheck->fetchrow_array;
 } else{
 my $userConfAdd = $dbh->prepare("SELECT create_user(?);");
@@ -738,7 +739,7 @@ sub save_member {
 dbhost = ?, dbname = ?, dboptions = ?,
 dbpasswd = ?, dbport = ?, dbuser = ?,
 email = ?, fax = ?, menuwidth = ?,
- name = ?, numberformat = ?, password = md5(?),
+ name = ?, numberformat = ?,
 print = ?, printer = ?, role = ?,
 sid = ?, signature = ?, stylesheet = ?,
 tel = ?, templates = ?, timeout = ?,
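Review bot: In the save_member hunk at new line 718, `$oldPassword` is left undefined whenever this fetch returns no row or the stored password is NULL, and it is later compared with `ne` in the hunk at new line 752. Normalising it right after the fetch keeps that comparison well defined: `$oldPassword = '' unless defined $oldPassword;`. No `my` for `$oldPassword` is visible in the hunk, so its declaration presumably has to sit next to that of `$userConfExists`, outside the lines shown. A comment such as `# second column is a constant row-exists flag; password is the stored md5 hex` would explain the `SELECT password, 1`.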
@@ -751,13 +752,25 @@ sub save_member {
 $self->{dbhost}, $self->{dbname}, $self->{dboptions},
 $self->{dbpasswd}, $self->{dbport}, $self->{dbuser},
 $self->{email}, $self->{fax}, $self->{menuwidth},
- $self->{name}, $self->{numberformat}, $self->{password},
+ $self->{name}, $self->{numberformat},
 $self->{print}, $self->{printer}, $self->{role},
 $self->{sid}, $self->{signature}, $self->{stylesheet},
 $self->{tel}, $self->{templates}, $self->{timeout},
 $self->{vclimit}, $userID);
+ if($oldPassword ne $self->{password}){
+ # if they're supplying a 32 char password that matches their old password
+ # assume they don't want to change passwords
+
+ $userConfUpdate = $dbh->prepare("UPDATE users_conf
+ SET password = md5(?)
+ WHERE id = ?");
+
+ $userConfUpdate->execute($self->{password}, $userID);
+
+ }
+
 } else{
--
cgit v1.2.3
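Review bot: The guard `if($oldPassword ne $self->{password})` uses the stored md5 hex string itself as the "leave unchanged" marker, so it only works when callers are handed the stored hash and send it back, and the "32 char" condition in the comment is never tested. Accepting an empty field as "no change" would let callers stop echoing the hash: `if (defined $self->{password} and length $self->{password} and $self->{password} ne $oldPassword) {` (confirm first that nothing relies on saving an empty password). The comment sits on the update path but describes the skipped case; something like `# value differs from the stored hash, so treat it as a new plaintext password` would match the branch. The statement still stores an unsalted `md5(?)`, as the removed line did, which is worth tracking as a separate hardening change. save_member starts and ends outside this hunk.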