diff options
Diffstat (limited to 'classes/pref')
-rw-r--r-- | classes/pref/prefs.php | 24 | ||||
-rw-r--r-- | classes/pref/users.php | 22 |
2 files changed, 11 insertions, 35 deletions
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index 5fe4f1bbf..f61f0f038 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -1038,19 +1038,6 @@ class Pref_Prefs extends Handler_Protected { } } - static function _is_default_password() { - $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]); - - if ($authenticator && - method_exists($authenticator, "check_password") && - $authenticator->check_password($_SESSION["uid"], "password")) { - - return true; - } - - return false; - } - function otpdisable() { $password = clean($_REQUEST["password"]); @@ -1404,12 +1391,6 @@ class Pref_Prefs extends Handler_Protected { <?php } - private function _encrypt_app_password($password) { - $salt = substr(bin2hex(get_random_bytes(24)), 0, 24); - - return "SSHA-512:".hash('sha512', $salt . $password). ":$salt"; - } - function deleteAppPassword() { $ids = explode(",", clean($_REQUEST['ids'])); $ids_qmarks = arr_qmarks($ids); @@ -1423,7 +1404,8 @@ class Pref_Prefs extends Handler_Protected { function generateAppPassword() { $title = clean($_REQUEST['title']); $new_password = make_password(16); - $new_password_hash = $this->_encrypt_app_password($new_password); + $new_salt = UserHelper::get_salt(); + $new_password_hash = UserHelper::hash_password($new_password, $new_salt, UserHelper::HASH_ALGOS[0]); print_warning(T_sprintf("Generated password <strong>%s</strong> for %s. Please remember it for future reference.", $new_password, $title)); @@ -1432,7 +1414,7 @@ class Pref_Prefs extends Handler_Protected { VALUES (?, ?, ?, NOW(), ?)"); - $sth->execute([$title, $new_password_hash, Auth_Base::AUTH_SERVICE_API, $_SESSION['uid']]); + $sth->execute([$title, "$new_password_hash:$new_salt", Auth_Base::AUTH_SERVICE_API, $_SESSION['uid']]); $this->appPasswordList(); } diff --git a/classes/pref/users.php b/classes/pref/users.php index 13f808cb3..111cabdca 100644 --- a/classes/pref/users.php +++ b/classes/pref/users.php @@ -107,7 +107,7 @@ class Pref_Users extends Handler_Administrative { function editSave() { $login = clean($_REQUEST["login"]); - $uid = clean($_REQUEST["id"]); + $uid = (int) clean($_REQUEST["id"]); $access_level = (int) clean($_REQUEST["access_level"]); $email = clean($_REQUEST["email"]); $password = clean($_REQUEST["password"]); @@ -118,19 +118,13 @@ class Pref_Users extends Handler_Administrative { // forbid renaming admin if ($uid == 1) $login = "admin"; - if ($password) { - $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $pwd_hash = encrypt_password($password, $salt, true); - $pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).", - salt = ".$this->pdo->quote($salt).","; - } else { - $pass_query_part = ""; - } - - $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = LOWER(?), - access_level = ?, email = ?, otp_enabled = false WHERE id = ?"); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET login = LOWER(?), + access_level = ?, email = ?, otp_enabled = false WHERE id = ?"); $sth->execute([$login, $access_level, $email, $uid]); + if ($password) { + UserHelper::reset_password($uid, false, $password); + } } function remove() { @@ -153,8 +147,8 @@ class Pref_Users extends Handler_Administrative { function add() { $login = clean($_REQUEST["login"]); $tmp_user_pwd = make_password(); - $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true); + $salt = UserHelper::get_salt(); + $pwd_hash = UserHelper::hash_password($tmp_user_pwd, $salt, UserHelper::HASH_ALGOS[0]); if (!$login) return; // no blank usernames |