[Noalyss-commit] [noalyss] 01/04: Security : improve password check remo


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 01/04: Security : improve password check remove user->pass which was redundant with user->password
Date: Fri, 24 Dec 2021 08:49:39 -0500 (EST)

sparkyx pushed a commit to branch devel
in repository noalyss.

commit a5ae681bc89a10cf03407d74bc4003e2060d06a7
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Wed Dec 15 19:58:35 2021 +0100

    Security : improve password check
    remove user->pass which was redundant with user->password
---
 include/ajax/ajax_preference.php      | 60 ++++++++++++++++++--------------
 include/class/user.class.php          | 65 +++++++++++++++++++----------------
 unit-test/include/class/user.Test.php | 21 ++++++++++-
 3 files changed, 91 insertions(+), 55 deletions(-)

diff --git a/include/ajax/ajax_preference.php b/include/ajax/ajax_preference.php
index d986073..551e7b0 100644
--- a/include/ajax/ajax_preference.php
+++ b/include/ajax/ajax_preference.php
@@ -138,29 +138,7 @@ if ( $action == 'display_form' )
                         
<?=$exercice->select("exercice_setting",$selected_exercice,$js)->input();?>
                     </td>
                 </tr>
-            <tr>
-                <td>
-                    <?=_("Premier jour semaine")?>
-                </td>
-                <td>
-                    <?php
-                        $aFirstDay=array(
-                            ["label"=>_("Lundi"),"value"=>1],
-                            ["label"=>_("Mardi"),"value"=>2],
-                            ["label"=>_("Mercredi"),"value"=>3],
-                            ["label"=>_("Jeudi"),"value"=>4],
-                            ["label"=>_("Vendredi"),"value"=>5],
-                            ["label"=>_("Samedi"),"value"=>6],
-                            ["label"=>_("Dimanche"),"value"=>0],
-                        );
-                        $selFirstDay=new ISelect("selFirstDay");
-                        $selFirstDay->value=$aFirstDay;
-                        $selFirstDay->selected=$g_user->get_first_week_day();
-                        echo $selFirstDay->input();
-                    ?>
-
-                </td>
-            </tr>
+          
                <tr>
                     
                     <td><?php echo _('PĂ©riode');?></td>
@@ -190,6 +168,29 @@ if ( $action == 'display_form' )
                    <?php 
                }
                ?>
+                  <tr>
+                <td>
+                    <?=_("Premier jour semaine")?>
+                </td>
+                <td>
+                    <?php
+                        $aFirstDay=array(
+                            ["label"=>_("Lundi"),"value"=>1],
+                            ["label"=>_("Mardi"),"value"=>2],
+                            ["label"=>_("Mercredi"),"value"=>3],
+                            ["label"=>_("Jeudi"),"value"=>4],
+                            ["label"=>_("Vendredi"),"value"=>5],
+                            ["label"=>_("Samedi"),"value"=>6],
+                            ["label"=>_("Dimanche"),"value"=>0],
+                        );
+                        $selFirstDay=new ISelect("selFirstDay");
+                        $selFirstDay->value=$aFirstDay;
+                        $selFirstDay->selected=$g_user->get_first_week_day();
+                        echo $selFirstDay->input();
+                    ?>
+
+                </td>
+            </tr>
            </table>
        </fieldset>
         <fieldset>
@@ -323,7 +324,16 @@ if ($action == 'save')
     
     if (strlen(trim($pass_1)) != 0 && strlen(trim($pass_2)) != 0)
     {
-       $g_user->save_password($pass_1,$pass_2);
+        if ( $g_user->save_password($_POST['pass_1'],$pass_2) ) 
+        {        $g_user->password_to_session() ;
+        
+        } else {
+           /**
+            * password not changed
+            */ 
+            
+        }
+        
         
     }
     if ( $inside_dossier)
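Review bot: The guard two lines above validates `$pass_1`, but the call passes the raw `$_POST['pass_1']`, so the value that gets hashed is not the value that was checked (if `$pass_1` was trimmed or otherwise filtered earlier in this file, the stored digest will differ from what the user typed), and it reintroduces the direct superglobal read that the class-side change deliberately removes from save_password(). Use `if ($g_user->save_password($pass_1, $pass_2)) {`. The else branch is now empty, whereas the removed alert() told the user that the two passwords differed; the mismatch should still be surfaced, for example by carrying an error flag in the json_response the action already returns. The enclosing `if ($action == 'save')` block starts before this hunk.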
@@ -355,4 +365,4 @@ if ($action == 'save')
     }
     json_response(["style"=>$style]);
     
-}
\ No newline at end of file
+}
diff --git a/include/class/user.class.php b/include/class/user.class.php
index 9dbf40d..838b324 100644
--- a/include/class/user.class.php
+++ b/include/class/user.class.php
@@ -75,7 +75,7 @@ class User
             if ($user_login!=""&&$user_password!="")
             {
                 $_SESSION[SESSION_KEY."g_user"]=$user_login;
-                $_SESSION[SESSION_KEY."g_pass"]=$user_password;
+                $_SESSION[SESSION_KEY."g_pass"]=md5($user_password);
             }
             else
             {
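Review bot: Storing `md5($user_password)` still keeps a password-equivalent in the session: the digest is the very value later compared with ac_users.use_pass (`$pass5=$this->password;` in the check routine), so anyone able to read the session store can authenticate with it, and unsalted MD5 of a user password is trivially reversed for common choices. Once the credentials have been verified the session should carry the login and an authenticated marker rather than a copy of the credential; if the hash must be kept at all, `password_hash()`/`password_verify()` would need a migration of the use_pass column and of the comparison, which this commit does not attempt and is worth a `// TODO` next to this line. The constructor continues outside this hunk.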
@@ -100,7 +100,7 @@ class User
             $_SESSION[SESSION_KEY.'g_user']=$this->login;
         }
         $this->login=$_SESSION[SESSION_KEY."g_user"];
-        $this->pass=$_SESSION[SESSION_KEY.'g_pass'];
+        $this->password=$_SESSION[SESSION_KEY.'g_pass'];
         $this->id=-1;
         
$this->lang=(isset($_SESSION[SESSION_KEY.'g_lang']))?$_SESSION[SESSION_KEY.'g_lang']:'fr_FR.utf8';
         $this->access_mode=$_SESSION[SESSION_KEY."access_mode"];
@@ -164,22 +164,6 @@ class User
     }
 
     /**
-     * @return default|mixed|string|string[]|null
-     */
-    public function getPass()
-    {
-        return $this->pass;
-    }
-
-    /**
-     * @param default|mixed|string|string[]|null $pass
-     */
-    public function setPass($pass): void
-    {
-        $this->pass=$pass;
-    }
-
-    /**
      * @return mixed
      */
     public function getDb()
@@ -375,7 +359,8 @@ class User
              ,use_active=$3,use_admin=$4,use_pass=$5 ,use_email = $7 where 
use_id=$6";
         $cn=new Database();
         $Res=$cn->exec_sql($Sql,
-                array($this->first_name, $this->last_name, $this->active, 
$this->admin, $this->pass, $this->id, $this->email));
+                array($this->first_name, $this->last_name, $this->active, 
$this->admin, $this->password, 
+                    $this->id, $this->email));
     }
 
     function insert()
@@ -388,7 +373,8 @@ class User
 
         $cn=new Database();
         $this->id=$cn->get_value($Sql,
-                array($this->first_name, $this->last_name, $this->login, 1, 
$this->admin, $this->pass, $this->email));
+                array($this->first_name, $this->last_name, $this->login, 1, 
$this->admin, 
+                    $this->password, $this->email));
     }
 
     /**
@@ -402,7 +388,7 @@ class User
     {
 
         $res=0;
-        $pass5=md5($this->pass);
+        $pass5=$this->password;
 
         $cn=new Database();
         $sql="select ac_users.use_login,ac_users.use_active, ac_users.use_pass,
@@ -650,7 +636,7 @@ class User
     function isAdmin()
     {
         $this->admin=0;
-        $pass5=md5($this->pass);
+        $pass5=md5($this->password);
         $sql="select count(*) from ac_users where use_login=$1
              and use_active=1 and use_admin=1 ";
 
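Review bot: `$pass5=md5($this->password);` now double-hashes: after this commit `$this->password` already holds the MD5 digest (set from the session via md5() in the constructor, and by save_password() via setPassword(md5(...))), and the other check routine in the same file was changed to `$pass5=$this->password;` for exactly that reason. If $pass5 is bound against use_pass further down in isAdmin() — the rest of the function is outside this hunk — the admin check can never match; make it consistent with `$pass5=$this->password;`. If $pass5 turns out to be unused after the visible query, remove the assignment instead.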
@@ -960,7 +946,14 @@ class User
         else
         {
             $value=($p_value=="")?$default_parameter[$p_type]:$p_value;
-            $cn->exec_sql($sql, array($this->login, $p_type, $value));
+            if ( $cn->get_value("select count(*) from user_global_pref where 
user_id=$1 and parameter_type=$2",
+                array($this->login,$p_type)) == 1)
+            {
+                $cn->exec_sql("update user_global_pref set parameter_value=$1 
where user_id=$2 and parameter_type=$3",
+                        array($value,$this->login,$p_type));
+            } else {
+                $cn->exec_sql($sql, array($this->login, $p_type, $value));
+            }
         }
     }
 
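Review bot: The count-then-update/insert pair is not atomic: two concurrent saves for the same (user_id, parameter_type) can both observe count 0 and both insert, and once two rows exist the `== 1` test sends every later save to the insert branch, so duplicates keep growing. If user_global_pref has a unique key on (user_id, parameter_type) — the `$1` placeholders suggest PostgreSQL — a single `INSERT ... ON CONFLICT (user_id, parameter_type) DO UPDATE SET parameter_value = EXCLUDED.parameter_value`, using the column list from the `$sql` defined above this hunk, replaces both branches; failing that, at least test `>= 1` so existing duplicates are updated rather than multiplied. The enclosing method starts before this hunk.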
@@ -1575,20 +1568,34 @@ class User
             return false;
         return true;
     }
-
+    /**
+     * @brief store the password in session
+     */
+    function password_to_session()
+    {
+          $_SESSION[SESSION_KEY.'g_pass']=$this->getPassword();
+    }
+    /**
+     * @brief Save the password of the current user 
+     * @param string $p_pass1 password (clear)
+     * @param string $p_pass2 for confirming password (clear)
+     * @return true : password successfully changed otherwise false
+     */
     function save_password($p_pass1, $p_pass2)
     {
         if ($p_pass1==$p_pass2)
         {
             $repo=new Database();
-            $l_pass=md5($_POST['pass_1']);
+            $l_pass=md5($p_pass1);
+            $this->setPassword($l_pass);
             $repo->exec_sql("update ac_users set use_pass=$1 where 
use_login=$2",
-                    array($l_pass, $_SESSION[SESSION_KEY.'g_user']));
-            $_SESSION[SESSION_KEY.'g_pass']=$_POST['pass_1'];
+                    array($l_pass, $this->login));
+            return true;
         }
         else
         {
-            alert(_("Les mots de passe ne correspondent pas. Mot de passe 
inchangé"));
+            
+            return false;
         }
     }
 
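Review bot: `if ($p_pass1==$p_pass2)` compares two user-supplied strings with loose equality, so numeric-looking inputs such as "1e3" and "1000" (or "0" and "0.0") are treated as identical and a mistyped confirmation is silently stored; use `if ($p_pass1 === $p_pass2)`. The method relies on the caller's trim check and will happily store md5('') when called with two empty strings, so a `if ($p_pass1 === '') { return false; }` guard here would protect the unit test and any other caller. The docblock should read `@return bool true when the password was changed, false when the two inputs differ`; the unsalted md5() that remains is a known weakness tied to the use_pass format and deserves a TODO rather than silence.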
@@ -1806,4 +1813,4 @@ class User
     }
 }
 
-?>
\ No newline at end of file
+?>
diff --git a/unit-test/include/class/user.Test.php 
b/unit-test/include/class/user.Test.php
index 0e98279..d1623e3 100644
--- a/unit-test/include/class/user.Test.php
+++ b/unit-test/include/class/user.Test.php
@@ -6,7 +6,7 @@ define('USE_FIRST_NAME', 'Unit test');
 define('USE_NAME', 'UNIT');
 define('USE_LOGIN', 'unit-test');
 define('USE_ACTIVE', 1);
-define('USE_PASS', 'passord');
+define('USE_PASS', md5('password'));
 define('USE_ADMIN', 0);
 define('USE_EMAIL', 'none@dev.null.eu');
 
@@ -142,4 +142,23 @@ class UserTest extends TestCase
         $this->object->set_periode($p_id);
         $this->assertEquals($p_id,$this->object->get_periode(),"Cannot 
retrieve the right periode");
     }
+    /**
+     * @brief test the save_password function
+     */
+    public function testSave_Password() 
+    {
+        // password is in MD5 
+        $old_password=$this->object->getPassword();
+        $this->assertEquals(USE_PASS,$old_password,"Password mismatch");
+        
+        
$this->assertFalse($this->object->save_password("test1","test2"),"Passwords 
must be identical");
+        
$this->assertTrue($this->object->save_password("test2","test2"),"Identical 
passwords seen as different");
+        $this->object->load();
+        $new_password = $this->object->getPassword();
+        $this->assertTrue(($old_password != $new_password),"Password not 
changed old=$old_password new=$new_password");
+        
$this->assertTrue($new_password=='ad0234829205b9033196ba818f7a872b',"Password 
incorrect");
+        
+        
+        
+    }
 }
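Review bot: testSave_Password() permanently rewrites the fixture user's password in ac_users (save_password() issues an UPDATE) and never restores USE_PASS, so every later test in this class, and any other suite that logs in as 'unit-test', sees a changed credential; restore it at the end with `$this->object->save_password('password', 'password');` or in tearDown(). Prefer `$this->assertSame('ad0234829205b9033196ba818f7a872b', $new_password, 'Password incorrect');` and `$this->assertNotSame($old_password, $new_password, 'Password not changed');` over wrapping `==`/`!=` in assertTrue, which hides the actual values when the assertion fails.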


