
SF.net SVN: ledger-smb: [520] trunk



Revision: 520
          http://svn.sourceforge.net/ledger-smb/?rev=520&view=rev
Author:   christopherm
Date:     2006-11-11 21:34:09 -0800 (Sat, 11 Nov 2006)

Log Message:
-----------
creating a central Session::password_check which will allow for an upgrade from crypted passwords to md5. Fixing session timeout problem for first login. Removing some old cruft (set_cookie and more). Changing central db users_conf to remove dbconnect (which will now be generated) and to add crypted_password (which will eventually be removed).

Modified Paths:
--------------
    trunk/LedgerSMB/Form.pm
    trunk/LedgerSMB/Session/DB.pm
    trunk/LedgerSMB/User.pm
    trunk/bin/login.pl
    trunk/menu.pl
    trunk/sql/Pg-central.sql

Modified: trunk/LedgerSMB/Form.pm
===================================================================
--- trunk/LedgerSMB/Form.pm	2006-11-12 04:41:54 UTC (rev 519)
+++ trunk/LedgerSMB/Form.pm	2006-11-12 05:34:09 UTC (rev 520)
@@ -272,8 +272,6 @@
 
 		$self->{titlebar} = ($self->{title}) ? "$self->{title} - $self->{titlebar}" : $self->{titlebar};
 
-		$self->set_cookie($init);
-
 		print qq|Content-Type: text/html\n\n
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
 		"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
@@ -295,28 +293,6 @@
 	$self->{header} = 1;
 }
 
-
-sub set_cookie {
-
-	my ($self, $init) = @_;
-
-	$self->{timeout} = ($self->{timeout} > 0) ? $self->{timeout} : 3600;
-	my $t = ($self->{endsession}) ? time : time + $self->{timeout};
-
-	if ($ENV{HTTP_USER_AGENT}) {
-
-		my @d = split / +/, scalar gmtime($t);
-		my $today = "$d[0], $d[2]-$d[1]-$d[4] $d[3] GMT";
-
-		if ($init) {
-			$self->{sessionid} = time;
-		}
-
-		print qq|Set-Cookie: LedgerSMB-$self->{login}=$self->{sessionid}; expires=$today; path=/;\n| if $self->{login};
-	}
-}
-
-
 sub redirect {
 
 	my ($self, $msg) = @_;

Modified: trunk/LedgerSMB/Session/DB.pm
===================================================================
--- trunk/LedgerSMB/Session/DB.pm	2006-11-12 04:41:54 UTC (rev 519)
+++ trunk/LedgerSMB/Session/DB.pm	2006-11-12 05:34:09 UTC (rev 520)
@@ -23,6 +23,9 @@
 # create - creates a new session, writes cookie upon success
 #
 # destroy - destroys session
+#
+# password_check - compares the password with the stored cryted password 
+#                  (ver. < 1.2) and the md5 one (ver. >= 1.2)
 #====================================================================
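Review bot: The new header comment misspells the stored-hash field in `# password_check - compares the password with the stored cryted password`; it should read `crypted`. It would also help to state the return contract here, `# returns 1 on match, 0 otherwise (0 also when no credential is stored)`, since both callers negate the result.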
 package Session;
 
@@ -112,8 +115,8 @@
 
 	$deleteExisting->execute($login, "$myconfig{timeout} seconds") || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
 
-	#doing the md5 and random stuff in the db so that LedgerSMB won't
-	#require new perl modules (Digest::MD5 and a good random generator)
+	#doing the random stuff in the db so that LedgerSMB won't
+	#require a good random generator - maybe this should be reviewed, pgsql's isn't great either
 	$fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
 	my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
 
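Review bot: The rewritten comment concedes that the database-side random source feeding `$newToken` is not great, but that value becomes the session token, so its unpredictability is a security property rather than a nicety; the SQL behind `$fetchSequence` is outside this hunk, so I cannot confirm which function it uses. Rather than leaving the doubt in prose, make it actionable: `# TODO(review): session token must come from a CSPRNG (e.g. hex-encoded bytes from /dev/urandom), not a general-purpose PRNG`. The sequence value used as `$newSessionID` is fine as a key but is predictable, so the token alone has to carry the secrecy.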
@@ -134,11 +137,6 @@
 
 sub session_destroy {
 
-	# Under the current architecture, this function is a bit problematic
-	# %myconfig is often not defined when this function needs to be called.
-	# which means that the db connection parameters are not available.
-	# moving user prefs and the session table into a central db will solve this issue
-
 	my ($form) = @_;
 
 	my $login = $form->{login};
@@ -155,4 +153,58 @@
 
 }
 
+sub password_check {
+
+	use Digest::MD5;
+
+	my ($form, $username, $password) = @_;
+
+	# use the central database handle
+	my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
+
+	my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+										 FROM users as u, users_conf as uc
+										WHERE u.username = ?
+										  AND u.id = uc.id;");
+
+	$fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
+
+	my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+
+	if ($cryptPassword){
+		#First time login from old system, check crypted password
+
+		if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {	
+
+			#password was good, convert to md5 password and null crypted
+			my $updatePassword = $dbh->prepare("UPDATE users_conf
+												   SET password = md5(?),
+													   crypted_password = null
+												  FROM users
+												 WHERE users_conf.id = users.id
+												   AND users.username = ?;");
+
+			$updatePassword->execute($password, $username) || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
+
+			return 1;
+
+		} else {
+			return 0; #password failed
+		}
+
+	}elsif ($md5Password){
+
+		if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
+			return 0;
+		}
+		else{
+			return 1;
+		}
+	
+	} else {
+		#both the md5Password and cryptPasswords were blank
+		return 0;
+	}
+}
+
 1;
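Review bot: The hash this sub migrates to is a single unsalted MD5 hex digest — `md5(?)` in the UPDATE and `Digest::MD5::md5_hex $password` in the compare — so two users with the same password get the same stored value, and a leaked `users_conf` cracks about as fast as the two-character-salted `crypt` it replaces; a per-user salt and an iterated scheme (for example `crypt` with a `$5$`/`$6$` salt where the platform supports it) would be a stronger target for a one-time conversion. Hashing inside the UPDATE also ships the plaintext password to the database as a bind value, where it can appear in statement logs; computing the digest in Perl, which is already loaded here, keeps it off the server. Both comparisons use `eq`/`ne`, which is not constant-time — low risk for a login form, but worth a `# TODO(review): constant-time compare` marker. `use Digest::MD5;` inside the body takes effect at compile time for the whole file anyway, so it belongs at the top of the package. The final branch, reached when `fetchrow_array` returns nothing for an unknown user, deserves `# unknown user or no stored credential: fail closed` so the intent survives the next edit.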

Modified: trunk/LedgerSMB/User.pm
===================================================================
--- trunk/LedgerSMB/User.pm	2006-11-12 04:41:54 UTC (rev 519)
+++ trunk/LedgerSMB/User.pm	2006-11-12 05:34:09 UTC (rev 520)
@@ -33,6 +33,7 @@
 
 package LedgerSMB::User;
 use LedgerSMB::Sysconfig;
+use LedgerSMB::Session;
 use Data::Dumper; 
 
 sub new {
@@ -48,12 +49,12 @@
 		# for now, this is querying the table directly... ugly 
 		my $fetchUserPrefs = $dbh->prepare("SELECT acs, address, businessnumber,
 												   company, countrycode, currency,
-												   dateformat, dbconnect, dbdriver,
-												   dbhost, dbname, dboptions, dbpasswd,
-												   dbport, dbuser, email, fax, menuwidth,
-												   name, numberformat, password, print,
-												   printer, role, sid, signature, stylesheet,
-												   tel, templates, timeout, vclimit, u.username
+												   dateformat, dbdriver, dbhost, dbname, 
+												   dboptions, dbpasswd, dbport, dbuser, 
+												   email, fax, menuwidth, name, numberformat, 
+												   password, print, printer, role, sid, 
+												   signature, stylesheet, tel, templates, 
+												   timeout, vclimit, u.username
 											  FROM users_conf as uc, users as u
 											 WHERE u.username =  ?
 											   AND u.id = uc.id;");
@@ -66,6 +67,16 @@
 			$self->{$key} = $value;
 		}
 
+		chomp($self->{dbport});
+		chomp($self->{dbname});
+		chomp($self->{dbhost});
+
+		if(! int($self->{dbport})){#in case there's a space or junk in the dbport
+			$self->{dbport} = '5432';
+		}
+
+		$self->{dbconnect} = 'dbi:Pg:dbname='.$self->{dbname}.';host='.$self->{dbhost}.';port='.$self->{dbport};
+
 		if($self->{username}){
 			$self->{login} = $login;
 		}
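Review bot: `int($self->{dbport})` does not enforce what the comment `#in case there's a space or junk in the dbport` promises: `int('5432x')` is 5432 and passes, yet the unmodified string is then spliced into the DSN, and a wholly non-numeric value produces an "isn't numeric" warning under `use warnings`. An anchored match is stricter and silent: `$self->{dbport} = '5432' unless defined $self->{dbport} && $self->{dbport} =~ /\A\d+\z/;`. The same block recurs in the later hunk of this file at `if(! int($myconfig{'dbport'}))`, but without the three `chomp` calls, so the two code paths already disagree; a small private helper that normalises `dbport` and builds `dbconnect` would keep them in step. `dbname` and `dbhost` are concatenated unescaped into the `dbi:Pg:` string, so a comment stating that these are admin-maintained `users_conf` values would record the trust assumption the DSN relies on.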
@@ -113,12 +124,12 @@
 		# for now, this is querying the table directly... ugly 
 		my $fetchUserPrefs = $dbh->prepare("SELECT acs, address, businessnumber,
 												   company, countrycode, currency,
-												   dateformat, dbconnect, dbdriver,
-												   dbhost, dbname, dboptions, dbpasswd,
-												   dbport, dbuser, email, fax, menuwidth,
-												   name, numberformat, password, print,
-												   printer, role, sid, signature, stylesheet,
-												   tel, templates, timeout, vclimit
+												   dateformat, dbdriver, dbhost, dbname, 
+												   dboptions, dbpasswd, dbport, dbuser, 
+												   email, fax, menuwidth, name, numberformat, 
+												   password, print, printer, role, sid, 
+												   signature, stylesheet, tel, templates, 
+												   timeout, vclimit, u.username
 											  FROM users_conf as uc, users as u
 											 WHERE u.username =  ?
 											   AND u.id = uc.id;");
@@ -130,20 +141,25 @@
 		while ( my ($key, $value) = each(%{$userHashRef}) ) {
 			$myconfig{$key} = $value;
 		}
+
+		if(! int($myconfig{'dbport'})){#in case there's a space or junk in the dbport
+			$myconfig{'dbport'} = '5432';
+		}
+
+		$myconfig{'dbconnect'} = 'dbi:Pg:dbname='.$myconfig{'dbname'}.';host='.$myconfig{'dbhost'}.';port='.$myconfig{'dbport'};
 	}
  
 	return \%myconfig;
 }
 
 sub login {
-	use Digest::MD5;
 
 	my ($self, $form) = @_;
 
 	my $rc = -1;
   
 	if ($self->{login} ne "") {
-		if ($self->{password} ne (Digest::MD5::md5_hex $form->{password}) ) {
+		if (! Session::password_check($form, $form->{login}, $form->{password})) {
 			return -1;
 		}
 
@@ -719,7 +735,7 @@
 		my $userConfUpdate = $dbh->prepare("UPDATE users_conf
 											   SET acs = ?, address = ?, businessnumber = ?,
 												   company = ?, countrycode = ?, currency = ?,
-												   dateformat = ?, dbconnect = ?, dbdriver = ?,
+												   dateformat = ?, dbdriver = ?,
 												   dbhost = ?, dbname = ?, dboptions = ?, 
 												   dbpasswd = ?, dbport = ?, dbuser = ?,
 												   email = ?, fax = ?, menuwidth = ?,
@@ -732,7 +748,7 @@
 
 		$userConfUpdate->execute($self->{acs}, $self->{address}, $self->{businessnumber},
 								 $self->{company}, $self->{countrycode}, $self->{currency},
-								 $self->{dateformat}, $self->{dbconnect}, $self->{dbdriver},
+								 $self->{dateformat}, $self->{dbdriver},
 								 $self->{dbhost}, $self->{dbname}, $self->{dboptions}, 
 								 $self->{dbpasswd}, $self->{dbport}, $self->{dbuser}, 
 								 $self->{email}, $self->{fax}, $self->{menuwidth},
@@ -748,7 +764,7 @@
 
 		my $userConfInsert = $dbh->prepare("INSERT INTO users_conf(acs, address, businessnumber,
 																   company, countrycode, currency,
-																   dateformat, dbconnect, dbdriver,
+																   dateformat, dbdriver,
 																   dbhost, dbname, dboptions, dbpasswd,
 																   dbport, dbuser, email, fax, menuwidth,
 																   name, numberformat, print, printer, role, 
@@ -756,11 +772,11 @@
 																   timeout, vclimit, id, password)
 											VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
 												   ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
-												   ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, md5(?));");
+												   ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, md5(?));");
 
 		$userConfInsert->execute($self->{acs}, $self->{address}, $self->{businessnumber},
 								 $self->{company}, $self->{countrycode}, $self->{currency},
-								 $self->{dateformat}, $self->{dbconnect}, $self->{dbdriver},
+								 $self->{dateformat}, $self->{dbdriver},
 								 $self->{dbhost}, $self->{dbname}, $self->{dboptions}, 
 								 $self->{dbpasswd}, $self->{dbport}, $self->{dbuser}, 
 								 $self->{email}, $self->{fax}, $self->{menuwidth},

Modified: trunk/bin/login.pl
===================================================================
--- trunk/bin/login.pl	2006-11-12 04:41:54 UTC (rev 519)
+++ trunk/bin/login.pl	2006-11-12 05:34:09 UTC (rev 520)
@@ -337,6 +337,7 @@
 		}
 	}
 
+	Session::session_create($form);
 	$form->redirect;
 
 }
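Review bot: `Session::session_create($form)` is now reached unconditionally before `$form->redirect`, and the enclosing sub begins outside this hunk, so I cannot see whether every path to this line has already passed the password check; if a failed login can fall through to here, a session would be minted for an unauthenticated request. Record the invariant at the call: `# credentials already verified above; create the session (and its cookie) before redirect emits headers`. Per the Session header comment, session_create writes the cookie itself, which is presumably why it has to precede the redirect.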

Modified: trunk/menu.pl
===================================================================
--- trunk/menu.pl	2006-11-12 04:41:54 UTC (rev 519)
+++ trunk/menu.pl	2006-11-12 05:34:09 UTC (rev 520)
@@ -150,7 +150,6 @@
 1;
 # end
 
-
 sub check_password {
   
 	if ($myconfig{password}) {
@@ -158,7 +157,7 @@
 		require "bin/pw.pl";
 
 		if ($form->{password}) {
-			if ($myconfig{password} ne (Digest::MD5::md5_hex $form->{password})) {
+			if (! Session::password_check($form, $form->{login}, $form->{password})) {
 				if ($ENV{HTTP_USER_AGENT}) {
 					&getpassword;
 				} else {
@@ -178,12 +177,6 @@
 					$cookie{$name} = $value;
 				}
 
-				if ($form->{action} ne 'display') {
-					if ((! $cookie{"LedgerSMB-$form->{login}"}) || $cookie{"LedgerSMB-$form->{login}"} ne $form->{sessionid}) {
-						&getpassword(1);
-						exit;
-					}
-				}
 				#check for valid session
 				if(!Session::session_check($cookie{"LedgerSMB"}, $form)){
 					&getpassword(1);

Modified: trunk/sql/Pg-central.sql
===================================================================
--- trunk/sql/Pg-central.sql	2006-11-12 04:41:54 UTC (rev 519)
+++ trunk/sql/Pg-central.sql	2006-11-12 05:34:09 UTC (rev 520)
@@ -14,7 +14,6 @@
                         countrycode text,
                         currency text,
                         dateformat text,
-                        dbconnect text,
                         dbdriver text default 'Pg',
                         dbhost text default 'localhost',
                         dbname text,
@@ -28,6 +27,7 @@
                         name text,
                         numberformat text,
                         password varchar(32) check(length(password) = 32),
+						crypted_password text,
                         print text,
                         printer text,
                         role text,
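Review bot: The added `crypted_password text` line is indented with tabs where the surrounding column definitions use spaces; reindent to match. The commit message calls this column transitional and `password_check` nulls it after a successful conversion, so a trailing `-- legacy crypt hash, cleared on first successful login; to be dropped` would explain why it carries no length check like `password`.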

