Changeset 228

Timestamp:

Jan 10, 2007 8:15:41 AM (17 years ago)

Author:

quinn

Message:

Q - fixed bug in Auth_SQL where a NOTICE log event was raised if user didnt actually set password.

File:

• tags/2.0.2/lib/Auth_SQL.inc.php (modified) (1 diff)

tags/2.0.2/lib/Auth_SQL.inc.php

@@ -730 +730 @@
         $user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
 
+        // Get old password.
+        $qid = DB::query(" 
+            SELECT userpass
+            FROM " . $this->_params['db_table'] . "
+            WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
+        ");
+        if (!list($old_encrypted_password) = mysql_fetch_row($qid)) {
+            App::logMsg(sprintf('Cannot set password for nonexistant user_id %s', $user_id), LOG_NOTICE, __FILE__, __LINE__);
+            return false;
+        }
+        
+        // Compare old with new to ensure we're actually *changing* the password.
+        $encrypted_password = $this->encryptPassword($password);
+        if ($old_encrypted_password == $encrypted_password) {
+            App::logMsg(sprintf('Not setting password: new is the same as old.', null), LOG_INFO, __FILE__, __LINE__);
+            return false;
+        }
+
         // Issue the password change query.
         DB::query("
             UPDATE " . $this->_params['db_table'] . "
-            SET userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
+            SET userpass = '" . DB::escapeString($encrypted_password) . "'
             WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
         ");
         
         if (mysql_affected_rows(DB::getDBH()) != 1) {
-            App::logMsg(sprintf('setPassword failed to update password for user %s', $user_id), LOG_NOTICE, __FILE__, __LINE__);
-        }
+            App::logMsg(sprintf('Failed to update password for user %s', $user_id), LOG_WARNING, __FILE__, __LINE__);
+            return false;
+        }
+
+        return true;
     }