
Commit 3878d84

committed
Refactor process_login_request 9: Refactor validate_and_fetch_user() method.
1 parent 480b97a commit 3878d84


1 file changed

+69
-57
lines changed


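--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -202,65 +202,77 @@ function validate_and_fetch_user(app $app, $username, $password, $loginAs, $conf
 {
 if ($loginAs) {
 $sql = "SELECT * FROM sys_user WHERE USERNAME = ? and PASSWORT = ?";
-$user = $app->db->queryOneRecord($sql, (string)$username, (string)$password);
-} else {
-if (stristr($username, '@')) {
-//* mailuser login
-$sql = "SELECT * FROM mail_user WHERE login = ? or email = ?";
-$mailuser = $app->db->queryOneRecord($sql, (string)$username, $app->functions->idn_encode($username));
-$user = false;
-if ($mailuser) {
-$saved_password = stripslashes($mailuser['password']);
-//* Check if mailuser password is correct
-if (crypt(stripslashes($password), $saved_password) == $saved_password) {
-//* Get the sys_user language of the client of the mailuser
-$sys_user_lang = $app->db->queryOneRecord("SELECT language FROM sys_user WHERE default_group = ?", $mailuser['sys_groupid']);
-
-//* we build a fake user here which has access to the mailuser module only and userid 0
-$user = array();
-$user['userid'] = 0;
-$user['active'] = 1;
-$user['startmodule'] = 'mailuser';
-$user['modules'] = 'mailuser';
-$user['typ'] = 'user';
-$user['email'] = $mailuser['email'];
-$user['username'] = $username;
-if (is_array($sys_user_lang) && $sys_user_lang['language'] != '') {
-$user['language'] = $sys_user_lang['language'];
-} else {
-$user['language'] = $conf['language'];
-}
-$user['theme'] = $conf['theme'];
-$user['app_theme'] = $conf['theme'];
-$user['mailuser_id'] = $mailuser['mailuser_id'];
-$user['default_group'] = $mailuser['sys_groupid'];
-}
-}
+return $app->db->queryOneRecord($sql, (string)$username, (string)$password);
+}
+
+if (stristr($username, '@')) {
+//* mailuser login
+$sql = "SELECT * FROM mail_user WHERE login = ? or email = ?";
+$mailuser = $app->db->queryOneRecord($sql, (string)$username, $app->functions->idn_encode($username));
+
+return $mailuser
+? build_fake_user($app, $username, $password, $mailuser, $conf)
+: false;
+}
+
+//* normal cp user login
+$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
+$user = $app->db->queryOneRecord($sql, (string)$username);
+if (!$user) return false;
+
+$saved_password = stripslashes($user['passwort']);
+if (substr($saved_password, 0, 1) == '$') {
+//* The password is encrypted with crypt
+return crypt(stripslashes($password), $saved_password) == $saved_password
+? $user
+: false;
+}
+
+//* The password is md5 encrypted
+if (md5($password) != $saved_password) return false;
+
+// update password with secure algo
+$sql = 'UPDATE `sys_user` SET `passwort` = ? WHERE `username` = ?';
+$app->db->query($sql, $app->auth->crypt_password($password), (string)$username);
+
+return $user;
+}
+
+/**
+* @param app $app
+* @param $username
+* @param $password
+* @param array $mailuser
+* @param array $user
+* @param $conf
+* @return array
+*/
+function build_fake_user(app $app, $username, $password, array $mailuser, $conf)
+{
+$saved_password = stripslashes($mailuser['password']);
+//* Check if mailuser password is correct
+if (crypt(stripslashes($password), $saved_password) == $saved_password) {
+//* Get the sys_user language of the client of the mailuser
+$sys_user_lang = $app->db->queryOneRecord("SELECT language FROM sys_user WHERE default_group = ?", $mailuser['sys_groupid']);
+
+//* we build a fake user here which has access to the mailuser module only and userid 0
+$user = array();
+$user['userid'] = 0;
+$user['active'] = 1;
+$user['startmodule'] = 'mailuser';
+$user['modules'] = 'mailuser';
+$user['typ'] = 'user';
+$user['email'] = $mailuser['email'];
+$user['username'] = $username;
+if (is_array($sys_user_lang) && $sys_user_lang['language'] != '') {
+$user['language'] = $sys_user_lang['language'];
 } else {
-//* normal cp user login
-$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
-$user = $app->db->queryOneRecord($sql, (string)$username);
-if ($user) {
-$saved_password = stripslashes($user['passwort']);
-if (substr($saved_password, 0, 1) == '$') {
-//* The password is encrypted with crypt
-if (crypt(stripslashes($password), $saved_password) != $saved_password) {
-$user = false;
-}
-} else {
-//* The password is md5 encrypted
-if (md5($password) != $saved_password) {
-$user = false;
-} else {
-// update password with secure algo
-$sql = 'UPDATE `sys_user` SET `passwort` = ? WHERE `username` = ?';
-$app->db->query($sql, $app->auth->crypt_password($password), (string)$username);
-}
-}
-} else {
-$user = false;
-}
+$user['language'] = $conf['language'];
 }
+$user['theme'] = $conf['theme'];
+$user['app_theme'] = $conf['theme'];
+$user['mailuser_id'] = $mailuser['mailuser_id'];
+$user['default_group'] = $mailuser['sys_groupid'];
 }
 
 return $user;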
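Review bot: build_fake_user returns an undefined `$user` when the crypt check fails — the removed code set `$user = false;` before `if ($mailuser)`, but the new function only assigns `$user` inside the `if (crypt(...))` branch, so a wrong mailuser password makes `return $user;` yield null (with a notice) instead of false, and the `@return array` tag is wrong in either case. Add `$user = false;` before the crypt check (or return false early) and document the return as `array|false`; the `@param array $user` tag describes a parameter that does not exist and should be dropped. The password comparisons in both functions also compare crypt output with `==`; `if (hash_equals($saved_password, crypt(stripslashes($password), $saved_password))) {` gives a strict, constant-time comparison. build_fake_user's closing brace is outside the hunk.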
