From 4ec713be602391eb3c951fc33a28c8555291d209 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20Kr=C3=A4mer?=
Date: Tue, 24 Jan 2017 22:03:39 +0100
Subject: [PATCH] Fixes to password validation

---
 src/Model/Behavior/UserBehavior.php | 25 ++++++++++++++++++++++++-
 src/Model/UserValidationTrait.php | 10 +++++++---
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/src/Model/Behavior/UserBehavior.php b/src/Model/Behavior/UserBehavior.php
index f5c0a87..34e0478 100644
--- a/src/Model/Behavior/UserBehavior.php
+++ b/src/Model/Behavior/UserBehavior.php
@@ -11,6 +11,7 @@ use Burzum\UserTools\Model\PasswordAndTokenTrait;
 use Burzum\UserTools\Model\UserValidationTrait;
+use Cake\Auth\AbstractPasswordHasher;
 use Cake\Auth\PasswordHasherFactory;
 use Cake\Core\Configure;
 use Cake\Datasource\EntityInterface;
@@ -67,6 +68,7 @@ class UserBehavior extends Behavior {
 'password' => 'password',
 'email' => 'email',
 'passwordCheck' => 'confirm_password',
+ 'oldPassword' => 'old_password',
 'lastAction' => 'last_action',
 'lastLogin' => 'last_login',
 'role' => 'role',
@@ -202,7 +204,7 @@ public function updateLastActivity($userId = null, $field = 'last_action', $opti
 * @return string Hash
 */
 public function hashPassword($password) {
- return $this->passwordHasher()->hash($password);
+ return $this->getPasswordHasher()->hash($password);
 }
 /**
@@ -681,8 +683,29 @@ public function sendNewPassword($email, $options = []) {
 *
 * @return \Cake\Auth\AbstractPasswordHasher Password hasher instance
 * @throws \RuntimeException If password hasher class not found or it does not extend AbstractPasswordHasher
+ * @deprecated Use getPasswordHasher() instead
 */
 public function passwordHasher() {
+ return $this->getPasswordHasher();
+ }
+
+ /**
+ * Sets a password hasher object
+ *
+ * @param \Cake\Auth\AbstractPasswordHasher $passwordHasher
+ * @return void
+ */
+ public function setPasswordHasher(AbstractPasswordHasher $passwordHasher) {
+ $this->_passwordHasher = $passwordHasher;
+ }
+
+ /**
+ * Return password hasher object
+ *
+ * @return \Cake\Auth\AbstractPasswordHasher Password hasher instance
+ * @throws \RuntimeException If password hasher class not found or it does not extend AbstractPasswordHasher
+ */
+ public function getPasswordHasher() {
 if ($this->_passwordHasher) {
 return $this->_passwordHasher;
 }
diff --git a/src/Model/UserValidationTrait.php b/src/Model/UserValidationTrait.php
index 4a718f7..fbe4ea8 100644
--- a/src/Model/UserValidationTrait.php
+++ b/src/Model/UserValidationTrait.php
@@ -148,7 +148,7 @@ public function validationConfirmPassword(Validator $validator) {
 *
 * @param \Cake\Validation\Validator $validator
 * @return \Cake\Validation\Validator
- * @see Burzum\UserTools\Controller\Component\UserToolComponent::requestPassword()
+ * @see \Burzum\UserTools\Controller\Component\UserToolComponent::requestPassword()
 */
 public function validationRequestPassword(Validator $validator) {
 $validator = $this->_table->validationDefault($validator);
@@ -195,6 +195,9 @@ protected function validationOldPassword($validator) {
 /**
 * Validation method for the old password.
 *
+ * This method will hash the old password and compare it to the stored hash
+ * in the database. You don't have to hash it manually before validating.
+ *
 * @param mixed $value
 * @param string $field
 * @param mixed $context
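Review bot: The deprecated `passwordHasher()` shim forwards silently, so existing callers get no signal that they are on an API slated for removal; the body in this hunk could raise a notice before delegating, `trigger_error('passwordHasher() is deprecated, use getPasswordHasher() instead.', E_USER_DEPRECATED);` ahead of `return $this->getPasswordHasher();`. The `setPasswordHasher()` docblock should also say that an injected hasher takes precedence over the configured one, since `getPasswordHasher()` returns `$this->_passwordHasher` as soon as it is set and, presumably, only builds one from configuration otherwise. The remainder of `getPasswordHasher()`, including the configuration-driven path and the documented RuntimeException, lies outside this hunk.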
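Review bot: The added docblock says the method "will hash the old password and compare it to the stored hash", but the implementation shown further down delegates to `getPasswordHasher()->check()`, so what actually happens depends on the configured hasher, and the `@param mixed $context` line still does not mention that the record is looked up by the primary key found in `$context['data']`, which a caller has to supply. Suggested replacement for the two added sentences: `* The submitted plain-text value is verified against the stored hash via the configured password hasher's check(); the record is located by the primary key present in $context['data'], so that key must be set.` The method body this docblock describes continues past this hunk.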
@@ -207,7 +210,7 @@ public function validateOldPassword($value, $field, $context) {
 $result = $this->_table->find()
 ->select([
- $this->_field('password')
+ $this->_table->aliasField($field)
 ])
 ->where([
 $this->_table->primaryKey() => $context['data'][$this->_table->primaryKey()],
@@ -217,7 +220,8 @@ public function validateOldPassword($value, $field, $context) {
 if (!$result) {
 return false;
 }
- return $this->passwordHasher()->check($value, $result->password);
+
+ return $this->getPasswordHasher()->check($value, $result->get($field));
 }
 /**
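Review bot: The row whose hash is checked is selected by `$context['data'][$this->_table->primaryKey()]`, a value taken from the submitted data rather than from the entity under validation, so if that array is request data a client can choose which account the guess is verified against and use this rule as a password-guessing oracle for other users. At minimum the rule should fail closed when the key is absent instead of querying with `null` and emitting an undefined-index notice, `$pk = $this->_table->primaryKey(); if (empty($context['data'][$pk])) { return false; }`, and the docblock should state that callers must overwrite that key with the authenticated user's id before validating. Separately, `$this->_table->aliasField($field)` replaces the former `$this->_field('password')`, so a non-default `password` field mapping is only honoured if the caller already passes the mapped column name as `$field`; the `validationOldPassword()` rule definition that presumably supplies it is not in this hunk, and `validateOldPassword()` itself starts and ends outside it.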
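Review bot: `$result->get($field)` is passed to `check()` without a guard, so for an account whose stored password is `NULL` or empty the outcome of the old-password rule is decided by how the configured hasher treats an empty hash rather than by this code. A fail-closed check makes that explicit and independent of the hasher: `$hash = $result->get($field); if (empty($hash)) { return false; }` before the `return`. `validateOldPassword()` begins outside this hunk.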