diff --git a/EVENTS.txt b/EVENTS.txt
index af686b9cdf..ced130f5f7 100644
--- a/EVENTS.txt
+++ b/EVENTS.txt
@@ -481,13 +481,15 @@ EndPublicXRDS: End XRDS output (right before the closing XRDS tag)
 - $action: the current action
 - &$xrdsoutputter - XRDSOutputter object to write to
 
-CheckPassword: Check a username/password
+StartCheckPassword: Check a username/password
 - $nickname: The nickname to check
 - $password: The password to check
-- &$authenticated: set to true to indicate authentication succeeded.
+- &$authenticatedUser: set to User object if credentials match a user.
 
-AutoRegister: Register a new user with the given nickname. Should insert a new User and Profile into the database.
-- $nickname: The nickname to register
+EndCheckPassword: After checking a username/password pair
+- $nickname: The nickname that was checked
+- $password: The password that was checked
+- $authenticatedUser: User object if credentials match a user, else null.
 
 ChangePassword: Handle a password change request
 - $nickname: user's nickname
diff --git a/lib/util.php b/lib/util.php
index 65bc6544da..81160d052c 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -116,51 +116,26 @@ function common_munge_password($password, $id) } // check if a username exists and has matching password + function common_check_user($nickname, $password) { - $authenticated = false; - $eventResult = Event::handle('CheckPassword', array($nickname, $password, &$authenticated)); - $user = User::staticGet('nickname', $nickname); - if (is_null($user) || $user === false) { - //user does not exist - if($authenticated){ - //a handler said these are valid credentials, so see if a plugin wants to auto register the user - if(Event::handle('AutoRegister', array($nickname))){ - //no handler registered the user - return false; - }else{ - $user = User::staticGet('nickname', $nickname); - if (is_null($user) || $user === false) { - common_log(LOG_WARNING, "A plugin handled the AutoRegister event, but did not actually register the user, nickname: $nickname"); - return false; - }else{ - return $user; - } - } - }else{ - //no handler indicated the credentials were valid, and we know their not valid because the user isn't in the database - return false; - } - } else { - if($eventResult && ! $authenticated){ - //no handler was authoritative - if (mb_strlen($password) == 0) { - // NEVER allow blank passwords, even if they match the DB - return false; - }else{ + $authenticatedUser = false; + + if (Event::handle('StartCheckPassword', array($nickname, $password, &$authenticatedUser))) { + $user = User::staticGet('nickname', $nickname); + if (!empty($user)) { + if (!empty($password)) { // never allow login with blank password if (0 == strcmp(common_munge_password($password, $user->id), $user->password)) { //internal checking passed - $authenticated = true; + $authenticatedUser =& $user; } } } - if($authenticated){ - return $user; - } else { - return false; - } + Event::handle('EndCheckPassword', array($nickname, $password, $authenticatedUser)); } + + return $authenticatedUser; } // is the current user logged in?
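Review bot: The new blank-password guard `if (!empty($password))` also rejects the literal password "0", because `empty('0')` is true in PHP, which the removed `mb_strlen($password) == 0` test did not; `if ($password !== '') { // never allow login with blank password` keeps the intent without that edge case. The function initialises `$authenticatedUser = false` and hands that value to the EndCheckPassword handlers, while the EVENTS.txt hunk documents the argument as null when no user matched — make the code and the event documentation agree on one sentinel so plugin authors can test for it reliably. `$authenticatedUser =& $user;` binds by reference for no reason visible in the hunk; a plain `$authenticatedUser = $user;` reads more clearly and behaves the same for the return. The `0 == strcmp(common_munge_password(...), $user->password)` comparison of the candidate hash against the stored hash is not constant-time; if the project's PHP baseline provides `hash_equals()` it is the usual replacement, otherwise a short comment on that line noting the limitation would help a later maintainer.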