From 85c00bc9a1008db5099e01efc448480c0339a80e Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Wed, 23 Jan 2013 23:13:02 +0100 Subject: [PATCH] Fixed #69 - all new stored passwords will be crypted. --- Gemfile | 3 --- app/models/user.rb | 29 ++++++++++++++++++++++------- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/Gemfile b/Gemfile index dc26dbe13..0d40d3c2a 100644 --- a/Gemfile +++ b/Gemfile @@ -37,9 +37,6 @@ gem 'daemons' gem 'simple-rss' -# To use ActiveModel has_secure_password -# gem 'bcrypt-ruby', '~> 3.0.0' - # e. g. on linux we need a javascript execution # gem 'libv8', '~> 3.11.8' # gem 'execjs' diff --git a/app/models/user.rb b/app/models/user.rb index b8b5f6bd1..46853275b 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,7 +1,9 @@ +require 'digest/sha2' + class User < ApplicationModel include Gmaps - before_create :check_name, :check_email, :check_login, :check_image, :check_geo + before_create :check_name, :check_email, :check_login, :check_image, :check_geo, :check_password before_update :check_password, :check_image, :check_geo, :check_email, :check_login has_and_belongs_to_many :groups, :after_add => :cache_update, :after_remove => :cache_update @@ -58,11 +60,15 @@ class User < ApplicationModel end end - # auth ok - if user.password == password - return user + # sha auth check + if user.password =~ /^\{sha2\}/ + crypted = Digest::SHA2.hexdigest( password ) + return user if user.password == "{sha2}#{crypted}" end + # plain auth check + return user if user.password == password + # auth failed return false end @@ -388,12 +394,21 @@ Your #{config.product_name} Team def check_password - # set old password again + # set old password again if not given if self.password == '' || !self.password # get current record - current = User.find(self.id) - self.password = current.password + if self.id + current = User.find(self.id) + self.password = current.password + end + + # create crypted password if not already crypted + else + if self.password !~ /^\{sha2\}/ + crypted = Digest::SHA2.hexdigest( self.password ) + self.password = "{sha2}#{crypted}" + end end end end