From d6a2ba6f349b32b93d303c80ca440c86801a1859 Mon Sep 17 00:00:00 2001 From: Ryan Schmidt Date: Fri, 19 Dec 2008 23:18:44 +0000 Subject: [PATCH] * adding two hooks UserCryptPassword and UserComparePasswords to allow extensions to change how passwords are hashed in the database --- RELEASE-NOTES | 2 ++ docs/hooks.txt | 12 ++++++++++++ includes/User.php | 11 +++++++++++ 3 files changed, 25 insertions(+) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 55fbb7e79f..0eda96bf8f 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -236,6 +236,8 @@ The following extensions are migrated into MediaWiki 1.14: * (bug 16459) Use native getElementsByClassName where possible, for better performance in modern browsers * Enable \cancel and \cancelto in texvc (recompile required) +* Added 'UserCryptPassword' and 'UserComparePasswords' hooks to allow extensions to implement + their own password hashing methods. === Bug fixes in 1.14 === diff --git a/docs/hooks.txt b/docs/hooks.txt index 0916bd1337..efb095cf54 100644 --- a/docs/hooks.txt +++ b/docs/hooks.txt 
@@ -1328,9 +1328,21 @@ $user: User (object) whose permission is being checked 'UserClearNewTalkNotification': called when clearing the "You have new messages!" message, return false to not delete it $user: User (object) that'll clear the message +'UserComparePasswords': called when checking passwords, return false to override the default password checks +&$hash: String of the password hash (from the database) +&$password: String of the plaintext password the user entered +&$userId: Integer of the user's ID or Boolean false if the user ID was not supplied +&$result: If the hook returns false, this Boolean value will be checked to determine if the password was valid + 'UserCreateForm': change to manipulate the login form $template: SimpleTemplate instance for the form +'UserCryptPassword': called when hashing a password, return false to implement your own hashing method +&$password: String of the plaintext password to encrypt +&$salt: String of the password salt or Boolean false if no salt is provided +&$wgPasswordSalt: Boolean of whether the salt is used in the default hashing method +&$hash: If the hook returns false, this String will be used as the hash + 'UserEffectiveGroups': Called in User::getEffectiveGroups() $user: User to get groups for &$groups: Current effective groups diff --git a/includes/User.php b/includes/User.php index 85701e320d..3ae85b1477 100644 --- a/includes/User.php +++ b/includes/User.php @@ -3249,6 +3249,11 @@ class User { static function crypt( $password, $salt = false ) { global $wgPasswordSalt; + $hash = ''; + if( !wfRunHooks( 'UserCryptPassword', array( &$password, &$salt, &$wgPasswordSalt, &$hash ) ) ) { + return $hash; + } + if( $wgPasswordSalt ) { if ( $salt === false ) { $salt = substr( wfGenerateToken(), 0, 8 ); 
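Review bot: The early return in `crypt()` hands back `$hash` unchecked, so a handler that returns false without filling `$hash` makes the function return the empty string initialised just above, which the caller would presumably store as the password hash. Falling through to the built-in hashing in that case is the safer default, e.g. `if( !wfRunHooks( 'UserCryptPassword', array( &$password, &$salt, &$wgPasswordSalt, &$hash ) ) && is_string( $hash ) && $hash !== '' ) {`. Passing `&$wgPasswordSalt` by reference also lets a handler change the global setting for the rest of the request; handing the hook a local copy would avoid that. The rest of `crypt()` lies outside the hunk.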
@@ -3271,6 +3276,12 @@ class User { static function comparePasswords( $hash, $password, $userId = false ) { $m = false; $type = substr( $hash, 0, 3 ); + + $result = false; + if( !wfRunHooks( 'UserComparePasswords', array( &$hash, &$password, &$userId, &$result ) ) ) { + return $result; + } + if ( $type == ':A:' ) { # Unsalted return md5( $password ) === substr( $hash, 3 ); -- 2.20.1
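Review bot: `$type = substr( $hash, 0, 3 );` is computed before the `UserComparePasswords` hook runs, but the hook receives `&$hash` by reference. A handler that rewrites `$hash` and returns true therefore leaves the `:A:` check working on a stale prefix while `substr( $hash, 3 )` reads the rewritten value; moving the `$type` assignment below the hook block keeps the two in step. The early `return $result;` also passes through whatever type the handler stored, so `return $result === true;` would ensure only an explicit boolean true counts as a valid password. The remainder of `comparePasswords()` is outside the hunk.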