2 // +----------------------------------------------------------------------+
3 // | Anuko Time Tracker
4 // +----------------------------------------------------------------------+
5 // | Copyright (c) Anuko International Ltd. (https://www.anuko.com)
6 // +----------------------------------------------------------------------+
7 // | LIBERAL FREEWARE LICENSE: This source code document may be used
8 // | by anyone for any purpose, and freely redistributed alone or in
9 // | combination with other software, provided that the license is obeyed.
11 // | There are only two ways to violate the license:
13 // | 1. To redistribute this code in source form, with the copyright
14 // | notice or license removed or altered. (Distributing in compiled
15 // | forms without embedded copyright notices is permitted).
17 // | 2. To redistribute modified versions of this code in *any* form
18 // | that bears insufficient indications that the modifications are
19 // | not the work of the original author(s).
21 // | This license applies to this document only, not any other software
22 // | that it may be combined with.
24 // +----------------------------------------------------------------------+
26 // | https://www.anuko.com/content/time_tracker/open_source/credits.htm
27 // +----------------------------------------------------------------------+
30 * Auth_db class is used to authenticate users against internal DB
31 * @package TimeTracker
33 class Auth_db extends Auth {
36 * Authenticate user against internal users DB
38 * @param string $login
39 * @param string $password
42 function authenticate($login, $password)
44 $mdb2 = getConnection();
46 // Try md5 password match first.
47 $sql = "SELECT id FROM tt_users".
48 " WHERE login = ".$mdb2->quote($login)." AND password = md5(".$mdb2->quote($password).") AND status = 1";
50 $res = $mdb2->query($sql);
51 if (is_a($res, 'PEAR_Error')) {
52 die($res->getMessage());
55 $val = $res->fetchRow();
57 return array('login'=>$login,'id'=>$val['id']);
59 // If the OLD_PASSWORDS option is defined - set it.
60 if (isTrue(OLD_PASSWORDS)) {
61 $sql = "SET SESSION old_passwords = 1";
62 $res = $mdb2->query($sql);
63 if (is_a($res, 'PEAR_Error')) {
64 die($res->getMessage());
67 // Try legacy password match. This is needed for compatibility with older versions of TT.
68 $sql = "SELECT id FROM tt_users
69 WHERE login = ".$mdb2->quote($login)." AND password = old_password(".$mdb2->quote($password).") AND status = 1";
70 $res = $mdb2->query($sql);
71 if (is_a($res, 'PEAR_Error')) {
72 return false; // Simply return false for a meaningful error message on screen, see the comment below.
73 // die($res->getMessage()); // old_password() function is removed in MySQL 5.7.5.
74 // We are getting a confusing "MDB2 Error: not found" in this case if we die.
75 // TODO: perhaps it's time to simplify things and remove handling of old passwords completely.
76 // HOWEVER: some users apparently never change their passwords. When I tried removing OLD_PASSWORDS
77 // support in November 2018, there were login issues with such users.
79 $val = $res->fetchRow();
81 return array('login'=>$login,'id'=>$val['id']);
85 // Special handling for admin@localhost - search for an account with admin role with a matching password.
86 if ($login == 'admin@localhost') {
87 $sql = "SELECT u.id, u.login FROM tt_users u".
88 " LEFT JOIN tt_roles r on (u.role_id = r.id)".
89 " WHERE r.rank = 1024 AND password = md5(".$mdb2->quote($password).") AND u.status = 1";
90 $res = $mdb2->query($sql);
91 if (is_a($res, 'PEAR_Error')) {
92 die($res->getMessage());
94 $val = $res->fetchRow();
96 return array('login'=>$val['login'],'id'=>$val['id']);
103 function isPasswordExternal() {
projects / timetracker.git / blob