Das Admin-Passwort nicht im Klartext in Session-Tabelle ablegen

[mfinanz.git] / SL / Auth.pm

diff --git a/SL/Auth.pm b/SL/Auth.pm
index 3ff6a1c3b8bf93493ddda1cce8a2d127af536996..5f3c65dd8abdc2b4e913520420935b3b89e5a611 100644 (file)
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -137,12 +137,10 @@ sub _read_auth_config {
 sub authenticate_root {
   $main::lxdebug->enter_sub();
 
-  my $self           = shift;
-  my $password       = shift;
-  my $is_crypted     = shift;
+  my ($self, $password) = @_;
 
-  $password          = crypt $password, 'ro' if (!$password || !$is_crypted);
-  my $admin_password = crypt "$self->{admin_password}", 'ro';
+  $password             = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $password);
+  my $admin_password    = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $self->{admin_password});
 
   $main::lxdebug->leave_sub();
 
@@ -173,6 +171,15 @@ sub store_credentials_in_session {
   $self->set_session_value(login => $params{login}, password => $params{password});
 }
 
+sub store_root_credentials_in_session {
+  my ($self, $rpw) = @_;
+
+  $rpw = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $rpw)
+    unless $self->{authenticator}->requires_cleartext_password;
+
+  $self->set_session_value(rpw => $rpw);
+}
+
 sub dbconnect {
   $main::lxdebug->enter_sub(2);