r44815 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r44814‎ \| r44815 \| r44816 >
Date:	23:18, 19 December 2008
Author:	skizzerz
Status:	ok
Tags:
Comment:	* adding two hooks UserCryptPassword and UserComparePasswords to allow extensions to change how passwords are hashed in the database
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/docs/hooks.txt (modified) (history) /trunk/phase3/includes/User.php (modified) (history)

Diff [purge]

Index: trunk/phase3/docs/hooks.txt
—	—	@@ -1328,9 +1328,21 @@
1329	1329	'UserClearNewTalkNotification': called when clearing the "You have new messages!" message, return false to not delete it
1330	1330	$user: User (object) that'll clear the message
1331	1331
	1332	+'UserComparePasswords': called when checking passwords, return false to override the default password checks
	1333	+&$hash: String of the password hash (from the database)
	1334	+&$password: String of the plaintext password the user entered
	1335	+&$userId: Integer of the user's ID or Boolean false if the user ID was not supplied
	1336	+&$result: If the hook returns false, this Boolean value will be checked to determine if the password was valid
	1337	+
1332	1338	'UserCreateForm': change to manipulate the login form
1333	1339	$template: SimpleTemplate instance for the form
1334	1340
	1341	+'UserCryptPassword': called when hashing a password, return false to implement your own hashing method
	1342	+&$password: String of the plaintext password to encrypt
	1343	+&$salt: String of the password salt or Boolean false if no salt is provided
	1344	+&$wgPasswordSalt: Boolean of whether the salt is used in the default hashing method
	1345	+&$hash: If the hook returns false, this String will be used as the hash
	1346	+
1335	1347	'UserEffectiveGroups': Called in User::getEffectiveGroups()
1336	1348	$user: User to get groups for
1337	1349	&$groups: Current effective groups
Index: trunk/phase3/includes/User.php
—	—	@@ -3249,6 +3249,11 @@
3250	3250	static function crypt( $password, $salt = false ) {
3251	3251	global $wgPasswordSalt;
3252	3252
	3253	+ $hash = '';
	3254	+ if( !wfRunHooks( 'UserCryptPassword', array( &$password, &$salt, &$wgPasswordSalt, &$hash ) ) ) {
	3255	+ return $hash;
	3256	+ }
	3257	+
3253	3258	if( $wgPasswordSalt ) {
3254	3259	if ( $salt === false ) {
3255	3260	$salt = substr( wfGenerateToken(), 0, 8 );
—	—	@@ -3271,6 +3276,12 @@
3272	3277	static function comparePasswords( $hash, $password, $userId = false ) {
3273	3278	$m = false;
3274	3279	$type = substr( $hash, 0, 3 );
	3280	+
	3281	+ $result = false;
	3282	+ if( !wfRunHooks( 'UserComparePasswords', array( &$hash, &$password, &$userId, &$result ) ) ) {
	3283	+ return $result;
	3284	+ }
	3285	+
3275	3286	if ( $type == ':A:' ) {
3276	3287	# Unsalted
3277	3288	return md5( $password ) === substr( $hash, 3 );
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -236,6 +236,8 @@
237	237	* (bug 16459) Use native getElementsByClassName where possible, for better
238	238	performance in modern browsers
239	239	* Enable \cancel and \cancelto in texvc (recompile required)
	240	+* Added 'UserCryptPassword' and 'UserComparePasswords' hooks to allow extensions to implement
	241	+ their own password hashing methods.
240	242
241	243	=== Bug fixes in 1.14 ===
242	244

Status & tagging log

19:51, 23 December 2008 Brion VIBBER (talk | contribs) changed the status of r44815 [removed: new added: ok]