FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Sentry activation_hash/Password validation FAIL !
  • Hi, my name is Dustin. Currently I am checking the auth package "Sentry", which is highly
    recommended for my requirements. I use it as a codebase. I believe I have found a big logical mistake by the author of Sentry, in file user.php line 915, method "check_password". The method has 2 input parameters. At first he grabs the salt of the activation_hash. The salt is 16 characters long.
    Then he uses the salt and activation_hash/password to build a new hash on the basis of the complete password/activation_hash with a new random salt. This is very wrong and results in the password never being matched.
    /**
      * Checks the given password to see if it matches the one in the database.
      *
      * @param   string  Password to check
      * @param   string  Password type
      * @return  bool
      */
     public function check_password($password, $field = 'password')
     {
      // grabs the salt from the current password
      $salt = substr($this->user[$field], 0, 16);
    
      // hash the inputted password
      $password = $salt.$this->hash_password($password, $salt);
    
     
      // check to see if passwords match
      return $password == $this->user[$field];
     }
    
    
    I have replaced it with:
    /**
      * Checks the given password to see if it matches the one in the database.
      *
      * @param   string  Password to check
      * @param   string  Password type
      * @return  bool
      */
     public function check_password($password, $field = 'password')
     {
      // check to see if passwords match
      return $password === $this->user[$field];
     }
    


    ADDED!!!

    If you want to create a new user by
    $user = new Sentry\Sentry_User();
    $added = $user->create(array('email'=>'foobar@gmail.de','password'=>'foobar'),$activation = true);
    $user -> add_to_group('test');
    
    and now add this member to a group, that doesn't work!!!
    Solution:
    The method 'add_to_group' in user.php needs the filled 'user' variable, which is loaded when you create a new instance with an id or email. But if you want to create a new user, this 'user' variable is empty.
    /**
      * Create's a new user.  Returns user 'id'.
      *
      * @param   array  User array for creation
      * @return  int
      * @throws  SentryUserException
      */
     public function create(array $user, $activation = false)
     {
      /*
       *  code shortened...
       */
    
    
      if ($activation)
      {
      
       if ($rows_affected > 0)
       {
        // ***Pass the user information to the global user variable so other methods like 'add_to_group' can use this**//
        $this->user = $metadata;
        
        return array(
         'user_id'   => (int) $insert_id,
         'hash' => base64_encode($user[$this->login_column]).'/'.$hash
        );
       }
    
       return false;
      }
      return ($rows_affected > 0) ? (int) $insert_id : false;
     }
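
For reference, an added example (not part of the original post and not Sentry's code) of how a salt-prefixed password field is verified: the 16-character salt is read back from the stored value and reused to hash the candidate, and the result is compared in constant time. `make_hash()`, `store_password()`, `verify_password()` and the SHA-256 choice are assumptions for illustration; Sentry's own `hash_password()` is not shown on this page.

```php
<?php
// Added illustration. make_hash() is a hypothetical stand-in for the
// library's hashing routine, which does not appear on this page.
const SALT_LEN = 16;

// Hash a password under a given salt. SHA-256 is an assumption for this
// sketch; new code should prefer password_hash()/password_verify().
function make_hash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Stored value layout: fresh random 16-character salt, then the hash.
function store_password(string $password): string
{
    $salt = bin2hex(random_bytes(SALT_LEN / 2)); // 16 hex characters
    return $salt . make_hash($password, $salt);
}

// Verification re-uses the salt kept at the front of the stored value.
function verify_password(string $candidate, string $stored): bool
{
    $salt     = substr($stored, 0, SALT_LEN);
    $expected = $salt . make_hash($candidate, $salt);
    return hash_equals($stored, $expected); // constant-time comparison
}

$stored = store_password('foobar'); // constructed sample credential

// Case 1: correct and incorrect candidates, hashed with the stored salt.
var_dump(verify_password('foobar', $stored));
var_dump(verify_password('wrong', $stored));

// Case 2: hashing the same password again with a NEW random salt gives a
// different string, which is why the stored salt has to be reused.
var_dump(hash_equals($stored, store_password('foobar')));

// Case 3: comparing the raw input with the stored field only succeeds when
// the caller already holds the stored salt+hash string itself.
var_dump('foobar' === $stored);

// Built-in equivalent: the salt and cost are embedded in the hash string.
$modern = password_hash('foobar', PASSWORD_DEFAULT);
var_dump(password_verify('foobar', $modern));
```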
    
    
  • Sentry for FuelPHP is not actively maintained by the author anymore. If you found a bug and have fixed it, fork the repository on GitHub, fix it there, and send the author a pull request. I'm pretty sure he will accept it, which allows others to benefit from your fix too...
