Using publish_xp.php when Gallery is embedded in Geeklog

robinbowes

Joined: 2002-09-20
Posts: 99

Posted: Tue, 2004-04-27 22:08

Hi,

Out of the box, publish_xp.php does not work when Gallery is embedded within Geeklog.

I've done some detective work and have got it working with a minor tweak to classes/geeklog/User.php.

Simply add the following function at the end of User.php to override the default:

function isCorrectPassword($password_hash) {
    # Get the user's password hash from Geeklog
    $gl_passwd = COM_getpassword($this->username);
    return (!strcmp($gl_passwd, $password_hash));
}

Now, whilst this works, there is an alternative approach.

The default isCorrectPassword function is as follows:

function isCorrectPassword($password) {
   $hash = '';
   if(strlen($this->password) == 32) { // old password schema
      $hash =  md5($password);
   }
   else {
      $salt = substr($this->password,0, 4);
      $hash = $salt.md5($salt.$password);
   }
   return (!strcmp($this->password, $hash));
}

This fails with geeklog because neither the loadByUid or loadByUserName functions in classes/geeklog/User.php read the password from the database and set it in user object.

This could be corrected by adding an additional line in each of these functions as follows:

$this->password = $userInfo['password'];

This would also mean adding the "password" field to the SQL query.

Is there any reason why this approach wouldn't work? Does it cause any security issues?

Cheers,

R.

robinbowes Joined: 2002-09-20 Posts: 99	Posted: Tue, 2004-04-27 22:08
	Hi, Out of the box, publish_xp.php does not work when Gallery is embedded within Geeklog. I've done some detective work and have got it working with a minor tweak to classes/geeklog/User.php. Simply add the following function at the end of User.php to override the default: function isCorrectPassword($password_hash) { # Get the user's password hash from Geeklog $gl_passwd = COM_getpassword($this->username); return (!strcmp($gl_passwd, $password_hash)); } Now, whilst this works, there is an alternative approach. The default isCorrectPassword function is as follows: function isCorrectPassword($password) { $hash = ''; if(strlen($this->password) == 32) { // old password schema $hash = md5($password); } else { $salt = substr($this->password,0, 4); $hash = $salt.md5($salt.$password); } return (!strcmp($this->password, $hash)); } This fails with geeklog because neither the loadByUid or loadByUserName functions in classes/geeklog/User.php read the password from the database and set it in user object. This could be corrected by adding an additional line in each of these functions as follows: `$this->password = $userInfo['password'];` This would also mean adding the "password" field to the SQL query. Is there any reason why this approach wouldn't work? Does it cause any security issues? Cheers, R.
	XUser login Username: * Password: * Create new account Request new password

Using publish_xp.php when Gallery is embedded in Geeklog

XUser login