BUGFIX Fixed Member->PasswordEncryption defaults when writing new Member without setting a password. Fixes critical issue with MemberTableField saving in admin/security, where new members are stored with a cleartext password by default instead of using the default SHA1 (see #5772)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107532 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2010-07-06 01:54:55 +00:00 committed by Sam Minnee
parent b8f27de42e
commit 7ac4a9ec4d
2 changed files with 19 additions and 8 deletions


@ -636,7 +636,7 @@ class Member extends DataObject {
// The test on $this->ID is used for when records are initially created.
// Note that this only works with cleartext passwords, as we can't rehash
// existing passwords.
if(!$this->ID || $this->isChanged('Password')) {
if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
// Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext
@ -644,8 +644,9 @@ class Member extends DataObject {
$this->PasswordEncryption,
$this
);
// Overwrite the Password property with the hashed value
$this->Password = $encryption_details['password'];
; $this->Password = $encryption_details['password'];
$this->Salt = $encryption_details['salt'];
$this->PasswordEncryption = $encryption_details['algorithm'];
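Review bot: The new guard `(!$this->ID && $this->Password)` tests the password by truthiness, and PHP evaluates the string `'0'` as false, so for that value on a new record the first branch is skipped and hashing depends entirely on `isChanged('Password')`, whose behaviour for unsaved records is not visible here. An explicit emptiness test such as `(!$this->ID && strlen((string)$this->Password) > 0)` keeps the decision to hash independent of the password's content. The rewritten assignment further down also appears to begin with a stray `;` (`; $this->Password = $encryption_details['password'];`), a harmless empty statement that should be dropped. The enclosing method starts and ends outside the hunk.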


@ -52,13 +52,20 @@ class MemberTest extends FunctionalTest {
}
function testDefaultPasswordEncryptionOnMember() {
$member = new Member();
$member->Password = 'mypassword';
$member->write();
$memberWithPassword = new Member();
$memberWithPassword->Password = 'mypassword';
$memberWithPassword->write();
$this->assertEquals(
$member->PasswordEncryption,
$memberWithPassword->PasswordEncryption,
Security::get_password_encryption_algorithm(),
'Password encryption is set for new member records on first write'
'Password encryption is set for new member records on first write (with setting "Password")'
);
$memberNoPassword = new Member();
$memberNoPassword->write();
$this->assertNull(
$memberNoPassword->PasswordEncryption,
'Password encryption is not set for new member records on first write, when not setting a "Password")'
);
}
@ -68,6 +75,7 @@ class MemberTest extends FunctionalTest {
$member->PasswordEncryption = 'sha1_v2.4';
$member->write();
$origAlgo = Security::get_password_encryption_algorithm();
Security::set_password_encryption_algorithm('none');
$member->Password = 'mynewpassword';
@ -79,6 +87,8 @@ class MemberTest extends FunctionalTest {
);
$result = $member->checkPassword('mynewpassword');
$this->assertTrue($result->valid());
Security::set_password_encryption_algorithm($origAlgo);
}
function testSetPassword() {
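Review bot: testDefaultPasswordEncryptionOnMember stops at asserting that `PasswordEncryption` is null after a password-less first write, so the case that appears to be the one in the commit message (a member created without a password that is given one afterwards) is never exercised. After the `assertNull`, set `$memberNoPassword->Password = 'mypassword';`, call `$memberNoPassword->write();` and add `$this->assertEquals(Security::get_password_encryption_algorithm(), $memberNoPassword->PasswordEncryption);` so that a regression to cleartext storage fails the suite. Separately, in the last hunk the restore `Security::set_password_encryption_algorithm($origAlgo);` only runs when every earlier assertion in that test passes; restoring it in `tearDown()` would keep the `'none'` setting from leaking into later tests. That test's signature lies outside the hunk.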