Just update password hash without validating
Fixes #11097 If your password hash changed (becuse your are on 7.2 and we moved to ARGON2). Then we shold not 'set a new password' but just update the hash. As else we invoke the password policy again which might lock out users. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
8ede3f6346
commit
0c9a3de68f
1 changed files with 12 additions and 8 deletions
|
@ -176,6 +176,16 @@ class Database extends ABackend
|
|||
return $result ? true : false;
|
||||
}
|
||||
|
||||
private function updatePassword(string $uid, string $passwordHash): bool {
|
||||
$query = $this->dbConn->getQueryBuilder();
|
||||
$query->update($this->table)
|
||||
->set('password', $query->createNamedParameter($passwordHash))
|
||||
->where($query->expr()->eq('uid_lower', $query->createNamedParameter(mb_strtolower($uid))));
|
||||
$result = $query->execute();
|
||||
|
||||
return $result ? true : false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set password
|
||||
*
|
||||
|
@ -195,13 +205,7 @@ class Database extends ABackend
|
|||
$hasher = \OC::$server->getHasher();
|
||||
$hashedPassword = $hasher->hash($password);
|
||||
|
||||
$query = $this->dbConn->getQueryBuilder();
|
||||
$query->update($this->table)
|
||||
->set('password', $query->createNamedParameter($hashedPassword))
|
||||
->where($query->expr()->eq('uid_lower', $query->createNamedParameter(mb_strtolower($uid))));
|
||||
$result = $query->execute();
|
||||
|
||||
return $result ? true : false;
|
||||
return $this->updatePassword($uid, $hashedPassword);
|
||||
}
|
||||
|
||||
return false;
|
||||
|
@ -314,7 +318,7 @@ class Database extends ABackend
|
|||
$newHash = '';
|
||||
if (\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
|
||||
if (!empty($newHash)) {
|
||||
$this->setPassword($uid, $password);
|
||||
$this->updatePassword($uid, $newHash);
|
||||
}
|
||||
return (string)$row['uid'];
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue