This might be some kind of security issue but after 2 days I have not been able to track it down.
Now it seems that it does not affect everyone, but this one install of Zenphoto 1.4.4.3 will not authenticate no matter what I do, even with a fresh install. I created a new user and it worked temporarily, then somehow stopped.
Is there any insight that you can give me?
-------------------------------
```php
function authorize($args) {
    global $_zp_authority;
    $args = decode64($args);
    if (!preg_match('#^1.4#', ($version = getVersion())))
        return new IXR_Error(-2, 'Zenphoto version '.$version.' but v1.4.x required!');
    $_zp_authority = new Zenphoto_Authority();
    // Computes the hash with the default hash version only; the stored `passhash`
    // version of the user row is not consulted here.
    $hash = $_zp_authority->passwordHash($args['loginUsername'], $args['loginPassword']);
    $userobj = $_zp_authority->getAnAdmin(array('`user`=' => $args['loginUsername'], '`pass`=' => $hash, '`valid`=' => 1));
    if($userobj) {
        return true;
    } else {
        // Note: this error echoes the submitted plaintext password back to the XML-RPC caller.
        return new IXR_Error(-1, 'Incorrect username or password '.$args['loginUsername'].' '.$args['loginPassword']);
    }
}
```
Comments
But some comments on the code snippet you have posted.
is "decode64" supposed to be `base64_decode`?
`$_zp_authority` should probably already be defined unless the plugin is loading "bare" in which case you won't have other needed functions, so I doubt that is true.
Otherwise the code looks right. If you get an empty result from the getAnAdmin it means that there was no database entry that matched your parameters.
I suggest you log the input parameters to be sure they are not being corrupted.
Optimizing and adding new features ...so thank you for the suggestions
-------------------------
The working installation zp-1.4.4.3
```
["passhash"]=>
string(1) "2"
```
-----------------------
Not working zp-1.4.4.3
```
["passhash"]=>
string(1) "0"
```
The ONLY significant difference between the 2 is that passhash string. Any insight on this?
The first case would work since the empty string will tend to match anything. But of course it should not be empty in the first place.
Are the user and password decoded correctly?
If you set the `DEBUG_LOGIN` define to true the debug log will record the parameters and result of your call to `passwordHash()`. But it seems most likely that the Zenphoto environment has not been setup correctly.
-----------------------
```php
$_zp_authority->getAnAdmin(array('user=' => $args['loginUsername'], 'pass=' => $hash, 'valid=' => 1));
```
-----------------------
[passhash] changes from 0 and higher depending on some variable (the code makes sense now) but why on my other installation is my passhash 0 and not higher and my password is correct...curious
I might have to make some changes to get this to work OR see why the other instance of Zenphoto operates differently.
I might also note that the actual value of this may be different by user, so your code would probably have to check each version (currently 0, 1, and 2) to be robust.
This is the code we use to check a logon:
```php
// Try every known hash version; a user row may have been stored under any of them.
foreach(Zenphoto_Authority::$hashList as $hash=>$hi) {
    $auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
    // Loose (==) string comparison; PHP juggles numeric-looking strings, so a strict
    // comparison such as hash_equals() is the safer choice for hash checks.
    $success = ($auth == $check_auth) && $post_user == $check_user;
    // With DEBUG_LOGIN enabled this line writes the plaintext password to the debug log.
    if (DEBUG_LOGIN) debugLog("zp_handle_password($success): \$post_user=$post_user; \$post_pass=$post_pass; \$check_auth=$check_auth; \$auth=$auth; \$hash=$hash;");
    if ($success) {
        break;
    }
}
```
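To make the failure mode in this thread concrete, here is an added example (not Zenphoto's or the plugin's own code) that contrasts a single-version check like the plugin's `authorize()` with the loop over all hash versions shown above. The per-version hash functions, the user rows and the version list `[0, 1, 2]` are constructed stand-ins, since the real `Zenphoto_Authority::passwordHash()` and `$hashList` are not shown in the thread.

```php
<?php
// Stand-in for passwordHash($user, $pass, $version) (assumption: the real
// Zenphoto implementation differs; only the versioning behaviour matters here).
function hypothetical_password_hash(string $user, string $pass, int $version): string {
    switch ($version) {
        case 0: return md5($user . $pass);
        case 1: return sha1($user . $pass);
        case 2: return hash('sha256', $user . $pass);
    }
    throw new InvalidArgumentException("unknown passhash version $version");
}

// Constructed "administrators" rows: alice was stored with passhash 2,
// bob with passhash 0, mirroring the two var_dump() results in the thread.
$users = [
    'alice' => ['pass' => hypothetical_password_hash('alice', 'secret', 2), 'passhash' => 2, 'valid' => 1],
    'bob'   => ['pass' => hypothetical_password_hash('bob', 'hunter2', 0),  'passhash' => 0, 'valid' => 1],
];

// The plugin's approach: hash with one (default) version and look for an exact row match.
// A user whose row was written under a different version can never authenticate this way.
function authorize_single_version(array $users, string $user, string $pass, int $default = 2): bool {
    if (!isset($users[$user]) || $users[$user]['valid'] !== 1) {
        return false;
    }
    $hash = hypothetical_password_hash($user, $pass, $default);
    return hash_equals($users[$user]['pass'], $hash); // constant-time, strict comparison
}

// The approach from the developer's post: try each known version until one matches.
function authorize_all_versions(array $users, string $user, string $pass): bool {
    if (!isset($users[$user]) || $users[$user]['valid'] !== 1) {
        return false;
    }
    foreach ([0, 1, 2] as $version) { // stand-in for Zenphoto_Authority::$hashList
        if (hash_equals($users[$user]['pass'], hypothetical_password_hash($user, $pass, $version))) {
            return true;
        }
    }
    return false;
}

var_dump(authorize_single_version($users, 'alice', 'secret'));
var_dump(authorize_single_version($users, 'bob', 'hunter2')); // bob's row was stored under version 0
var_dump(authorize_all_versions($users, 'bob', 'hunter2'));
```

Run with `php example.php`; the middle check is the one that reproduces the "Incorrect username or password" result for a correct password.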