
html/user/lookup_account.php (2 issues)

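<?php
// This file is part of BOINC.
// http://boinc.berkeley.edu
// Copyright (C) 2008 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation,
// either version 3 of the License, or (at your option) any later version.
//
// BOINC is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC.  If not, see <http://www.gnu.org/licenses/>.

// RPC handler for account lookup.
//
// Request parameters (read with get_str()):
//   LDAP case (taken only when LDAP_HOST is configured and ldap_auth is set):
//     ldap_auth, ldap_uid, passwd
//   Normal case:
//     email_addr   - required
//     passwd_hash  - optional; when absent the RPC only reports whether an
//                    account with that email exists (<success/>)
//
// Response: <account_out> containing <authenticator>, or <success/> for the
// existence-only check.  Errors go through xml_error(), which ends the
// request.  Lookup and password failures sleep LOGIN_FAIL_SLEEP_SEC before
// answering so that guessing is slowed down.

require_once("../inc/boinc_db.inc");
require_once("../inc/util.inc");
require_once("../inc/email.inc");
require_once("../inc/xml.inc");
require_once("../inc/ldap.inc");
require_once("../inc/user_util.inc");
require_once("../inc/password_compat/password.inc");

xml_header();
$retval = db_init_xml();
if ($retval) xml_error($retval);

$ldap_auth = get_str("ldap_auth", true);

if (LDAP_HOST && $ldap_auth) {
    // LDAP case: authenticate against the directory, then find (or create)
    // the BOINC user record keyed by the LDAP-derived email string.
    //
    $ldap_uid = get_str("ldap_uid");
    $passwd = get_str("passwd");
    list ($ldap_user, $error_msg) = ldap_auth($ldap_uid, $passwd);
    if ($error_msg) {
        sleep(LOGIN_FAIL_SLEEP_SEC);
        xml_error(ERR_BAD_USER_NAME, $error_msg);
    }
    $x = ldap_email_string($ldap_uid);
    $user = BoincUser::lookup_email_addr($x);
    if (!$user) {
        $user = make_user_ldap($x, $ldap_user->name);
        if (!$user) {
            xml_error(-1, "user record creation failed");
        }
    }
} else {
    // normal (non-LDAP) case
    $email_addr = get_str("email_addr");
    $passwd_hash = get_str("passwd_hash", true);

    // email_addr is caller-supplied and is interpolated into the WHERE
    // clause, so it must be escaped first.
    $email_addr = BoincDb::escape_string($email_addr);
    $user = BoincUser::lookup("email_addr='$email_addr'");
    if (!$user) {
        sleep(LOGIN_FAIL_SLEEP_SEC);
        xml_error(ERR_DB_NOT_FOUND);
    }

    // No passwd_hash: the caller was only testing for existence of an
    // account with the given email.
    //
    if (!$passwd_hash) {
        echo "<account_out>\n";
        echo "   <success/>\n";
        echo "</account_out>\n";
        exit();
    }

    // Alternate credential accepted below: md5 of authenticator + email.
    $auth_hash = md5($user->authenticator.$user->email_addr);

    // if no password set, set password to account key
    // Open questions left by the original authors:
    // WHEN WOULD THIS EVER HAPPEN?
    // WHY SET IT TO AUTHENTICATOR?
    // SHOULD RETURN PASSWD FAILURE?
    //
    if (!strlen($user->passwd_hash)) {
        $user->passwd_hash = password_hash($auth_hash, PASSWORD_DEFAULT);
        $user->update(" passwd_hash='$user->passwd_hash' ");
    }

    // The request is accepted if the supplied hash verifies against the
    // stored password hash, or if it equals the auth hash computed above.
    // The second comparison is strict (===): with == PHP compares two
    // numeric-looking strings numerically, so unrelated hex digests of the
    // form "0e..." would compare equal.  Anything else is a bad password.
    $passwd_ok = check_passwd_hash($user, $passwd_hash)
        || $auth_hash === $passwd_hash;
    if (!$passwd_ok) {
        sleep(LOGIN_FAIL_SLEEP_SEC);
        xml_error(ERR_BAD_PASSWD);
    }
}
echo "<account_out>\n";
echo "<authenticator>$user->authenticator</authenticator>\n";
echo "</account_out>\n";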