Moving password decoding to UserManager class

2024-11-09 19:52:16 +00:00 · 2013-06-18 16:40:41 +02:00 · 2013-06-18 16:40:41 +02:00 · 08b9b1b293
commit 08b9b1b293
parent 7042634a89
3 changed files with 21 additions and 20 deletions
--- a/api/init.py
+++ b/api/init.py
@ -46,14 +46,11 @@ def authorize():
 			request.user = user
 			return

-	(username, decoded_pass) = map(request.args.get, [ 'u', 'p' ])
-	if not username or not decoded_pass:
+	(username, password) = map(request.args.get, [ 'u', 'p' ])
+	if not username or not password:
 		return error

-	if decoded_pass.startswith('enc:'):
-		decoded_pass = hexdecode(decoded_pass[4:])
-	
-	status, user = UserManager.try_auth(username, decoded_pass)
+	status, user = UserManager.try_auth(username, password)
 	if status != UserManager.SUCCESS:
 		return error

@ -188,13 +185,6 @@ class ResponseHelper:

 		return ret.replace('"True"', '"true"').replace('"False"', '"false"')

-def hexdecode(enc):
-	ret = ''
-	while enc:
-		ret = ret + chr(int(enc[:2], 16))
-		enc = enc[2:]
-	return ret
-
 def get_entity(req, ent, param = 'id'):
 	eid = req.args.get(param)
 	if not eid:
--- a/api/user.py
+++ b/api/user.py
@ -3,7 +3,6 @@
 from flask import request
 from web import app
 from db import User
-from . import hexdecode
 from user_manager import UserManager

@app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ])
@ -38,9 +37,6 @@ def user_add():
 		return request.error_formatter(10, 'Missing parameter')
 	admin = True if admin in (True, 'True', 'true', 1, '1') else False

-	if password.startswith('enc:'):
-		password = hexdecode(password[4:])
-
 	status = UserManager.add(username, password, email, admin)
 	if status == UserManager.NAME_EXISTS:
 		return request.error_formatter(0, 'There is already a user with that username')
@ -72,9 +68,6 @@ def user_changepass():
 	if username != request.username and not request.user.admin:
 		return request.error_formatter(50, 'Admin restricted')

-	if password.startswith('enc:'):
-		password = hexdecode(password[4:])
-
 	status = UserManager.change_password2(username, password)
 	if status != UserManager.SUCCESS:
 		return request.error_formatter(0, UserManager.error_str(status))
--- a/user_manager.py
+++ b/user_manager.py
@ -35,6 +35,7 @@ class UserManager:
 		if User.query.filter(User.name == name).first():
 			return UserManager.NAME_EXISTS

+		password = UserManager.__decode_password(password)
 		crypt, salt = UserManager.__encrypt_password(password)
 		user = User(name = name, mail = mail, password = crypt, salt = salt, admin = admin)
 		session.add(user)
@ -55,6 +56,7 @@ class UserManager:

 	@staticmethod
 	def try_auth(name, password):
+		password = UserManager.__decode_password(password)
 		user = User.query.filter(User.name == name).first()
 		if not user:
 			return UserManager.NO_SUCH_USER, None
@ -69,6 +71,9 @@ class UserManager:
 		if status != UserManager.SUCCESS:
 			return status

+		old_pass = UserManager.__decode_password(old_pass)
+		new_pass = UserManager.__decode_password(new_pass)
+
 		if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password:
 			return UserManager.WRONG_PASS

@ -82,6 +87,7 @@ class UserManager:
 		if not user:
 			return UserManager.NO_SUCH_USER

+		new_pass = UserManager.__decode_password(new_pass)
 		user.password = UserManager.__encrypt_password(new_pass, user.salt)[0]
 		session.commit()
 		return UserManager.SUCCESS
@ -107,3 +113,15 @@ class UserManager:
 			salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6))
 		return hashlib.sha1(salt + password).hexdigest(), salt

+	@staticmethod
+	def __decode_password(password):
+		if not password.startswith('enc:'):
+			return password
+
+		enc = password[4:]
+		ret = ''
+		while enc:
+			ret = ret + chr(int(enc[:2], 16))
+			enc = enc[2:]
+		return ret
+