Commit 4a3b76b1 authored by Nigel McNie's avatar Nigel McNie Committed by Nigel McNie

The "internal" authentication type, which uses a salted sha1 password lookup on the application database.
parent 115d3e48
* This program is part of Mahara
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
* @package mahara
* @subpackage auth
* @author Nigel McNie <>
* @license GNU GPL
* @copyright (C) 2006,2007 Catalyst IT Ltd
defined('INTERNAL') || die();
class Auth_Internal extends Auth {
* Attempt to authenticate user
public static function authenticate_user_account($username, $password, $institution) {
if (!$user = get_record_sql('SELECT username, password, salt
FROM ' . get_config('dbprefix') . 'usr
WHERE LOWER(username) = ?', strtolower($username))) {
throw new AuthUnknownUserException("\"$username\" is not known to Auth_Internal");
return Auth_Internal::validate_password($password, $user->password, $user->salt);
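Review bot: the `$institution` parameter of `authenticate_user_account` is never used; the lookup `SELECT username, password, salt ... WHERE LOWER(username) = ?` keys on the username alone, so either drop the parameter or add it to the WHERE clause so that the institution actually scopes the account. Separately, the `AuthUnknownUserException` message interpolates the submitted username and is only thrown for accounts that do not exist, while a wrong password just returns false from `validate_password`; if that distinction reaches the login page it lets a caller tell which usernames exist, so keep the detail in the server log and surface one generic failure for both cases.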
* Given a user that we know about, return an array of information about them
public static function get_user_info($username) {
$user = new StdClass;
$user->username = $username;
return $user;
The following two functions are inspired by Andrew McMillan's salted md5
functions in AWL, adapted with his kind permission. Changed to use sha1
and match the coding standards for Mahara.
private static function encrypt_password($password, $salt='') {
if ($salt == '') {
$salt = substr(md5(rand(1000000, 9999999)), 2, 8);
return sha1($salt . $password);
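Review bot: when `encrypt_password` is called with the default `$salt=''` it generates a fresh salt but returns only `sha1($salt . $password)`, so the caller never learns the salt and cannot store it alongside the hash; either return both (for example as an array) or require callers to pass a salt they have already stored. The salt source is also weaker than its 8 hex characters suggest: `substr(md5(rand(1000000, 9999999)), 2, 8)` can take only 9,000,000 distinct values and `rand()` is not a cryptographic generator, so derive the salt from a cryptographically secure random source, and since a single sha1 round is cheap to compute, a deliberately slow password hash would give stored hashes far better resistance to offline guessing.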
private static function validate_password($theysent, $wehave, $salt) {
if (substr($wehave, 0, 2) == '**') {
// This allows "plaintext" passwords, which are eaiser for an admin to
// create by hacking in the database directly. The application does not
// create passwords in this form.
return "**$theysent" == $wehave;
// The main type - a salted sha1
$sha1sent = Auth_Internal::encrypt_password($theysent, $salt);
return $sha1sent == $wehave;
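Review bot: both comparisons in `validate_password` use PHP's loose `==`. On the line `return $sha1sent == $wehave;` the operands are hex digest strings, and PHP compares two numeric-looking strings (such as `0e` followed only by digits) numerically, so two different digests of that shape compare equal; use `===` on both lines (and preferably a constant-time string comparison) so the check is a strict byte-for-byte match. The `**` branch also deserves a clearer docblock warning: any `usr.password` value beginning with `**` is a plaintext credential readable by anyone with database access, and the comment on that branch has a typo (`eaiser`).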