From e5bd4c6f763536918221f3c67ac5b95db441d9ac Mon Sep 17 00:00:00 2001
From: Kevin Yeh
Date: Thu, 24 Oct 2013 10:59:35 -0400
Subject: [PATCH] Confirm that that password hash matches the database password hash, and that the user is still active in authCheckSession
---
 library/auth.inc | 13 +++++++++++--
 library/authentication/common_operations.php | 2 ++
 library/authentication/login_operations.php | 5 +++--
 library/authentication/password_change.php | 13 +++++++++++--
 4 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/library/auth.inc b/library/auth.inc
index 7369815b6..2c7e2e2bd 100644
--- a/library/auth.inc
+++ b/library/auth.inc
@@ -117,8 +117,17 @@ if (!isset($_SESSION["last_update"])) {
 function authCheckSession () {
 if (isset($_SESSION['authId'])) {
- $authDB = sqlQuery("select username, password from users where id = ?",array($_SESSION['authId']));
- if ($_SESSION['authUser'] == $authDB['username'] )
+ $authDB = privQuery("select ".implode(",",array(TBL_USERS.".".COL_ID,
+ TBL_USERS.".".COL_UNM,
+ TBL_USERS_SECURE.".".COL_PWD,
+ TBL_USERS_SECURE.".".COL_ID))
+ . " FROM ". implode(",",array(TBL_USERS,TBL_USERS_SECURE))
+ . " WHERE ". TBL_USERS.".".COL_ID." = ? "
+ . " AND ". TBL_USERS.".".COL_UNM . "=" . TBL_USERS_SECURE.".".COL_UNM
+ . " AND ". TBL_USERS.".".COL_ACTIVE . "=1"
+ ,array($_SESSION['authId']));
+ if ($_SESSION['authUser'] == $authDB['username']
+ && $_SESSION['authPass'] == $authDB['password'] )
 {
 return true;
 }
diff --git a/library/authentication/common_operations.php b/library/authentication/common_operations.php
index 918549cfc..b653bd08e 100644
--- a/library/authentication/common_operations.php
+++ b/library/authentication/common_operations.php
@@ -32,6 +32,7 @@ define("COL_SALT","salt");
 define("COL_LU","last_update");
 define("COL_PWD_H1","password_history1");
 define("COL_SALT_H1","salt_history1");
+define("COL_ACTIVE","active");
 define("COL_PWD_H2","password_history2");
 define("COL_SALT_H2","salt_history2");
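Review bot: The session check on the last two added lines of the auth.inc hunk compares the stored hash with `==`, which in PHP applies numeric juggling to numeric-looking strings, so two different hash strings can compare equal; both comparisons should be strict, `if ($_SESSION['authUser'] === $authDB['username'] && $_SESSION['authPass'] === $authDB['password'])`. When the query matches no row (the user is inactive, or has no users_secure row) `$authDB` is presumably false and the comparison only fails because indexing a non-array yields null; an explicit `if (!is_array($authDB))` guard returning the same failure result the function uses after the hunk would make the inactive-user path deliberate rather than incidental. The select list also names `COL_ID` from both tables, and with an associative row the second would overwrite the first; neither is read, so dropping one avoids confusing the next reader. authCheckSession continues past the hunk.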
@@ -59,6 +60,7 @@ function initializePassword($username,$userid,&$password)
 $salt );
 privStatement($passwordSQL,$params);
+ return $hash;
 }
diff --git a/library/authentication/login_operations.php b/library/authentication/login_operations.php
index 00bb35927..5147045a9 100644
--- a/library/authentication/login_operations.php
+++ b/library/authentication/login_operations.php
@@ -76,7 +76,7 @@ function validate_user_password($username,&$password,$provider)
 }
 if($valid)
 {
- initializePassword($username,$userInfo['id'],$password);
+ $phash=initializePassword($username,$userInfo['id'],$password);
 purgeCompatabilityPassword($username,$userInfo['id']);
 $_SESSION['relogin'] = 1;
 }
@@ -84,7 +84,7 @@ function validate_user_password($username,&$password,$provider)
 {
 return false;
 }
- }
+ }
 }
 $getUserSQL="select id, authorized, see_auth".
@@ -104,6 +104,7 @@ function validate_user_password($username,&$password,$provider)
 if ($authGroup = privQuery("select * from groups where user=? and name=?",array($username,$provider)))
 {
 $_SESSION['authUser'] = $username;
+ $_SESSION['authPass'] = $phash;
 $_SESSION['authGroup'] = $authGroup['name'];
 $_SESSION['authUserID'] = $userInfo['id'];
 $_SESSION['authProvider'] = $provider;
diff --git a/library/authentication/password_change.php b/library/authentication/password_change.php
index 6677c2393..a5319934e 100644
--- a/library/authentication/password_change.php
+++ b/library/authentication/password_change.php
@@ -78,7 +78,9 @@ function update_password($activeUser,$targetUser,&$currentPwd,&$newPwd,&$errMsg,
 $userInfo=privQuery($userSQL,array($targetUser));
 // Verify the active user's password
- if($activeUser==$targetUser)
+ $changingOwnPassword = $activeUser==$targetUser;
+ // True if this is the current user changing their own password
+ if($changingOwnPassword)
 {
 if($create)
 {
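Review bot: `initializePassword` now returns `$hash`, but the hunk adds no documentation of what callers receive, and the function header is outside the hunk. A docblock line such as `@return string the hash that was just written to users_secure` would tell callers (login_operations stores it in the session) what they are relying on; I am inferring from the surrounding `$passwordSQL` and `$salt` that `$hash` is the stored value, so confirm that before wording it this way.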
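Review bot: `$phash` is assigned only on the added line inside the `if($valid)` legacy-migration branch, yet the hunk at `@@ -104` stores it into `$_SESSION['authPass']` unconditionally. If the path that validates an existing users_secure password (outside this hunk) does not also assign `$phash`, those sessions get a null `authPass`, and `authCheckSession` in auth.inc would then reject them on the next request, so every such login would be dropped without any error. Either assign `$phash` from the stored hash on that path too, or initialise `$phash = null;` before the branch and treat a null as a login failure before the session is populated. validate_user_password starts and ends outside the hunk.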
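Review bot: The added comment `// True if this is the current user changing their own password` sits between the assignment and the `if`, so it reads as describing the `if` rather than the variable; putting it on the assignment line, `$changingOwnPassword = $activeUser==$targetUser; // true when the current user changes their own password`, removes the ambiguity. The comparison itself is loose: if `$activeUser` and `$targetUser` can arrive with different scalar types from the request, `==` applies numeric juggling, and a strict `===` on values normalised to the same type is the safer test — I am inferring they are user ids from the `WHERE COL_ID=?` binding of `$targetUser` in the later hunk. update_password continues outside the hunk.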
@@ -159,7 +161,8 @@ function update_password($activeUser,$targetUser,&$currentPwd,&$newPwd,&$errMsg,
 }
 }
 else
- {
+ { // We are trying to update the password of an existing user
+
 if($create)
 {
 $errMsg=xl("Trying to create user with existing username!");
@@ -195,6 +198,12 @@ function update_password($activeUser,$targetUser,&$currentPwd,&$newPwd,&$errMsg,
 }
 $updateSQL.=" WHERE ".COL_ID."=?";
 array_push($updateParams,$targetUser);
 privStatement($updateSQL,$updateParams);
+
+ // If the user is changing their own password, we need to update the session
+ if($changingOwnPassword)
+ {
+ $_SESSION['authPass']=$newHash;
+ }
 }
 if($GLOBALS['password_expiration_days'] != 0){
-- 2.11.4.GIT
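Review bot: `$_SESSION['authPass']=$newHash;` in the `@@ -195` hunk relies on `$newHash` being exactly the string the preceding `privStatement($updateSQL,$updateParams)` wrote to the password column; `$newHash` is defined outside the hunk, so confirm that, because any difference (or a failed update, whose result is not checked here) leaves the session out of step and `authCheckSession` would log the user out on the next request. The same check also invalidates every other live session that still holds the old hash, including another user's sessions when an administrator resets their password; that is a useful property and worth stating in the added comment, e.g. `// Keep this session valid; all other sessions holding the old hash are rejected by authCheckSession`. update_password continues outside the hunk.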