mahara-contributors team mailing list archive

[Bug 676461] Re: Admin user unable to login after installation - salt issue

** Changed in: mahara
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/676461

Title:
  Admin user unable to login after installation - salt issue

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  During installation, the final step is typically to set the admin password. At present on master this isn't happening and the admin user is unable to login.
  Looks like this is caused by a change in e9151dd85cabeb527b7a3dc6d03699e9bb949634 to auth/internal/lib.php to the salt system.

  When the admin user is created, it's not created using an Auth object, but by inserting directly into the database. The password is set in plaintext and without salt. The installation then seems to log in the admin user with that plaintext password.
  The salt change in the above commit removes the ability for users to log in using a plaintext password if there's no salt.

  I can see two ways forward:
  * revert the salt change; or
  * salt the admin password.

  I've provided a fix for the latter in the attached file on the
  assumption that the salt was changed for a reason that I'm not privy
  to, but I haven't applied it to master in case the preferred option is
  to revert the salt change.

  Rather than using auth/lib.php:encrypt_password() (which just returns
  sha1($salt . $password)), I've just done the sha1. This is to avoid
  having to include auth/lib.php just for one function. Obviously, this
  would break if salting methodology changed in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/676461/+subscriptions
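
The failure mode and the second option from the bug description, as an added example that is not part of the original message and is not Mahara's code. The function names, the sample password and the salt format are assumptions; only the sha1($salt . $password) construction comes from the report.

```php
<?php
// Added illustration. Every function name below is hypothetical; only
// sha1($salt . $password) is taken from the bug description.

function encrypt_password_sketch(string $password, string $salt): string {
    return sha1($salt . $password);
}

// Behaviour before the salt change, as the report describes it:
// a row with no salt is compared as a plaintext password.
function validate_before(string $given, string $stored, ?string $salt): bool {
    if ($salt === null || $salt === '') {
        return hash_equals($stored, $given);
    }
    return hash_equals($stored, encrypt_password_sketch($given, $salt));
}

// Behaviour after the salt change, as the report describes it:
// a row with no salt can no longer authenticate at all.
function validate_after(string $given, string $stored, ?string $salt): bool {
    if ($salt === null || $salt === '') {
        return false;
    }
    return hash_equals($stored, encrypt_password_sketch($given, $salt));
}

$pw = 'constructed-install-pw'; // constructed sample value

// Installer row as described: direct insert, plaintext password, no salt.
$admin = ['password' => $pw, 'salt' => null];
echo "unsalted row, old check: ";
var_dump(validate_before($pw, $admin['password'], $admin['salt']));
echo "unsalted row, new check: ";
var_dump(validate_after($pw, $admin['password'], $admin['salt']));

// Second option from the report: salt the admin password at insert time.
$salt  = bin2hex(random_bytes(8)); // salt format is an assumption
$admin = ['password' => sha1($salt . $pw), 'salt' => $salt];
echo "salted row, new check, right password: ";
var_dump(validate_after($pw, $admin['password'], $admin['salt']));
echo "salted row, new check, wrong password: ";
var_dump(validate_after('wrong-pw', $admin['password'], $admin['salt']));
```

Salted SHA-1 is shown because it is the scheme the report describes; PHP's password_hash() and password_verify() are the current standard API for password storage.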