ENH: refs #952. Support upgrade process for 3.2.12

Author: zachmullen

core/AppController.php

@@ -108,7 +108,9 @@ public function preDispatch()
           if(count($tmp) == 2)
             {
             $userDao = $userModel->load($tmp[0]);
-            if($userDao != false && $userModel->hashExists($tmp[1]))
+
+            if(version_compare(Zend_Registry::get('configDatabase')->version, '3.2.12', '>=') && 
+               $userDao != false && $userModel->hashExists($tmp[1]))
               {
               $user->Dao = $userDao;
               }

core/controllers/UserController.php

@@ -466,8 +466,20 @@ function loginAction()
           }
 
         $instanceSalt = Zend_Registry::get('configGlobal')->password->prefix;
-        $passwordHash = hash($userDao->getHashAlg(), $instanceSalt.$userDao->getSalt().$form->getValue('password'));
-        if($authModule || $this->User->hashExists($passwordHash))
+        $currentVersion = Zend_Registry::get('configDatabase')->version;
+        // We have to have this so that an admin can log in to upgrade from version < 3.2.12 to >= 3.2.12.
+        // Version 3.2.12 introduced the new password hashing and storage system.
+        if(version_compare($currentVersion, '3.2.12', '>='))
+          {
+          $passwordHash = hash($userDao->getHashAlg(), $instanceSalt.$userDao->getSalt().$form->getValue('password'));
+          $coreAuth = $this->User->hashExists($passwordHash);
+          }
+        else
+          {
+          $coreAuth = $this->User->legacyAuthenticate($userDao, $instanceSalt, $form->getValue('password'));
+          }
+
+        if($authModule || $coreAuth)
           {
           $notifications = Zend_Registry::get('notifier')->callback('CALLBACK_CORE_AUTH_INTERCEPT', array('user' => $userDao));
           foreach($notifications as $module => $value)
@@ -478,7 +490,7 @@ function loginAction()
               return;
               }
             }
-          if($userDao->getSalt() == '')
+          if(version_compare($currentVersion, '3.2.12', '>=') && $userDao->getSalt() == '')
             {
             $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
             }

core/models/base/UserModelBase.php

@@ -70,6 +70,7 @@ abstract function getByFolder($folder);
   /** Returns all the users */
   abstract function getAll($onlyPublic = false, $limit = 20, $order = 'lastname', $offset = null, $currentUser = null);
   abstract function storePasswordHash($hash);
+  abstract function legacyAuthenticate($userDao, $instanceSalt, $password);
 
   /** save */
   public function save($dao)

core/models/pdo/UserModel.php

@@ -305,4 +305,31 @@ function getUsersFromSearch($search, $userDao, $limit = 14, $group = true, $orde
     return $return;
     } // end getUsersFromSearch()
 
-}// end class
+  /**
+   * Uses the pre-3.2.12 authentication mechanism. Only call this if the version
+   * of the database is below 3.2.12, will throw DB exceptions otherwise.
+   * NOTE: This may ONLY be used to authenticate site admins. This is meant to be
+   * used during the upgrade process only, not for general authentication.
+   * @return True or false: whether the authentication succeeded
+   */
+  function legacyAuthenticate($userDao, $instanceSalt, $password)
+    {
+    $hash = md5($instanceSalt.$password);
+    $sql = $this->database->select()->setIntegrityCheck(false)
+                ->where('user_id = ?', $userDao->getKey());
+
+    
+    $row = $this->database->fetchRow($sql);
+    $pw = $row['password'];
+
+    if(!$pw)
+      {
+      throw new Zend_Exception('Tried to call legacyAuthenticate on 3.2.12+ schema');
+      }
+    if($row['admin'] != 1)
+      {
+      throw new Zend_Exception('Only admin users may use legacyAuthenticate');
+      }
+    return $pw === $hash;
+    }
+}// end class