Overview
Comment: | Coding style tweak. |
---|---|
SHA3-256: | 52b9caa5027e717f02deb6d012ee2a2d |
User & Date: | mistachkin 2018-08-11 23:51:03.743 |
Context
2018-08-12
10:42 | Merge the fix to the login-by-email-address patch. ... (check-in: 9b4e157b user: drh tags: trunk) | |
2018-08-11
23:51 | Coding style tweak. ... (Closed-Leaf check-in: 52b9caa5 user: mistachkin tags: login-with-email) | |
16:59 | Fix to checkin [8c91be8b], which was intended to allow the user to log in with the email found in the contact info field of the user table. That checkin is fine as far as it goes, but it only works if the caller doesn't subsequently try to use the passed user name for anything else, since it isn't actually a user name. This checkin causes the low-level login checking function to re-point the user name pointer at the actual login name discovered while scanning for matching email addresses. ... (check-in: 33522ff4 user: wyoung tags: login-with-email) | |
Changes
Changes to src/login.c.
︙ | ︙ | |||
215 216 217 218 219 220 221 | ** <human@example.com>". In that case, *zUsername will point to that ** user's actual login name on return, causing a leak unless the caller ** is diligent enough to check whether its pointer was re-pointed. ** ** zPassword may be either the plain-text form or the encrypted ** form of the user's password. */ | | | | | | | | 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 | ** <human@example.com>". In that case, *zUsername will point to that ** user's actual login name on return, causing a leak unless the caller ** is diligent enough to check whether its pointer was re-pointed. ** ** zPassword may be either the plain-text form or the encrypted ** form of the user's password. */ int login_search_uid(const char **pzUsername, const char *zPasswd){ char *zSha1Pw = sha1_shared_secret(zPasswd, *pzUsername, 0); int uid = db_int(0, "SELECT uid FROM user" " WHERE login=%Q" " AND length(cap)>0 AND length(pw)>0" " AND login NOT IN ('anonymous','nobody','developer','reader')" " AND (pw=%Q OR (length(pw)<>40 AND pw=%Q))" " AND (info NOT LIKE '%%expires 20%%'" " OR substr(info,instr(lower(info),'expires')+8,10)>datetime('now'))", *pzUsername, zSha1Pw, zPasswd ); /* If we did not find a login on the first attempt, and the username ** looks like an email address, then perhaps the user entered their ** email address instead of their login. Try again to match the user ** against email addresses contained in the "info" field. */ if( uid==0 && strchr(*pzUsername,'@')!=0 ){ Stmt q; db_prepare(&q, "SELECT login FROM user" " WHERE find_emailaddr(info)=%Q" " AND instr(login,'@')==0", *pzUsername ); while( db_step(&q)==SQLITE_ROW ){ const char *zLogin = db_column_text(&q,0); if( (uid = login_search_uid(&zLogin, zPasswd) ) != 0 ){ *pzUsername = fossil_strdup(zLogin); break; } } db_finalize(&q); } free(zSha1Pw); return uid; |
︙ | ︙ |
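Review bot: In the email-fallback branch, `*pzUsername = fossil_strdup(zLogin);` hands the caller a heap allocation with no signal other than a changed pointer, and the header comment itself concedes this leaks unless the caller compares the pointer before and after the call. Ownership should be explicit in the interface, for example a separate output parameter that stays NULL unless a replacement login name was allocated, so that callers have one unambiguous thing to free. The header comment also refers to `*zUsername` and `zPassword` while the signature uses `pzUsername` and `zPasswd`; the names should match. The copy is correctly taken before `db_finalize(&q)` invalidates the `db_column_text()` result, and a one-line comment saying so would keep a later cleanup from moving it.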