Just update password hash without validating

Fixes #11097 If your password hash changed (becuse your are on 7.2 and we moved to ARGON2). Then we shold not 'set a new password' but just update the hash. As else we invoke the password policy again which might lock out users. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-02 23:31:55 +02:00 · 2018-10-02 23:31:55 +02:00 · 0c9a3de68f
parent 8ede3f6346
commit 0c9a3de68f
1 changed files with 12 additions and 8 deletions
--- a/lib/private/User/Database.php
+++ b/lib/private/User/Database.php
@ -176,6 +176,16 @@ class Database extends ABackend
 		return $result ? true : false;
 	}
 	private function updatePassword(string $uid, string $passwordHash): bool {
 		$query = $this->dbConn->getQueryBuilder();
 		$query->update($this->table)
 			->set('password', $query->createNamedParameter($passwordHash))
 			->where($query->expr()->eq('uid_lower', $query->createNamedParameter(mb_strtolower($uid))));
 		$result = $query->execute();
 		return $result ? true : false;
 	}
 	/**
 	 * Set password
 	 *
@ -195,13 +205,7 @@ class Database extends ABackend
 			$hasher = \OC::$server->getHasher();
 			$hashedPassword = $hasher->hash($password);
-			$query = $this->dbConn->getQueryBuilder();
+			return $this->updatePassword($uid, $hashedPassword);
 			$query->update($this->table)
 				->set('password', $query->createNamedParameter($hashedPassword))
 				->where($query->expr()->eq('uid_lower', $query->createNamedParameter(mb_strtolower($uid))));
 			$result = $query->execute();
 			return $result ? true : false;
 		}
 		return false;
@ -314,7 +318,7 @@ class Database extends ABackend
 			$newHash = '';
 			if (\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) {
 				if (!empty($newHash)) {
-					$this->setPassword($uid, $password);
+					$this->updatePassword($uid, $newHash);
 				}
 				return (string)$row['uid'];
 			}