From 5e143f1f5214a13b4a6df0723619b150fc31572c Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Tue, 2 Oct 2018 23:31:55 +0200 Subject: [PATCH] Just update password hash without validating Fixes #11097 If your password hash changed (becuse your are on 7.2 and we moved to ARGON2). Then we shold not 'set a new password' but just update the hash. As else we invoke the password policy again which might lock out users. Signed-off-by: Roeland Jago Douma --- lib/private/User/Database.php | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/lib/private/User/Database.php b/lib/private/User/Database.php index 532b2f8c03..905a199a1a 100644 --- a/lib/private/User/Database.php +++ b/lib/private/User/Database.php @@ -176,6 +176,16 @@ class Database extends ABackend return $result ? true : false; } + private function updatePassword(string $uid, string $passwordHash): bool { + $query = $this->dbConn->getQueryBuilder(); + $query->update($this->table) + ->set('password', $query->createNamedParameter($passwordHash)) + ->where($query->expr()->eq('uid_lower', $query->createNamedParameter(mb_strtolower($uid)))); + $result = $query->execute(); + + return $result ? true : false; + } + /** * Set password * @@ -195,13 +205,7 @@ class Database extends ABackend $hasher = \OC::$server->getHasher(); $hashedPassword = $hasher->hash($password); - $query = $this->dbConn->getQueryBuilder(); - $query->update($this->table) - ->set('password', $query->createNamedParameter($hashedPassword)) - ->where($query->expr()->eq('uid_lower', $query->createNamedParameter(mb_strtolower($uid)))); - $result = $query->execute(); - - return $result ? true : false; + return $this->updatePassword($uid, $hashedPassword); } return false; @@ -314,7 +318,7 @@ class Database extends ABackend $newHash = ''; if (\OC::$server->getHasher()->verify($password, $storedHash, $newHash)) { if (!empty($newHash)) { - $this->setPassword($uid, $password); + $this->updatePassword($uid, $newHash); } return (string)$row['uid']; }