-
2008-02-04
andy.webber
At present, if a password check is required when a user updates their profile, the password check is done internally to auth.php rather than being handed out to the auth framework.
The required change is probably the following, although I have not tested it extensively.
$ diff auth.php.distrib auth.php
647c647
< if (!auth_verifyPassword($_POST['oldpass'],$INFO['userinfo']['pass'])) {
---
> if (!$auth->checkPass($_SERVER['REMOTE_USER'], $_POST['oldpass'])) {
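Review bot: the replacement line 647 uses $auth and $_SERVER['REMOTE_USER'], and nothing in this hunk shows either being available at that point. Please confirm the enclosing function declares global $auth, and that REMOTE_USER always holds the logged-in user's name when the profile form is processed; if either is missing, checkPass() is called on an undefined variable or with an empty user name. Because the old check read the hash from $INFO['userinfo']['pass'] and the new one passes a user name to the back-end, a short comment on that line saying the back-end now owns password verification would help the next reader.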
-
2008-02-15
andi
Hmm, is there any disadvantage in doing it the current way?
-
2008-02-15
andy.webber
It is inconsistent between updateprofile() and auth_login() (which uses $auth->checkPass).
Only the auth back-end /really/ knows how to check a password; the back-end may not be using any of the schemes coded into auth_verifyPassword(), in which case it doesn't work. (The workaround is to disable the password check.)
-
2008-02-15
andi
Ah, hadn't looked at the code before writing that comment. Sorry, you're correct of course.