This commit is contained in:
Andy Miller
2015-07-28 11:10:38 -06:00
parent bb4eea7999
commit f30af37faf

View File

@@ -9,6 +9,9 @@ use Grav\Common\GravTrait;
/**
* User object
*
* @property mixed authenticated
* @property mixed password
* @property bool|string hashed_password
* @author RocketTheme
* @license MIT
*/
@@ -57,14 +60,13 @@ class User extends Data
// Plain-text is still stored
if ($this->password) {
if ($password !== $this->password) {
// Plain-text passwords do not match, we know we should fail but execute
// verify to protect us from timing attacks and return false regardless of
// the result
Authentication::verify($password, self::getGrav()['config']->get('system.security.default_hash'));
return false;
} else {
} else {
// Plain-text does match, we can update the hash and proceed
$save = true;