Changeset - 73c99f45ef2a
Marcin Kuzminski - 15 years ago 2010-11-24 03:38:48
marcin@python-works.com
fixed security issue: saving an LDAP user stored the plaintext password
1 file changed with 4 insertions and 3 deletions:
rhodecode/model/user.py
 
@@ -25,12 +25,13 @@ Model for users
 

	
 
from pylons.i18n.translation import _
 
from rhodecode.model.caching_query import FromCache
 
from rhodecode.model.db import User
 
from rhodecode.model.meta import Session
 
from rhodecode.lib.exceptions import *
 

	
 
import logging
 
import traceback
 

	
 
log = logging.getLogger(__name__)
 

	
 

	
 
@@ -46,13 +47,13 @@ class UserModel(object):
 
            user = user.options(FromCache("sql_cache_short",
 
                                          "get_user_%s" % user_id))
 
        return user.get(user_id)
 

	
 

	
 
    def get_by_username(self, username, cache=False, case_insensitive=False):
 
        
 

	
 
        if case_insensitive:
 
            user = self.sa.query(User).filter(User.username.ilike(username))
 
        else:
 
            user = self.sa.query(User)\
 
                .filter(User.username == username)
 
        if cache:
 
@@ -77,18 +78,18 @@ class UserModel(object):
 
        """
 
        Checks if user is in database, if not creates this user marked
 
        as ldap user
 
        :param username:
 
        :param password:
 
        """
 

	
 
        from rhodecode.lib.auth import get_crypt_password
 
        if self.get_by_username(username) is None:
 
            try:
 
                new_user = User()
 
                new_user.username = username
 
                new_user.password = password
 
                new_user.password = get_crypt_password(password)
 
                new_user.email = '%s@ldap.server' % username
 
                new_user.active = True
 
                new_user.is_ldap = True
 
                new_user.name = '%s@ldap' % username
 
                new_user.lastname = ''
 

	
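Review bot: Hashing the LDAP password before `new_user.password = get_crypt_password(password)` still leaves a derived copy of a directory credential in RhodeCode's own database, where it goes stale when the user changes it in LDAP and is exposed to offline guessing if the database leaks; since `new_user.is_ldap = True` presumably routes authentication to the directory, consider storing an unusable placeholder instead, or add a comment stating why a local hash is needed, e.g. `# local hash kept only for <reason>; LDAP users authenticate against the directory`. What `get_crypt_password` produces is not visible here, so confirm it is a salted password hash rather than a reversible encoding before relying on it. The function-local `from rhodecode.lib.auth import get_crypt_password` reads as a circular-import workaround and deserves a one-line comment saying so. The enclosing method and its `try` block continue past the end of the hunk, so the exception handling was not reviewed.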