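/**
 * Checks a login against a password hash imported from another board and,
 * when it matches, replaces the imported hash with a MyBB-generated one.
 *
 * Flow, as implemented below:
 *  - no imported hash on the account (or no such user): return and leave the
 *    login to MyBB;
 *  - the account already has a MyBB password: wipe the leftover import
 *    columns and return;
 *  - unknown import type, or no checker function for it: send the user to the
 *    lost-password page;
 *  - wrong password: drop the submitted password from the handler and record
 *    the failed attempt;
 *  - correct password: store a fresh salt, password hash and login key, clear
 *    the import columns, drop the submitted password and populate
 *    $login->login_data.
 *
 * @param LoginDataHandler $login Login handler; its data['password'] entry is
 *                                unset on both the success and failure paths.
 *
 * @return void
 */
function loginconvert_convert(&$login)
{
    global $mybb, $valid_login_types, $utf8_recheck, $db, $settings;

    $options = array(
        "fields" => array('username', "password", "salt", 'loginkey', 'coppauser', 'usergroup', "passwordconvert", "passwordconverttype", "passwordconvertsalt"),
        "username_method" => (int) $settings['username_method'],
    );

    if ($login->username_method !== null) {
        $options['username_method'] = (int) $login->username_method;
    }

    $user = get_user_by_username($login->data['username'], $options);

    // There's nothing to check for, let MyBB do everything.
    // This also covers "no user found", so no extra check is needed.
    if (!isset($user['passwordconvert']) || $user['passwordconvert'] == '') {
        return;
    }

    // 'uid' is not in the requested field list above; presumably
    // get_user_by_username() always returns it -- confirm against MyBB core.
    // It is cast once so both WHERE clauses below can only ever carry an integer.
    $uid = (int) $user['uid'];

    // This user already has a MyBB-generated hash, so delete the merge system data.
    // Happens e.g. after resetting the password or getting a new one via the ACP.
    if (!empty($user['password'])) {
        $update = array(
            "passwordconvert" => "",
            "passwordconverttype" => "",
            "passwordconvertsalt" => "",
        );
        $db->update_query("users", $update, "uid={$uid}");

        return;
    }

    // The checker name is built only from a value of the $valid_login_types
    // allow-list, never from the stored column directly.
    $function = null;
    if (array_key_exists($user['passwordconverttype'], $valid_login_types)) {
        $login_type = $valid_login_types[$user['passwordconverttype']];
        $function = "check_{$login_type}";
    }

    // An allow-listed type without a matching checker is handled like an
    // unknown type instead of ending the login request with a fatal error.
    if ($function === null || !function_exists($function)) {
        // TODO: Is there an easy way to make the error translatable without adding a new language file?
        redirect($mybb->settings['bburl'] . "/member.php?action=lostpw", "We're sorry but we couldn't convert your old password. \nPlease select a new one", "", true);

        return;
    }

    // NOTE(review): the check_* helpers are not visible here; confirm they
    // compare digests with hash_equals() rather than == / ===.
    $check = $function($login->data['password'], $user);

    // If the password was wrong, is a UTF-8 password and this type is listed
    // for a recheck, try again with the decoded bytes.
    // NOTE(review): utf8_decode() is deprecated as of PHP 8.2; any replacement
    // has to produce the same bytes the imported hashes were computed over.
    if (!$check && in_array($login_type, $utf8_recheck)) {
        $decoded = utf8_decode($login->data['password']);
        if ($decoded != $login->data['password']) {
            $check = $function($decoded, $user);
        }
    }

    if (!$check) {
        // Make sure the password isn't tested again
        unset($login->data['password']);

        // verify_attempts() is called later too, but it has to run here so the
        // captcha result is known; otherwise the error would always be shown.
        $login->verify_attempts($mybb->settings['captchaimage']);
        $login->invalid_combination(true);

        return;
    }

    // The password was correct, so use MyBB's method the next time
    // (even if the captcha was wrong we can update the password).
    // The stored hash is salt_password() over the MD5 of the submitted password;
    // the strength of that scheme is decided by MyBB core, not by this function.
    $salt = generate_salt();
    $update = array(
        "salt" => $salt,
        "password" => salt_password(md5($login->data['password']), $salt),
        "loginkey" => generate_loginkey(),
        "passwordconverttype" => "",
        "passwordconvert" => "",
        "passwordconvertsalt" => "",
    );
    $db->update_query("users", $update, "uid='{$uid}'");

    // Make sure the password isn't tested again
    unset($login->data['password']);

    // Also make sure all data is available when creating the session (otherwise SQL errors)
    $login->login_data = array_merge($user, $update);
}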