 /**
  * Checks a candidate password against the user's stored password history.
  *
  * Side effect: before the comparison runs, history rows for this user whose
  * passworddate is less than or equal to $lookback are deleted.
  *
  * Security note: a history row whose scheme cannot be loaded, or whose
  * verification throws, is skipped. For those rows the reuse check fails open,
  * so a password stored under a no-longer-valid scheme will not be detected
  * as reused.
  *
  * @param	integer	$userid User ID
  * @param string $fe_password -- the frontend encoded password
  * @param	integer	$lookback Cutoff compared against passworddate; rows at or below it are purged.
  *                 NOTE(review): the LTE comparison implies a timestamp rather than a
  *                 duration in seconds -- confirm against the caller.
  *
  * @return boolean Returns false when the password verifies against a history row
  *                 (i.e. it was used before), true when no row matches.
  *                 NOTE(review): confirm callers treat false as "password reused".
  */
 protected function checkPasswordHistory($userid, $fe_password, $lookback)
 {
     $assertor = vB::getDBAssertor();

     // Purge this user's expired history rows first, so only rows newer than
     // the cutoff take part in the reuse check below.
     $expiredCondition = array(
         'userid' => $userid,
         array(
             'field' => 'passworddate',
             'value' => $lookback,
             'operator' => vB_dB_Query::OPERATOR_LTE,
         ),
     );
     $assertor->delete('passwordhistory', $expiredCondition);

     $history = $assertor->select('passwordhistory', array('userid' => $userid));
     foreach ($history as $record) {
         // Verification has to use the scheme recorded with the history row.
         // If the front end encoding has changed since then the row cannot be
         // checked and is passed over; once front end schemes other than plain
         // md5 exist, this is where a change would need to be detected.
         try {
             $algorithm = vB_Utility_Password_Algorithm::instance($record['scheme']);
             $matched = $algorithm->verifyPassword($fe_password, $record['token']);
         } catch (Exception $e) {
             // Deliberate best effort: an old row with a now-invalid scheme
             // must not make the whole check fail, so it is ignored.
             continue;
         }

         if ($matched) {
             // The candidate equals a previously used password.
             return false;
         }
     }

     return true;
 }