--- auth.py.original	2005-09-09 12:17:19.000000000 -0300
+++ auth.py	2005-09-09 15:21:08.000000000 -0300
@@ -29,7 +29,7 @@
     first_name = meta.CharField(maxlength=30, blank=True)
     last_name = meta.CharField(maxlength=30, blank=True)
     email = meta.EmailField('e-mail address', blank=True)
-    password_md5 = meta.CharField('password', maxlength=32, help_text="Use an MD5 hash -- not the raw password.")
+    password = meta.CharField('password', maxlength=128, help_text="Use a hash like '[algo]$[salt]$[hexdigest]'")
     is_staff = meta.BooleanField('staff status', help_text="Designates whether the user can log into this admin site.")
     is_active = meta.BooleanField('active', default=True)
     is_superuser = meta.BooleanField('superuser status')
@@ -46,7 +46,7 @@
         exceptions = ('SiteProfileNotAvailable',)
         admin = meta.Admin(
             fields = (
-                (None, {'fields': ('username', 'password_md5')}),
+                (None, {'fields': ('username', 'password')}),
                 ('Personal info', {'fields': ('first_name', 'last_name', 'email')}),
                 ('Permissions', {'fields': ('is_staff', 'is_active', 'is_superuser', 'user_permissions')}),
                 ('Important dates', {'fields': ('last_login', 'date_joined')}),
@@ -59,25 +59,37 @@
 
     def __repr__(self):
         return self.username
-
+		
     def get_absolute_url(self):
         return "/users/%s/" % self.username
-
+		
     def is_anonymous(self):
         return False
-
+		
     def get_full_name(self):
         full_name = '%s %s' % (self.first_name, self.last_name)
         return full_name.strip()
-
+		
     def set_password(self, raw_password):
-        import md5
-        self.password_md5 = md5.new(raw_password).hexdigest()
+        import sha, random
+        algo = 'sha1'
+        salt = sha.new(str(random.random())).hexdigest()[:5]
+        hash = sha.new(salt+raw_password).hexdigest()
+        self.password = '%s$%s$%s' % (algo, salt, hash)
 
     def check_password(self, raw_password):
-        "Returns a boolean of whether the raw_password was correct."
-        import md5
-        return self.password_md5 == md5.new(raw_password).hexdigest()
+        '''Returns a boolean of whether the raw_password was correct,
+         while considering other encryption formats, and salt. A typical
+         password hash looks like <algo>$<salt>$<hash>'''
+        pass_string = self.password			
+
+        (algo, salt, hash) = pass_string.split('$')
+        if algo == 'md5':
+            import md5
+            return hash == md5.new(salt+raw_password).hexdigest()
+        elif algo == 'sha1':
+            import sha
+            return hash == sha.new(salt+raw_password).hexdigest()
 
     def get_group_permissions(self):
         "Returns a list of permission strings that this user has through his/her groups."
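Review bot: check_password unpacks `self.password.split('$')` into exactly three names, so any stored value that does not contain exactly two `$` separators raises ValueError instead of failing the login. A bare hexdigest carried over from the old `password_md5` column would hit this, if existing rows are not converted. An unrecognised `algo` also falls off the end and returns None rather than False. The md5 branch would verify legacy rows once they are rewritten as `md5$$<hexdigest>` (empty salt), but no such conversion is visible in this diff, so it should be confirmed or added. Separately, set_password takes its salt from `random.random()` and keeps only five hex characters, which is a small and predictable salt space; a longer salt drawn from the OS random source (for example `os.urandom`, where the supported Python versions provide it) would make precomputed tables far less practical.

```python
    def check_password(self, raw_password):
        # ... unchanged: docstring ...
        parts = self.password.split('$')
        if len(parts) != 3:
            # Not in '<algo>$<salt>$<hash>' form: reject instead of raising.
            return False
        (algo, salt, hash) = parts
        # ... unchanged: md5 and sha1 branches ...
        # Unknown algorithm: fail closed with an explicit boolean.
        return False
```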
@@ -156,10 +168,9 @@
 
     def _module_create_user(username, email, password):
         "Creates and saves a User with the given username, e-mail and password."
-        import md5
-        password_md5 = md5.new(password).hexdigest()
         now = datetime.datetime.now()
-        user = User(None, username, '', '', email.strip().lower(), password_md5, False, True, False, now, now)
+        user = User(None, username, '', '', email.strip().lower(), 'placeholder_string', False, True, False, now, now)
+		user.set_password(password)
         user.save()
         return user
 
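Review bot: The added `user.set_password(password)` line is indented with two tabs while the rest of `_module_create_user` uses eight spaces, so Python will see it as a deeper indent level and reject the function with an indentation error. It should be re-indented with spaces to match its neighbours: `        user.set_password(password)`. The same stray tabs appear on the replaced blank lines between the methods earlier in this diff and as trailing whitespace after `pass_string = self.password`; those are harmless to the parser but are best stripped in the same pass.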
