view core/modules/user/src/UserAuth.php @ 13:5fb285c0d0e3
Update Drupal core to 8.4.7 via Composer. Security update; I *think* we've
been lucky to get away with this so far, as we don't support self-registration
which seems to be used by the so-called "drupalgeddon 2" attack that 8.4.5
was vulnerable to.
author | Chris Cannam |
---|---|
date | Mon, 23 Apr 2018 09:33:26 +0100 |
parents | 4c8ae668cc8c |
children | af1871eacc83 |
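<?php

namespace Drupal\user;

use Drupal\Core\Entity\EntityManagerInterface;
use Drupal\Core\Password\PasswordInterface;

/**
 * Validates user authentication credentials.
 *
 * The account is looked up by name through the entity manager's 'user'
 * storage, and the supplied password is verified against the stored value
 * with the injected password service.
 */
class UserAuth implements UserAuthInterface {

  /**
   * The entity manager.
   *
   * @var \Drupal\Core\Entity\EntityManagerInterface
   */
  protected $entityManager;

  /**
   * The password hashing service.
   *
   * @var \Drupal\Core\Password\PasswordInterface
   */
  protected $passwordChecker;

  /**
   * Constructs a UserAuth object.
   *
   * @param \Drupal\Core\Entity\EntityManagerInterface $entity_manager
   *   The entity manager.
   * @param \Drupal\Core\Password\PasswordInterface $password_checker
   *   The password service.
   */
  public function __construct(EntityManagerInterface $entity_manager, PasswordInterface $password_checker) {
    $this->entityManager = $entity_manager;
    $this->passwordChecker = $password_checker;
  }

  /**
   * {@inheritdoc}
   */
  public function authenticate($username, $password) {
    // Both values are caller-supplied credentials. Accept plain strings only:
    // any other type would otherwise be handed unchanged to strlen() and to
    // loadByProperties() as the 'name' condition.
    if (!is_string($username) || !is_string($password)) {
      return FALSE;
    }

    // Same emptiness rules as before: empty() for the name, and a zero-length
    // test for the password (so a password of "0" is still accepted).
    if (empty($username) || $password === '') {
      return FALSE;
    }

    $account_search = $this->entityManager->getStorage('user')->loadByProperties(['name' => $username]);
    $account = reset($account_search);
    if (!$account) {
      // NOTE(review): no password check runs on this path, so a lookup miss
      // does less work than a wrong password for an existing name. Confirm
      // that callers rate-limit login attempts (flood control or similar).
      return FALSE;
    }

    if (!$this->passwordChecker->check($password, $account->getPassword())) {
      return FALSE;
    }

    // Successful authentication.
    $uid = $account->id();

    // Update user to new password scheme if needed. The plain-text password
    // is passed to setPassword(); presumably the account hashes it on save().
    // TODO confirm against the user entity.
    if ($this->passwordChecker->needsRehash($account->getPassword())) {
      $account->setPassword($password);
      $account->save();
    }

    return $uid;
  }

}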