From 66f999c511833d7577a1f3d772c757e854f4f4ff Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Sun, 25 Sep 2011 21:58:38 -0700
Subject: don't allow deleted users to log in. (They'd get permission denied on everything, but they could log in)
---
 src/lib/Login.class.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/lib/Login.class.php b/src/lib/Login.class.php
index 28675f6..870774a 100644
--- a/src/lib/Login.class.php
+++ b/src/lib/Login.class.php
@@ -7,13 +7,18 @@ class Login {
 public static function login($username, $password) {
 global $mm;
- $uid = $mm->database()->getUID($username);
+ $db = $mm->database();
+ $hasher = $mm->hasher();
+
+ $uid = $db->getUID($username);
+ if ($uid!==false && $db->getStatus($uid)>=3)
+ $uid=false;
 if ($uid===false) {
 // user does not exist
 return 2;
 }
- $hash = $mm->database()->getPasswordHash($uid);
- if ($mm->hasher()->CheckPassword($password, $hash)) {
+ $hash = $db->getPasswordHash($uid);
+ if ($hasher->CheckPassword($password, $hash)) {
 // success
 $_SESSION['uid'] = $uid;
 return 0;
-- 
cgit v1.2.3-54-g00ecf
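Review bot: The added guard `if ($uid!==false && $db->getStatus($uid)>=3)` fails open: if `getStatus()` returns `false` or `null` (lookup error, missing row), the comparison with 3 is false and the account proceeds to the password check as if it were active. What `getStatus()` returns on failure is not visible here, so this is worth confirming; a deny-by-default form would be `$status = $db->getStatus($uid);` followed by `if (!is_numeric($status) || $status >= 3) $uid = false;`. The bare `3` also needs a name or a comment stating which status values count as deleted, since this line is now an authentication decision. Folding deleted accounts into the existing `return 2` keeps them indistinguishable from unknown usernames, which is good; `login()` continues past the end of the hunk, so the failure branch for a bad password is not shown.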