@Jonathan: I looked at that code a lot yesterday, before I posted. The thing is, that code doesn't really show how it compares the values.
The if temp_user[passfield] == form.vars.get(passfield, '') doesn't make sense to me. temp_user[passfield] should return the hash held in the db password field. The form.vars.get(passfield, '') should return the non-hash password entered into the form. Where does the translation occur from the Form to the hash stored in the db? The above code doesn't show that translation...

On Sep 18, 5:08 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> On Sep 18, 2009, at 4:44 PM, waTR wrote:
>
> > I need to be able to compare another password submitted against the
> > one in that field. How would I go about doing that? What functions are
> > available in web2py for this.
> >
> > db.define_table('pass',
> >     SQLField("password", 'password', readable=False, label='Password',
> >              requires=CRYPT()))
> >
> > I.e. I have just submitted a form that contains a
> > request.get_vars.password
> > how do I compare that password against the one in db.
>
> Here's the central code in Auth.login:
>
>     users = self.db(table_user[username] == form.vars[username]).select()
>     if users:
>         # user in db, check if registration pending or disabled
>         temp_user = users[0]
>
>         ...
>
>         if not user:
>             # alternates have failed, maybe because service inaccessible
>             if self.settings.login_methods[0] == self:
>                 # try logging in locally using cached credentials
>                 if temp_user[passfield] == form.vars.get(passfield, ''):
>                     # success
>                     user = temp_user
>
> The values being compared are hashes, because the field in question
> requires IS_CRYPT(), which really doesn't do anything but hash the
> value.
>
> > On Sep 18, 1:34 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> >> On Sep 18, 2009, at 1:06 PM, waTR wrote:
> >
> >>> Related question though... how can one check if password entered
> >>> matches password stored in DB for that user? When I retrieve the
> >>> stored password via select(), it is encrypted. How does Auth
> >>> decrypt?
> >>> Where can I find that code (what file)?
> >
> >> Briefly, you don't decrypt the stored password. Actually, you can't,
> >> because it's not encrypted; it's hashed.
> >
> >> You check it by hashing the login password and comparing the hashes.
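
The point made in the reply above, as an added example that is not part of the thread and is not web2py's code: the field's validator hashes the submitted value while the form is processed, so the form vars already hold a hash by the time the comparison runs. HashValidator, accept, register, login, HMAC_KEY and USERS are hypothetical names, and HMAC-SHA256 is a choice made for this sketch, not a statement about what CRYPT() computes.

```python
import hashlib
import hmac

# Constructed key for the example; a real deployment loads it from configuration.
HMAC_KEY = b"example-only-key"


class HashValidator:
    """Hypothetical stand-in for a hashing validator like the one in the thread."""

    def __call__(self, value):
        digest = hmac.new(HMAC_KEY, value.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest(), None  # (transformed value, error)


# Field name -> validator. The password field "requires" the hashing validator.
FIELDS = {"username": None, "password": HashValidator()}
USERS = {}  # constructed in-memory user table: username -> stored row


def accept(submitted):
    """Process a form: each validator's output replaces the raw input in vars."""
    form_vars = {}
    for name, validator in FIELDS.items():
        raw = submitted.get(name, "")
        if validator is None:
            form_vars[name] = raw
            continue
        value, error = validator(raw)
        if error:
            return None
        form_vars[name] = value  # the hash, never the plaintext
    return form_vars


def register(username, password):
    form_vars = accept({"username": username, "password": password})
    USERS[form_vars["username"]] = form_vars  # only the hash reaches storage


def login(username, password):
    form_vars = accept({"username": username, "password": password})
    if form_vars is None:
        return False
    row = USERS.get(form_vars["username"])
    if row is None:
        return False
    # Both sides are hashes here; compare them in constant time.
    return hmac.compare_digest(row["password"], form_vars["password"])
```

Comparing validator output by equality only works when the hash is deterministic for a given input; a scheme with a per-user random salt has to recompute the hash with the salt from the stored row instead.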