What if you don't use form()? What if you simply build your own HTML <form></form>?

Is it possible to convert the request.vars.get(passfield, '') to the same hash form as you would get from using form()? Do I need to manually set a key and then have to use hash()? IS_CRYPT seems to need some more documentation with regard to how to work with the data resulting from it...

On Sep 20, 1:43 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> request.vars.get(passfield, '')
>
> contains the un-hashed value pre-validation
>
> form.vars.get(passfield, '')
>
> contains the hashed value post validation
>
> Massimo
>
> On Sep 20, 2:42 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>
> > On Sep 20, 2009, at 12:34 PM, waTR wrote:
> >
> > > @Jonathan:
> > > I looked at that code a lot yesterday, before I posted. The thing is,
> > > that code doesn't really show how it compares the values.
> > >
> > > The if temp_user[passfield] == form.vars.get(passfield, '') doesn't
> > > make sense to me. temp_user[passfield] should return the hash held in
> > > the db password field. The form.vars.get(passfield, '') should return
> > > the non-hash password entered into the form. Where does the
> > > translation occur from the Form to the hash stored in the db?
> >
> > It happens in the IS_CRYPT() validation, which returns the hashed
> > value of the field.
> >
> > > The above code doesn't show that translation...
> > >
> > > On Sep 18, 5:08 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> > >> On Sep 18, 2009, at 4:44 PM, waTR wrote:
> > >>
> > >>> I need to be able to compare another password submitted against the
> > >>> one in that field. How would I go about doing that? What functions
> > >>> are available in web2py for this.
> > >>>
> > >>> db.define_table('pass',
> > >>>     SQLField("password", 'password', readable=False, label='Password',
> > >>>              requires=CRYPT()))
> > >>>
> > >>> I.e. I have just submitted a form that contains a
> > >>> request.get_vars.password
> > >>> how do I compare that password against the one in db.
> > >>
> > >> Here's the central code in Auth.login:
> > >>
> > >> users = self.db(table_user[username] == form.vars[username]).select()
> > >> if users:
> > >>     # user in db, check if registration pending or disabled
> > >>     temp_user = users[0]
> > >>
> > >>     ...
> > >>
> > >>     if not user:
> > >>         # alternates have failed, maybe because service inaccessible
> > >>         if self.settings.login_methods[0] == self:
> > >>             # try logging in locally using cached credentials
> > >>             if temp_user[passfield] == form.vars.get(passfield, ''):
> > >>                 # success
> > >>                 user = temp_user
> > >>
> > >> The values being compared are hashes, because the field in question
> > >> requires IS_CRYPT(), which really doesn't do anything but hash the
> > >> value.
> > >>
> > >>> On Sep 18, 1:34 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
> > >>>> On Sep 18, 2009, at 1:06 PM, waTR wrote:
> > >>>>
> > >>>>> Related question though... how can one check if password entered
> > >>>>> matches password stored in DB for that user? When I retrieve the
> > >>>>> stored password via select(), it is encrypted. How does Auth
> > >>>>> decrypt?
> > >>>>> Where can I find that code (what file)?
> > >>>>
> > >>>> Briefly, you don't decrypt the stored password. Actually, you
> > >>>> can't, because it's not encrypted; it's hashed.
> > >>>>
> > >>>> You check it by hashing the login password and comparing the
> > >>>> hashes.
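
Added example (not part of the original thread and not web2py's own code): with a hand-built HTML form there is no form.vars, so the raw request value has to go through the same hashing validator that produced the stored value before the two are compared. KeyedHashValidator, password_matches and the key are hypothetical stand-ins that follow the validator(value) -> (value, error) calling convention; the stored row and request values are constructed.

```python
import hashlib
import hmac


class KeyedHashValidator:
    """Stand-in for a hashing validator (hypothetical, not web2py's CRYPT).

    Calling convention assumed here: validator(value) -> (new_value, error).
    """

    def __init__(self, key, digest=hashlib.sha512):
        self.key = key.encode("utf-8")
        self.digest = digest

    def __call__(self, value):
        if not value:
            # Reject empty input instead of hashing it.
            return (value, "password required")
        mac = hmac.new(self.key, value.encode("utf-8"), self.digest)
        return (mac.hexdigest(), None)


def password_matches(validator, submitted, stored_hash):
    """Hash the raw submitted value, then compare hash to hash."""
    hashed, error = validator(submitted)
    if error is not None:
        return False
    # Constant-time comparison, so timing does not reveal how many
    # leading characters of the two hashes agree.
    return hmac.compare_digest(hashed, stored_hash)


# Constructed sample data: the same validator instance (same key) must be
# used when the password is stored and when it is checked.
validator = KeyedHashValidator(key="constructed-example-key")
stored_row = {"password": validator("correct horse")[0]}  # value kept in the db
request_vars = {"password": "correct horse"}  # raw value from a hand-built <form>


def demo():
    raw = request_vars.get("password", "")
    return password_matches(validator, raw, stored_row["password"])


if __name__ == "__main__":
    print("login ok" if demo() else "login failed")
```

A validator built with a different key produces a different hash for the same password, so the key has to be identical at registration and at login.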