diff --git a/resources/sql/autopatches/20140410.accountsecret.1.sql b/resources/sql/autopatches/20140410.accountsecret.1.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20140410.accountsecret.1.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_user.user
+ ADD accountSecret CHAR(64) NOT NULL COLLATE latin1_bin;
diff --git a/resources/sql/autopatches/20140410.accountsecret.2.php b/resources/sql/autopatches/20140410.accountsecret.2.php
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20140410.accountsecret.2.php
@@ -0,0 +1,23 @@
+getID();
+ echo "Updating {$id}...\n";
+
+ if (strlen($user->getAccountSecret())) {
+ continue;
+ }
+
+ queryfx(
+ $user->establishConnection('w'),
+ 'UPDATE %T SET accountSecret = %s WHERE id = %d',
+ $user->getTableName(),
+ Filesystem::readRandomCharacters(64),
+ $id);
+}
+
+echo "Done.\n";
diff --git a/src/applications/people/storage/PhabricatorUser.php b/src/applications/people/storage/PhabricatorUser.php
--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -32,6 +32,8 @@
 protected $isEmailVerified = 0;
 protected $isApproved = 0;
+ protected $accountSecret;
+
 private $profileImage = self::ATTACHABLE;
 private $profile = null;
 private $status = self::ATTACHABLE;
@@ -157,6 +159,11 @@
 if (!$this->getConduitCertificate()) {
 $this->setConduitCertificate($this->generateConduitCertificate());
 }
+
+ if (!strlen($this->getAccountSecret())) {
+ $this->setAccountSecret(Filesystem::readRandomCharacters(64));
+ }
+
 $result = parent::save();
 if ($this->profile) {
@@ -305,7 +312,7 @@
 private function generateToken($epoch, $frequency, $key, $len) {
 if ($this->getPHID()) {
- $vec = $this->getPHID().$this->getPasswordHash();
+ $vec = $this->getPHID().$this->getAccountSecret();
 } else {
 $vec = $this->getAlternateCSRFString();
 }
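Review bot: The new column is declared NOT NULL with no DEFAULT, so every row that exists when this ALTER runs comes back with an empty string, and that empty string is exactly what 20140410.accountsecret.2.php and PhabricatorUser::save() later test with strlen() to decide whether a secret still has to be generated; nothing in this file records that dependency. A comment above the statement would stop a later maintainer from adding a DEFAULT or relaxing the NOT NULL without realising the sentinel is load-bearing: `-- '' means "not yet generated"; 20140410.accountsecret.2.php backfills existing rows.` The binary collation is the right choice for an opaque random value that should never be compared case-insensitively.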
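Review bot: The progress line `echo "Updating {$id}...\n";` is printed before the `strlen($user->getAccountSecret())` guard, so every row announces "Updating" even when the loop skips it on the next statement; moving the echo below the `continue` makes the output reflect what was actually written. The guard itself deserves a comment, because it is what makes the patch safe to re-run and keeps it from overwriting a secret that save() already generated for a row touched between the two patches: `// Idempotent: leave rows that already carry a secret alone.` The strength of the generated value rests on Filesystem::readRandomCharacters() drawing from a CSPRNG, which this hunk does not show — confirm that before treating the column as a key. The file header and the loop opening are not visible in the hunk as rendered, so the iteration setup could not be reviewed.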
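Review bot: The new property is added with no indication of what it holds or who fills it, even though the rest of this change treats it as security-sensitive and swaps it in for the password hash. A one-line comment would anchor that for readers of the class: `// 64-char random per-user secret; generated lazily in save(), mixed into generateToken() in place of the password hash.` The class header and the remainder of the property list lie outside the hunk.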
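Review bot: The lazy fill in save() is the only place an accountSecret is produced, yet the generateToken() change later in this diff concatenates `$this->getPHID().$this->getAccountSecret()` unconditionally, so any row whose column is still '' (rows between patch .1 and .2, or rows written without passing through save()) yields a token vector derived from the PHID alone, which is not secret. Failing closed at the derivation site is safer than silently weakening the token: `$secret = $this->getAccountSecret(); if (!strlen($secret)) { throw new Exception('User has no account secret.'); }`. The block in this hunk should also say why it keys off the empty string: `// Lazily mint the per-user secret on first save; '' means none has been generated yet.` save() starts and ends outside the hunk, so other write paths could not be checked here.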