Some notes to understand the waltz of the data at registration/login time. Applies to 1.10.
provpass, hash and password refer to the users_users columns.
register with (login, pass)
direct:
- the hash is generated from the login/pass (hash_pass function)
- password is set to pass if passwords are kept in clear, otherwise it is empty
- provpass is set to empty
need user validation:
- the password_sent sent to the user is randomly generated (genPass function)
- the hash is generated from user/password_sent (hash_pass function)
- provpass is set to pass (clear pass)
- password is set to the clear pass if passwords are kept in clear, otherwise set to empty
- when the user validates: (function tiki-login_validate.php)
  - the hash_pass of login, pass_received, hash is compared to hash - must be equal
  - the hash is generated from login/provpass (hash_pass function)
  - provpass is empty
  - note: the confirmation email cannot be used another time
need administration validation:
- the process is very similar to 'need user validation', except that the info is sent to the admin and not to the user
login
- check if hash matched the login/pass (function hash_pass)
- provpass and password are not used
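
The registration, validation and login steps above, modelled as an added Python example (not Tiki's own PHP code), to show which columns hold a clear value at each step. hash_pass and gen_pass are stand-ins, since the notes name the functions without giving their algorithms; STORE_CLEAR, cleartext_columns, the dict row layout and the reading of the validation check as hash_pass(login, pass_received) == hash are assumptions.

```python
import hashlib
import hmac
import secrets

STORE_CLEAR = False  # assumption: models the "passwords kept in clear" setting


def hash_pass(login, password):
    # Stand-in only: the notes name hash_pass but do not give its algorithm.
    return hashlib.sha256(f"{login}:{password}".encode()).hexdigest()


def gen_pass():
    # Stand-in for genPass: a random one-time secret.
    return secrets.token_urlsafe(12)


def register_direct(login, password):
    return {"login": login, "hash": hash_pass(login, password),
            "password": password if STORE_CLEAR else "", "provpass": ""}


def register_with_validation(login, password):
    """Return (row, password_sent); password_sent is what gets e-mailed."""
    sent = gen_pass()
    row = {"login": login, "hash": hash_pass(login, sent),
           "password": password if STORE_CLEAR else "", "provpass": password}
    return row, sent


def validate(row, pass_received):
    # Assumed reading of the notes: hash_pass(login, pass_received) must equal hash.
    if not hmac.compare_digest(hash_pass(row["login"], pass_received), row["hash"]):
        return False
    row["hash"] = hash_pass(row["login"], row["provpass"])
    row["provpass"] = ""  # hash no longer matches the mailed secret: single use
    return True


def login(row, password):
    # Only hash is consulted; provpass and password are ignored.
    return hmac.compare_digest(hash_pass(row["login"], password), row["hash"])


def cleartext_columns(row):
    """Audit helper: columns that currently hold a non-empty clear value."""
    return [c for c in ("password", "provpass") if row[c]]
```

Between registration and validation, cleartext_columns reports provpass even when passwords are not kept in clear, which is the window to account for when reviewing database backups and access.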
remind password
- if passwords are kept in clear, send provpass, or password if provpass is empty... why?
- otherwise, provpass is randomly generated (genPass function) and sent to the user
- notice: a user can still log in with their old password
change password
password_due
- only redirect to change password page
email_due
- provpass is generated by gen_pass and sent to the user
- when the user validates, provpass is compared and, if ok, set to ''; otherwise error