[Piwik-hackers] Salted Hash For Passwords - Ticket #308
Matthieu Aubry
matthieu.aubry at gmail.com
Wed Jul 23 00:27:45 CEST 2008
Hi Patrick,
you're welcome to send us a patch for this feature.
- The test suite doesn't test all the related code. You can execute the
tests by going to /piwik/tests/; you can also execute only the test you
want by going to piwik/tests/modules/UsersManager.test.php (in your case
this test will be useful).
- To modify the schema, as we don't yet have a database upgrade
feature... This is not so easy. We can build this update mechanism now
though (as you will need it).
- The Login plugin doesn't have tests; you can add them, this is more
than welcome :)
No problem for the questions, you're welcome!
Patrick Joyce wrote:
> I see that sannu reported a bug that Piwik doesn't currently salt the
> hash for passwords (http://dev.piwik.org/trac/ticket/308). This is
> something I had noticed a while back and have been meaning to fix.
>
> I'd be happy to write and submit a patch that will add a per-user
> salt. This will help protect against dictionary attacks, and will
> allow existing users to still log in.
>
> However, I need a little direction in terms of the process for
> submitting a patch to the piwik core. I see plenty of documentation in
> the wiki for how to create a plugin and test the UI, but I don't see a
> process for how to contribute to the core.
>
> Specifically I have the following questions:
>
> How do I run the test suite?
> What is the preferred way of modifying the DB Schema? (I will need to
> add a salt column to the piwik_user table)
> Are there existing tests for the Login plugin?
>
> Sorry if the questions are basic. I come from a background of Java,
> ASP.Net and pretty much nothing but Ruby and Rails for the past year.
> So I'm used to jUnit, nUnit, Test::Unit, and RSpec for tests and not
> extremely experienced with PHP. I'm not having the easiest time
> following the unit tests.
>
> Thanks,
>
> Patrick Joyce
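
One way to add a per-user salt while existing users can still log in, as the thread above proposes. This is an added example, not Piwik code and not the patch discussed here; the row layout, the legacy unsalted MD5 digest, the PBKDF2 parameters and all function names are assumptions.

```php
<?php
// Added illustration, not Piwik code. Assumptions: legacy rows store an unsalted
// MD5 hex digest with a NULL salt; PBKDF2-HMAC-SHA256 replaces it going forward.
const PBKDF2_ITERATIONS = 600000; // assumed work factor

function hashWithSalt(string $password, string $saltHex): string
{
    return hash_pbkdf2('sha256', $password, hex2bin($saltHex), PBKDF2_ITERATIONS);
}

// Columns to store for a new or upgraded password: fresh random salt per user.
function makeCredentials(string $password): array
{
    $saltHex = bin2hex(random_bytes(16));
    return ['salt' => $saltHex, 'password' => hashWithSalt($password, $saltHex)];
}

// Check one user row. Returns [bool $ok, ?array $upgrade]; $upgrade holds the new
// salt/password columns to write back when a legacy row was just verified.
function verifyLogin(array $row, string $password): array
{
    if ($row['salt'] === null) {
        // Legacy row: compare against the old unsalted digest in constant time.
        if (!hash_equals($row['password'], md5($password))) {
            return [false, null];
        }
        // The clear-text password is only available now, so re-hash it with a salt.
        return [true, makeCredentials($password)];
    }
    return [hash_equals($row['password'], hashWithSalt($password, $row['salt'])), null];
}

// Constructed sample rows: two legacy users who chose the same password.
$alice = ['login' => 'alice', 'salt' => null, 'password' => md5('s3cret-demo')];
$bob   = ['login' => 'bob',   'salt' => null, 'password' => md5('s3cret-demo')];
echo "legacy digests equal: ", var_export($alice['password'] === $bob['password'], true), "\n";

// First login after the schema change upgrades each row in place.
[$okA, $upA] = verifyLogin($alice, 's3cret-demo');
[$okB, $upB] = verifyLogin($bob, 's3cret-demo');
$alice = array_merge($alice, $upA);
$bob   = array_merge($bob, $upB);
echo "salted digests equal: ", var_export($alice['password'] === $bob['password'], true), "\n";

// Later logins take the salted path only.
echo "correct password: ", var_export(verifyLogin($alice, 's3cret-demo')[0], true), "\n";
echo "wrong password:   ", var_export(verifyLogin($alice, 'not-it')[0], true), "\n";
```

Rows are upgraded only when their owner logs in, so accounts that never return keep the unsalted digest until they are reset or otherwise handled.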