Ejemplo n.º 1
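def verify_user(name, password):
    """Check a login name and password against the account table.

    Returns a 4-tuple ``(account_id, account_type, account_name, account_lock)``
    taken from the matching row. On failure the first three fields are
    ``0, 0, ''``; the fourth is the row's lock flag when a row was read,
    otherwise ``0``.

    Security notes:
      * ``name`` comes from the login request and is interpolated into a
        double-quoted SQL literal, so names that could terminate or escape
        that literal are rejected before the query is built.
      * A stored hash that only matches the legacy unsalted SHA-256 format is
        re-hashed with ``sec_generate_password`` after a successful login.
    """
    cfg = app_cfg()
    db = get_db()

    # Untrusted input guard: a double quote, backslash or NUL in the name could
    # change the meaning of the string-built query below, so treat such names
    # as a failed login instead of sending them to the database.
    # NOTE(review): only db.query(sql) is visible here; if the db layer supports
    # bound parameters, switch to them and drop this filter.
    if not isinstance(name, str) or any(ch in name for ch in '"\\\x00'):
        return 0, 0, '', 0

    sql = 'SELECT `account_id`, `account_type`, `account_name`, `account_pwd`, `account_lock` FROM `{}account` WHERE `account_name`="{}";'.format(db.table_prefix, name)
    db_ret = db.query(sql)
    if db_ret is None:
        # No result from the database layer: this may be a freshly installed
        # system whose database has not been created yet, which is expected to
        # be running in maintenance mode. In that mode only, the fixed pair
        # admin/admin is accepted as the administrator.
        # NOTE(review): this is a hard-coded credential. Confirm maintenance
        # mode cannot be reached from untrusted networks and cannot be entered
        # merely by making the database unavailable.
        if cfg.app_mode == APP_MODE_MAINTENANCE:
            if name == 'admin' and password == 'admin':
                return 1, 100, 'admin', 0
        return 0, 0, '', 0

    # Exactly one matching account is required.
    if len(db_ret) != 1:
        return 0, 0, '', 0

    user_id = db_ret[0][0]
    account_type = db_ret[0][1]
    name = db_ret[0][2]
    locked = db_ret[0][4]
    if locked == 1:
        # Locked accounts fail before any password check; the lock flag is
        # passed back so the caller can tell the two failures apart.
        return 0, 0, '', locked

    if not sec_verify_password(password, db_ret[0][3]):
        # The current scheme rejected the password; the stored value may still
        # be in the old format (plain SHA-256 hex digest), so try that once.
        if db_ret[0][3] != hashlib.sha256(password.encode()).hexdigest():
            return 0, 0, '', locked
        else:
            # Legacy hash matched: upgrade the stored value to the new format.
            # The result of db.exec is not checked, so a failed upgrade does
            # not block this login and is retried on the next one.
            # NOTE(review): the generated hash is embedded in the SQL text
            # unescaped; presumably its alphabet has no quote characters --
            # verify against sec_generate_password.
            _new_sec_password = sec_generate_password(password)
            sql = 'UPDATE `{}account` SET `account_pwd`="{}" WHERE `account_id`={}'.format(db.table_prefix, _new_sec_password, int(user_id))
            db.exec(sql)

    return user_id, account_type, name, locked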
Ejemplo n.º 2
def modify_pwd(old_pwd, new_pwd, user_id):
    """Change an account's password after checking the current one.

    Returns:
        0    the new password hash was written.
        -100 the account row could not be read (no result, or not exactly one row).
        -101 ``old_pwd`` matches neither the current hash format nor the
             legacy SHA-256 hex digest.
        -102 the UPDATE statement reported failure.

    ``user_id`` is passed through ``int()`` before it is placed in either
    statement, so only an integer ever reaches the SQL text.
    """
    db = get_db()
    select_sql = 'SELECT `account_pwd` FROM `{}account` WHERE `account_id`={};'.format(db.table_prefix, int(user_id))
    rows = db.query(select_sql)
    if rows is None or len(rows) != 1:
        return -100

    stored_hash = rows[0][0]
    if not sec_verify_password(old_pwd, stored_hash):
        # The current scheme rejected the password; fall back to the old
        # storage format, a plain SHA-256 hex digest of the password.
        legacy_digest = hashlib.sha256(old_pwd.encode()).hexdigest()
        if stored_hash != legacy_digest:
            return -101

    # Whatever format the old hash had, the replacement is always written in
    # the format produced by sec_generate_password.
    # NOTE(review): the generated hash is embedded in the SQL text unescaped;
    # presumably its alphabet has no quote characters -- verify.
    fresh_hash = sec_generate_password(new_pwd)
    update_sql = 'UPDATE `{}account` SET `account_pwd`="{}" WHERE `account_id`={}'.format(db.table_prefix, fresh_hash, int(user_id))
    return 0 if db.exec(update_sql) else -102