YOURLS · wogsland · Apr 20, 2014
diff --git a/includes/functions-install.php b/includes/functions-install.php
@@ -227,6 +227,14 @@ function yourls_create_sql_tables() {
 		'KEY `shorturl` (`shorturl`)'.
 		') AUTO_INCREMENT=1 ;';
 
+	$create_tables[YOURLS_DB_TABLE_USER] = 
+		'CREATE TABLE IF NOT EXISTS `'.YOURLS_DB_TABLE_USER.'` ('.
+		'`user_id` int(11) NOT NULL auto_increment,'.
+		'`username` varchar(200) NOT NULL,'.
+		'`user_password` varchar(255) NOT NULL,'.
+		'PRIMARY KEY  (`user_id`),'.
+		'KEY `username` (`username`)'.
+		') AUTO_INCREMENT=1 ;';
 
 	$create_table_count = 0;
 
@@ -248,6 +256,10 @@ function yourls_create_sql_tables() {
 	if( !yourls_initialize_options() )
 		$error_msg[] = yourls__( 'Could not initialize options' );
 
+	// Initializes the user table
+	if( !yourls_initialize_user() )
+		$error_msg[] = yourls__( 'Could not initialize user(s)' );
+
 	// Insert sample links
 	if( !yourls_insert_sample_links() )
 		$error_msg[] = yourls__( 'Could not insert sample short URLs' );
@@ -280,6 +292,28 @@ function yourls_initialize_options() {
 	);
 }
 
+/**
+ * Initializes the user table
+ *
+ * Initializes the admin user with password.
+ *
+ * @since 1.8
+ * @return bool
+ */
+function yourls_initialize_user() {
+	global $yourls_user_passwords;
+
+	if( !isset( $yourls_user_passwords ) ){
+		return ( bool ) ( yourls_add_user( 'admin', 'pasord' ) );
+	}else{
+		$users = array_keys( $yourls_user_passwords );
+		$success = true;
+		foreach( $users as $user ){
+			$success = $success && ( bool ) ( yourls_add_user( $user, $yourls_user_passwords[$user] ) );
+		}
+	}
+}
+
 /**
  * Populates the URL table with a few sample links
  *

diff --git a/includes/functions-upgrade.php b/includes/functions-upgrade.php
@@ -27,6 +27,9 @@ function yourls_upgrade( $step, $oldver, $newver, $oldsql, $newsql ) {
 		if( $oldsql < 482 )
 			yourls_upgrade_482();
 
+		if( $oldsql < 483 )
+			yourls_upgrade_483();
+
 		yourls_redirect_javascript( yourls_admin_url( "upgrade.php?step=3" ) );
 
 		break;
@@ -52,6 +55,33 @@ function yourls_upgrade_482() {
 	echo "<p>Updating table structure. Please wait...</p>";
 }
 
+/**
+ * Upgrade r483 
+ *
+ */
+function yourls_upgrade_483() {
+	// Creating user table
+	global $ydb;
+	$table_url = YOURLS_DB_TABLE_USER;
+	$sql = 		
+		'CREATE TABLE IF NOT EXISTS `'.YOURLS_DB_TABLE_USER.'` ('.
+		'`user_id` int(11) NOT NULL auto_increment,'.
+		'`username` varchar(200) NOT NULL,'.
+		'`user_password` varchar(255) NOT NULL,'.
+		'PRIMARY KEY  (`user_id`),'.
+		'KEY `username` (`username`)'.
+		') AUTO_INCREMENT=1 ;';
+	$ydb->query( $sql );
+	echo "<p>Updating table structure. Please wait...</p>";
+
+	// Initializes the user table
+	if( !yourls_initialize_user() ){
+		$error_msg[] = yourls__( 'Could not initialize user(s)' );
+	}else{
+		echo "<p>User table initialization successful.</p>";
+	}
+}
+
 /************************** 1.4.3 -> 1.5 **************************/
 
 /**

diff --git a/includes/functions.php b/includes/functions.php
@@ -937,6 +937,18 @@ function yourls_upgrade_is_needed() {
 	return false;
 }
 
+/**
+ * Check if an upgrade is needed before looking for users in the DB.
+ *
+ */
+function yourls_users_in_database() {
+	list( $currentver, $currentsql ) = yourls_get_current_version_from_sql();
+	if( $currentsql >= 483 )
+		return true;
+
+	return false;
+}
+
 /**
  * Get current version & db version as stored in the options DB. Prior to 1.4 there's no option table.
  *
@@ -1138,6 +1150,93 @@ function yourls_delete_option( $name ) {
 	return true;
 }
 
+/**
+ * Read a user from DB. Return username or $default if not found
+ *
+ * Pretty much stolen from yourls_get_option
+ *
+ * @since 1.8
+ * @param string $username User's name. Expected to not be SQL-escaped.
+ * @param mixed $default Optional value to return if user doesn't exist. Defaults to false.
+ * @return mixed Value set for the option.
+ */
+function yourls_get_user( $username, $default = false ) {
+	global $ydb;
+
+	$table = YOURLS_DB_TABLE_USER;
+	$username = yourls_escape( $username );
+	$row = $ydb->get_row( "SELECT `username` FROM `$table` WHERE `username` = '$username' LIMIT 1" );
+	if ( is_object( $row) ) { // Has to be get_row instead of get_var because of funkiness with 0, false, null values
+		$value = $row->username;
+	} else { // user does not exist
+		$value = $default;
+	}
+
+	return $value;
+}
+
+/**
+ * Read all users with passwords from DB and returns them
+ *
+ * Pretty much stolen from yourls_get_option
+ *
+ * @since 1.8
+ * @return array of user => password
+ */
+function yourls_get_user_passwords() {
+	global $ydb;
+
+	$table = YOURLS_DB_TABLE_USER;
+	$username = yourls_escape( $username );
+	$users = $ydb->get_results( "SELECT `username`, `user_password` FROM `$table`" );
+	$user_passwords = array();
+	foreach( $users as $user ){
+		$user_passwords[ $user->username ] = $user->user_password;
+	}
+
+	return $user_passwords;
+}
+
+/**
+ * Add a user to the DB
+ *
+ * Pretty much stolen from yourls_add_option function
+ *
+ * @since 1.8
+ * @param string $username Name of user to add. Expected to not be SQL-escaped.
+ * @param mixed $password Password of user to add. Expected to not be SQL-escaped.
+ * @return bool False if user was not added and true otherwise.
+ */
+function yourls_add_user( $username, $password) {
+	global $ydb;
+	$table = YOURLS_DB_TABLE_USER;
+
+	$username = trim( $username );
+	if ( empty( $username ) )
+		return false;
+	$username = yourls_escape( $username );
+
+	$password = trim( $password );
+	if ( empty( $password ) )
+		return false;
+	if( substr( $password, 0, 7 ) != 'phpass:' ){
+		$hash = yourls_phpass_hash( $password );
+		// PHP would interpret $ as a variable, so replace it in storage.
+		$password = 'phpass:'.str_replace( '$', '!', $hash );
+	}
+	$password = yourls_escape( $password );
+
+	// Make sure the user doesn't already exist
+	if ( false !== yourls_get_user( $username ) )
+		return false;
+
+	yourls_do_action( 'add_user', $username, $password );
+
+	$ydb->query( "INSERT INTO `$table` (`username`, `user_password`) VALUES ('$username', '$password')" );
+	//$ydb->option[ $name ] = $value; --------- not sure what this line does
+	return true;
+}
+
 
 /**
  * Serialize data if needed. Stolen from WordPress

diff --git a/includes/load-yourls.php b/includes/load-yourls.php
@@ -65,6 +65,10 @@
 if( !defined( 'YOURLS_DB_TABLE_LOG' ) )
 	define( 'YOURLS_DB_TABLE_LOG', YOURLS_DB_PREFIX.'log' );
 
+// table to store users and their passwords
+if( !defined( 'YOURLS_DB_TABLE_USER' ) )
+	define( 'YOURLS_DB_TABLE_USER', YOURLS_DB_PREFIX.'user' );
+
 // minimum delay in sec before a same IP can add another URL. Note: logged in users are not throttled down.
 if( !defined( 'YOURLS_FLOOD_DELAY_SECONDS' ) )
 	define( 'YOURLS_FLOOD_DELAY_SECONDS', 15 );
@@ -174,6 +178,10 @@
 	}
 }
 
+// Initialize user/password array (overwrites what's in the config file from the DB if it exists).
+if ( yourls_users_in_database() )
+	$yourls_user_passwords = yourls_get_user_passwords();
+
 // Init all plugins
 yourls_load_plugins();
 yourls_do_action( 'plugins_loaded' );

diff --git a/includes/version.php b/includes/version.php
@@ -3,10 +3,10 @@
  * YOURLS version
  *
  */
-define( 'YOURLS_VERSION', '1.7.1' );
+define( 'YOURLS_VERSION', '1.8.0' );
 
 /**
  * YOURLS DB version. Increments when changes are made to the DB schema, to trigger a DB update
  *
  */
-define( 'YOURLS_DB_VERSION', '482' );
+define( 'YOURLS_DB_VERSION', '483' );
diff --git a/user/config-sample.php b/user/config-sample.php
@@ -53,13 +53,10 @@
 /** A random secret hash used to encrypt cookies. You don't have to remember it, make it long and complicated. Hint: copy from http://yourls.org/cookie **/
 define( 'YOURLS_COOKIEKEY', 'modify this text with something random' );
 
-/** Username(s) and password(s) allowed to access the site. Passwords either in plain text or as encrypted hashes
- ** YOURLS will auto encrypt plain text passwords in this file
- ** Read http://yourls.org/userpassword for more information */
-$yourls_user_passwords = array(
-	'username' => 'password',
-	'username2' => 'password2'	// You can have one or more 'login'=>'password' lines
-	);
+/** Username and password for initial setup. 
+ ** Other users can be added and your password changed through the interface.
+ ** http://yourls.org/userpassword needs to be updated to reflect this */
+$yourls_user_passwords = array('username' => 'password');
 
 /** Debug mode to output some internal information
  ** Default is false for live site. Enable when coding or before submitting a new issue */