- $authenticated = false;
- $eventResult = Event::handle('CheckPassword', array($nickname, $password, &$authenticated));
- $user = User::staticGet('nickname', $nickname);
- if (is_null($user) || $user === false) {
- //user does not exist
- if($authenticated){
- //a handler said these are valid credentials, so see if a plugin wants to auto register the user
- if(Event::handle('AutoRegister', array($nickname))){
- //no handler registered the user
- return false;
- }else{
- $user = User::staticGet('nickname', $nickname);
- if (is_null($user) || $user === false) {
- common_log(LOG_WARNING, "A plugin handled the AutoRegister event, but did not actually register the user, nickname: $nickname");
- return false;
- }else{
- return $user;
- }
- }
- }else{
- //no handler indicated the credentials were valid, and we know their not valid because the user isn't in the database
- return false;
- }
- } else {
- if($eventResult && ! $authenticated){
- //no handler was authoritative
- if (mb_strlen($password) == 0) {
- // NEVER allow blank passwords, even if they match the DB
- return false;
- }else{
+ $authenticatedUser = false;
+
+ if (Event::handle('StartCheckPassword', array($nickname, $password, &$authenticatedUser))) {
+ $user = User::staticGet('nickname', $nickname);
+ if (!empty($user)) {
+ if (!empty($password)) { // never allow login with blank password