Check a user password

In our company, we are now using ProjeQtor as our Project Management tool.

We also have an accountancy system and we woud like to produce SQL queries extracting data from both ProjecQtor PostgreSql database and the accountancy database. In order not to expose accountancy data to users with access to only certain projects, we would like to prevent access to users based upon the same projects that are granted to them by projeqtor.

To do that, first we need to identify the user who is requesting the data, but we would need to asses his/her username and password (or perhaps their windows username, which is the same in our projeqtor database.

First issue is to understand the hashing algoritm. In resource table, I can see three hashes: password, salt and API Key.

1.- How could I verify a user's pasword (say "userpasswordstring") against the hashes stored in the database?
2.- Is there a way to identify the actual projeqtor user somewhere in the cookie or PHP temp storage ?

Is there any workaround to do this? I am creating a report in a separate php simple application and, to be able to produce a SQL function (on a separate database) to produce a query, I would need to identify the user's username to be able to filter the data he/she has acces to, so that not all the projects are exposed.

Thanks! very useful.

HOwever, if I want to do it from a PostgreSQL server stored procedure, I guess I should be using a SQL statement.

I have followed your pattern (paintextpassword+username+salt), and I have used the DIGEST postgresql function to produce the hash

SELECT ENCODE(digest(CONCAT('projeqtor','.',name,'.', salt),'sha256'),'hex') AS checkedpwd FROM xeresource

and the hashes seem not to be matching.

I am still trying to stract the session user name.

Considering that I am trying to extract the value from a different web page (say httpdocs/test) Which require_once statements would I need to be able to obtain the User object? How would I assign the $_Session user object to the projeqtor user object?