From 0c68ebe6522c2d252ae8d7d8c3b8ecc02c3680f5 Mon Sep 17 00:00:00 2001 From: Clemens Schwaighofer Date: Thu, 23 Jun 2022 06:50:07 +0900 Subject: [PATCH] Login\ACL revalidate flow fixes - DB function had wrong column name - Queries in ACL\Login had wrong column name - Renamed from login_user_id_last_login to login_user_id_last_revalidate to make it more clear what this column is - add edit_user admin page output for this column - add phpUnit test case for revalidate is needed and login with next loginUserId is ok again --- 4dev/database/database_create_data.sql | 22 +-- .../edit_user_set_login_user_id_set_date.sql | 4 +- 4dev/database/table/edit_user.sql | 20 +-- .../20220617-edit_user_login_user_id_add.sql | 6 +- 4dev/tests/CoreLibsACLLoginTest.php | 130 +++++++++++++++--- .../CoreLibsACLLogin_database_create_data.sql | 22 +-- www/includes/edit_base.php | 1 + .../table_arrays/array_edit_users.php | 6 + www/lib/CoreLibs/ACL/Login.php | 6 +- 9 files changed, 157 insertions(+), 60 deletions(-) diff --git a/4dev/database/database_create_data.sql b/4dev/database/database_create_data.sql index 3e810cca..af0a5f67 100644 --- a/4dev/database/database_create_data.sql +++ b/4dev/database/database_create_data.sql @@ -270,8 +270,10 @@ BEGIN (OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id) THEN NEW.login_user_id_set_date = NOW(); + NEW.login_user_id_last_revalidate = NOW(); ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN NEW.login_user_id_set_date = NULL; + NEW.login_user_id_last_revalidate = NULL; END IF; RETURN NEW; END; 
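Review bot: The trigger body changed here is the same one re-created in function/edit_user_set_login_user_id_set_date.sql, in update/20220617-edit_user_login_user_id_add.sql and in tests/database/CoreLibsACLLogin_database_create_data.sql, and the defect this commit fixes — `login_user_id_revalidate_after = NOW()` in two copies, the line missing altogether in this one — is exactly the drift that duplication produces. The `-- START:`/`-- END:` markers further down suggest this file is concatenated from the table/ and function/ files; if so, a header such as `-- GENERATED from 4dev/database/table/*.sql and function/*.sql; edit the source files and regenerate` would discourage hand edits here, and the test copy could be produced the same way instead of being maintained by hand. The function declaration and the `IF` that opens this branch lie outside the hunk.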
@@ -595,13 +597,13 @@ CREATE TABLE edit_user ( password_reset_time TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested password_reset_uid VARCHAR, -- the uid to access the password reset page -- _GET login id for direct login - login_user_id VARCHAR UNIQUE, -- the login uid, at least 32 chars + login_user_id VARCHAR UNIQUE, -- the loginUserId, at least 32 chars login_user_id_set_date TIMESTAMP WITHOUT TIME ZONE, -- when above uid was set - login_user_id_last_login TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password + login_user_id_last_revalidate TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password login_user_id_valid_from TIMESTAMP WITHOUT TIME ZONE, -- if set, from when the above uid is valid login_user_id_valid_until TIMESTAMP WITHOUT TIME ZONE, -- if set, until when the above uid is valid - login_user_id_revalidate_after INTERVAL, -- user must login to revalidated login id after set days, 0 for forever - login_user_id_locked SMALLINT DEFAULT 0, -- lock for login user id, but still allow normal login + login_user_id_revalidate_after INTERVAL, -- user must login to revalidated loginUserId after set days, 0 for forever + login_user_id_locked SMALLINT DEFAULT 0, -- lock for loginUserId, but still allow normal login -- additional ACL json block additional_acl JSONB -- additional ACL as JSON string (can be set by other pages) ) INHERITS (edit_generic) WITHOUT OIDS; 
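Review bot: The inline comment kept on the renamed column, `-- when the last login was done with user name and password`, no longer matches what writes it: the trigger in this commit also stamps `login_user_id_last_revalidate` whenever `login_user_id` is set or changed, and the `COMMENT ON COLUMN` in the next hunk already says so. Suggest `login_user_id_last_revalidate TIMESTAMP WITHOUT TIME ZONE, -- set on username/password login and whenever login_user_id is (re)set; start of the login_user_id_revalidate_after window`. The same stale comment is in the table/edit_user.sql hunk and in the tests/database copy of this file.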
@@ -630,12 +632,12 @@ COMMENT ON COLUMN edit_user.password_change_interval IS 'After how many days the COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check'; COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid, one time, invalid after reset successful or time out'; COMMENT ON COLUMN edit_user.login_user_id IS 'Min 32 character UID to be used to login without password. Via GET/POST parameter'; -COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'login id was set at what date'; -COMMENT ON COLUMN edit_user.login_user_id_last_login IS 'set when username/password login is done'; -COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'login id is valid from this date, >='; -COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'login id is valid until this date, <='; -COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate, set to 0 for valid forver'; -COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for login id, user can still login normal'; +COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'loginUserId was set at what date'; +COMMENT ON COLUMN edit_user.login_user_id_last_revalidate IS 'set when username/password login is done and loginUserId is set'; +COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'loginUserId is valid from this date, >='; +COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'loginUserId is valid until this date, <='; +COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate the loginUserId, set to 0 for valid forver'; +COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for loginUserId, user can still login normal'; COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List 
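Review bot: The rewritten `COMMENT ON COLUMN` lines carry over two typos that now show up in every schema dump, `valid forver` and `A separte lock flag`; `valid forever` and `A separate lock flag`. The `login_user_id_revalidate_after` comment also still speaks of "a number greater 0" and "amount of days" although the column is an `INTERVAL` and Login.php compares it against `'0 days'::INTERVAL`, with NULL treated as no revalidation; `If set to an interval greater than 0 days, the user must log in with username/password within that interval to revalidate the loginUserId; 0 or NULL means valid forever` describes the actual check. The same lines appear in the table/edit_user.sql hunk and in the tests/database copy.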
stored in JSON format'; -- END: table/edit_user.sql -- START: table/edit_log.sql diff --git a/4dev/database/function/edit_user_set_login_user_id_set_date.sql b/4dev/database/function/edit_user_set_login_user_id_set_date.sql index f6b15f0a..1c3ca2f7 100644 --- a/4dev/database/function/edit_user_set_login_user_id_set_date.sql +++ b/4dev/database/function/edit_user_set_login_user_id_set_date.sql @@ -15,10 +15,10 @@ BEGIN (OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id) THEN NEW.login_user_id_set_date = NOW(); - NEW.login_user_id_revalidate_after = NOW(); + NEW.login_user_id_last_revalidate = NOW(); ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN NEW.login_user_id_set_date = NULL; - NEW.login_user_id_revalidate_after = NULL; + NEW.login_user_id_last_revalidate = NULL; END IF; RETURN NEW; END; diff --git a/4dev/database/table/edit_user.sql b/4dev/database/table/edit_user.sql index 18703156..9f0c86b7 100644 --- a/4dev/database/table/edit_user.sql +++ b/4dev/database/table/edit_user.sql 
@@ -55,13 +55,13 @@ CREATE TABLE edit_user ( password_reset_time TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested password_reset_uid VARCHAR, -- the uid to access the password reset page -- _GET login id for direct login - login_user_id VARCHAR UNIQUE, -- the login uid, at least 32 chars + login_user_id VARCHAR UNIQUE, -- the loginUserId, at least 32 chars login_user_id_set_date TIMESTAMP WITHOUT TIME ZONE, -- when above uid was set - login_user_id_last_login TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password + login_user_id_last_revalidate TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password login_user_id_valid_from TIMESTAMP WITHOUT TIME ZONE, -- if set, from when the above uid is valid login_user_id_valid_until TIMESTAMP WITHOUT TIME ZONE, -- if set, until when the above uid is valid - login_user_id_revalidate_after INTERVAL, -- user must login to revalidated login id after set days, 0 for forever - login_user_id_locked SMALLINT DEFAULT 0, -- lock for login user id, but still allow normal login + login_user_id_revalidate_after INTERVAL, -- user must login to revalidated loginUserId after set days, 0 for forever + login_user_id_locked SMALLINT DEFAULT 0, -- lock for loginUserId, but still allow normal login -- additional ACL json block additional_acl JSONB -- additional ACL as JSON string (can be set by other pages) ) INHERITS (edit_generic) WITHOUT OIDS; 
@@ -90,10 +90,10 @@ COMMENT ON COLUMN edit_user.password_change_interval IS 'After how many days the COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check'; COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid, one time, invalid after reset successful or time out'; COMMENT ON COLUMN edit_user.login_user_id IS 'Min 32 character UID to be used to login without password. Via GET/POST parameter'; -COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'login id was set at what date'; -COMMENT ON COLUMN edit_user.login_user_id_last_login IS 'set when username/password login is done'; -COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'login id is valid from this date, >='; -COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'login id is valid until this date, <='; -COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate, set to 0 for valid forver'; -COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for login id, user can still login normal'; +COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'loginUserId was set at what date'; +COMMENT ON COLUMN edit_user.login_user_id_last_revalidate IS 'set when username/password login is done and loginUserId is set'; +COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'loginUserId is valid from this date, >='; +COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'loginUserId is valid until this date, <='; +COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate the loginUserId, set to 0 for valid forver'; +COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for loginUserId, user can still login normal'; COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List 
stored in JSON format'; diff --git a/4dev/database/update/20220617-edit_user_login_user_id_add.sql b/4dev/database/update/20220617-edit_user_login_user_id_add.sql index 801afb3d..37a9293d 100644 --- a/4dev/database/update/20220617-edit_user_login_user_id_add.sql +++ b/4dev/database/update/20220617-edit_user_login_user_id_add.sql @@ -6,7 +6,7 @@ ALTER TABLE edit_user ADD login_user_id VARCHAR UNIQUE; -- ALTER TABLE edit_user ADD CONSTRAINT edit_user_login_user_id_key UNIQUE (login_user_id); -- when above uid was set ALTER TABLE edit_user ADD login_user_id_set_date TIMESTAMP WITHOUT TIME ZONE; -ALTER TABLE edit_user ADD login_user_id_last_login TIMESTAMP WITHOUT TIME ZONE; +ALTER TABLE edit_user ADD login_user_id_last_revalidate TIMESTAMP WITHOUT TIME ZONE; -- if set, from/until when the above uid is valid ALTER TABLE edit_user ADD login_user_id_valid_from TIMESTAMP WITHOUT TIME ZONE; ALTER TABLE edit_user ADD login_user_id_valid_until TIMESTAMP WITHOUT TIME ZONE; @@ -34,10 +34,10 @@ BEGIN (OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id) THEN NEW.login_user_id_set_date = NOW(); - NEW.login_user_id_revalidate_after = NOW(); + NEW.login_user_id_last_revalidate = NOW(); ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN NEW.login_user_id_set_date = NULL; - NEW.login_user_id_revalidate_after = NULL; + NEW.login_user_id_last_revalidate = NULL; END IF; RETURN NEW; END; diff --git a/4dev/tests/CoreLibsACLLoginTest.php b/4dev/tests/CoreLibsACLLoginTest.php index a35cd8d9..555f9873 100644 --- a/4dev/tests/CoreLibsACLLoginTest.php +++ b/4dev/tests/CoreLibsACLLoginTest.php @@ -167,7 +167,7 @@ final class CoreLibsACLLoginTest extends TestCase // 3: expected error code, 0 for all ok, 3000 for login page view // note that 1000 (no db), 2000 (no session) must be tested too // 4: expected return array, eg login_error code, or other info data to match - return [ + $tests = [ 'load, no login' => [ // error code, only for exceptions [ 
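Review bot: Editing the dated migration 20220617-edit_user_login_user_id_add.sql in place renames the column only for databases that have not run it yet; any database where the original version was already applied keeps `login_user_id_last_login`, and the renamed column in the Login.php queries then fails with an undefined-column error, i.e. every loginUserId and password login on that instance breaks. If this migration may have been applied anywhere, keep the original file untouched and add a follow-up migration with `ALTER TABLE edit_user RENAME COLUMN login_user_id_last_login TO login_user_id_last_revalidate;` plus a re-creation of the trigger function, which the second hunk of this file presumably also replaces in place. Existing rows that already have `login_user_id` set get no `login_user_id_last_revalidate` value from either the ADD or the rename, so a backfill such as `UPDATE edit_user SET login_user_id_last_revalidate = login_user_id_set_date WHERE login_user_id IS NOT NULL AND login_user_id_last_revalidate IS NULL;` is worth adding to that migration.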
@@ -290,7 +290,7 @@ final class CoreLibsACLLoginTest extends TestCase ], ], // login: all missing - 'login: all missing' => [ + 'login: failed: all missing' => [ [ 'page_name' => 'edit_users.php', ], @@ -311,7 +311,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: missing username - 'login: missing username' => [ + 'login: failed: missing username' => [ [ 'page_name' => 'edit_users.php', ], @@ -332,7 +332,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: missing password - 'login: missing password' => [ + 'login: failed: missing password' => [ [ 'page_name' => 'edit_users.php', ], @@ -353,7 +353,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: user not found - 'login: user not found' => [ + 'login: failed: user not found' => [ [ 'page_name' => 'edit_users.php', ], @@ -377,7 +377,7 @@ final class CoreLibsACLLoginTest extends TestCase // 9999: not valid password encoding // 1013: normal password failed // 1012: plain password check failed - 'login: invalid password' => [ + 'login: failed: invalid password' => [ [ 'page_name' => 'edit_users.php', ], @@ -399,7 +399,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: ok (but deleted) - 'login: ok, but deleted' => [ + 'login: ok -> failed: but deleted' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -424,7 +424,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: ok (but not enabled) - 'login: ok, but not enabled' => [ + 'login: ok -> failed: but not enabled' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -449,7 +449,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: ok (but locked) - 'login: ok, but locked' => [ + 'login: ok -> failed: but locked' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, 
@@ -474,7 +474,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login: make user get locked strict - 'login: ok, get locked, strict' => [ + 'login: ok -> failed: get locked, strict' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -498,7 +498,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login ok, but in locked period (until) - 'login: ok, but locked period (until:on)' => [ + 'login: ok -> failed: but locked period (until:on)' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -552,7 +552,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login ok, but in locked period (after) - 'login: ok, but locked period (after:on)' => [ + 'login: ok -> failed: but locked period (after:on)' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -577,7 +577,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login ok, but in locked period (until, after) - 'login: ok, but locked period (until:on, after:on)' => [ + 'login: ok -> failed:, but locked period (until:on, after:on)' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -603,7 +603,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // login ok, but login user id locked - 'login: ok, but login user id locked' => [ + 'login: ok -> failed:, but loginUserId locked' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -830,7 +830,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // loginUserId check with revalidate on/off - 'login: ok, but revalidate trigger, _GET loginUserId' => [ + 'login: ok -> failed:, but revalidate trigger, _GET loginUserId' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, 
@@ -886,7 +886,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // loginUserId check with active time from only - 'login: ok, _GET loginUserId, but outside valid (from:on) ' => [ + 'login: ok -> failed:, _GET loginUserId, but outside valid (from:on) ' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -942,7 +942,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // loginUserId check with active time until only - 'login: ok, _GET loginUserId, but outside valid (until:on) ' => [ + 'login: ok -> failed:, _GET loginUserId, but outside valid (until:on) ' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, @@ -968,7 +968,7 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // loginUserId check with active time from/until - 'login: ok, _GET loginUserId, but outside valid (from:on,until:on) ' => [ + 'login: ok -> failed:, _GET loginUserId, but outside valid (from:on,until:on) ' => [ [ 'page_name' => 'edit_users.php', 'edit_access_id' => 1, 
@@ -995,11 +995,52 @@ final class CoreLibsACLLoginTest extends TestCase ] ], // TODO: Test that if we have n day check with login, that after login we can use parameter login again + 'login: ok -> failed -> ok:, _GET loginUserId, but must revalidate, normal login, _GET loginUserId' => [ + [ + 'page_name' => 'edit_users.php', + 'edit_access_id' => 1, + 'edit_access_uid' => 'AdminAccess', + 'edit_access_data' => 'test', + 'base_access' => 'list', + 'page_access' => 'list', + 'test_login_user_id_revalidate_reset' => true, + 'test_login_user_id' => true, + 'test_username' => 'admin', + 'loginUserId' => '1234567890ABCDEFG', + // this error is thrown on first login round + 'login_error' => 1101, + // get post as set sub arrays + 'get' => [ + 'loginUserId' => '1234567890ABCDEFG', + ], + 'post' => [ + 'login_login' => 'Login', + 'login_username' => 'admin', + 'login_password' => 'admin', + ], + ], + // all empty get, post, session + [], + [], + [], + 0, + [ + 'login_error' => 0, + 'admin_flag' => true, + 'check_access' => true, + 'check_access_id' => 1, + 'check_access_data' => 'value', + 'base_access' => true, + 'page_access' => true, + ] + ] // // other: // login check edit access id of ID not null and not in array // login OK, but during action user gets disabled/deleted/etc ]; + + return $tests; } /** @@ -1207,10 +1248,10 @@ final class CoreLibsACLLoginTest extends TestCase if (!empty($mock_settings['test_login_user_id_revalidate_after'])) { $q_sub = ''; if ($mock_settings['test_login_user_id_revalidate_after'] == 'on') { - $q_sub = "login_user_id_last_login = NOW() - '1 day'::interval, " + $q_sub = "login_user_id_last_revalidate = NOW() - '1 day'::interval, " . "login_user_id_revalidate_after = '1 day'::interval "; } else { - $q_sub = "login_user_id_last_login = NOW(), " + $q_sub = "login_user_id_last_revalidate = NOW(), " . "login_user_id_revalidate_after = '6 day'::interval "; } self::$db->dbExec( 
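Review bot: The `// TODO: Test that if we have n day check with login ...` comment directly above the new case is what the added case implements, so it should be removed or turned into a description of the case rather than left as an open item. The new key `'login: ok -> failed -> ok:, _GET loginUserId, ...'` repeats the `:,` slip seen in several renamed keys above; `'login: ok -> failed -> ok, _GET loginUserId, but must revalidate, normal login, _GET loginUserId'` reads cleanly. The fixture value `'1234567890ABCDEFG'` is 17 characters while the schema comment for `edit_user.login_user_id` says at least 32; if the library enforces that minimum the first round would fail for a reason other than 1101, so a 32+ character fixture keeps the case honest. `$tests` is only assigned and returned, which is fine if it is meant as a debugging hook, otherwise the original `return [` was simpler.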
@@ -1220,6 +1261,50 @@ final class CoreLibsACLLoginTest extends TestCase . self::$db->dbEscapeLiteral($mock_settings['test_username']) ); } + if (!empty($mock_settings['test_login_user_id_revalidate_reset'])) { + // init dates data for revalidate frame, + // set to last revalidate 3 days ago and set revalidate frame to + // three days + self::$db->dbExec( + "UPDATE edit_user SET " + . "login_user_id_last_revalidate = NOW() - '3 day'::interval, " + . "login_user_id_revalidate_after = '3 day'::interval " + . "WHERE LOWER(username) = " + . self::$db->dbEscapeLiteral($mock_settings['test_username']) + ); + $_GET = $mock_settings['get']; + // login with loginUserId -> fail + try { + $login_mock->loginMainCall(); + } catch (\Exception $e) { + $this->assertEquals( + $mock_settings['login_error'], + $login_mock->loginGetLastErrorCode(), + 'loginUserId reset 1: Assert first loginUserId run failes' + ); + } + $_GET = []; + // login with username and password -> reset -> ok + // set _POST data + $_POST = $mock_settings['post']; + try { + $login_mock->loginMainCall(); + $this->assertEquals( + 0, + $login_mock->loginGetLastErrorCode(), + 'loginUserId reset 2: Assert username/password login is successful' + ); + } catch (\Exception $e) { + // if we end up here we have an issue + $this->assertTrue( + false, + 'loginUserId reset 2: FAILED successful login' + ); + } + $_POST = []; + // logut and run normal login with loginUserId + $_GET = $mock_settings['get']; + } if ( !empty($mock_settings['test_login_user_id_valid_from']) || !empty($mock_settings['test_login_user_id_valid_until']) @@ -1544,8 +1629,9 @@ final class CoreLibsACLLoginTest extends TestCase self::$db->dbExec( "UPDATE edit_user SET " . "login_user_id = NULL, " + // below to rows are automatcially reset . "login_user_id_set_date = NULL, " - . "login_user_id_last_login = NULL " + . "login_user_id_last_revalidate = NULL " . "WHERE LOWER(username) = " . self::$db->dbEscapeLiteral($mock_settings['test_username']) ); 
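Review bot: The first `try { $login_mock->loginMainCall(); } catch (\Exception $e) { $this->assertEquals(...) }` in the new `test_login_user_id_revalidate_reset` branch only asserts inside the catch, so if `loginMainCall()` returns without throwing — the revalidate check failing open — the "must fail" step passes silently and the whole case proves nothing. Record whether the call threw and assert on that outside the catch, as below; the second block's `$this->assertTrue(false, ...)` is better written as `$this->fail('loginUserId reset 2: FAILED successful login')`. The comment `// logut and run normal login with loginUserId` has a typo and describes no logout in the code, `// clear _POST, then re-run the loginUserId login; it must succeed now` matches what happens. The enclosing method starts and ends outside the hunk.
```php
// login with loginUserId -> must fail because revalidate is due
$first_run_threw = false;
try {
    $login_mock->loginMainCall();
} catch (\Exception $e) {
    $first_run_threw = true;
}
$this->assertTrue(
    $first_run_threw,
    'loginUserId reset 1: Assert first loginUserId run failes'
);
$this->assertEquals(
    $mock_settings['login_error'],
    $login_mock->loginGetLastErrorCode(),
    'loginUserId reset 1: Assert first loginUserId run failes'
);
$_GET = [];
// … unchanged: $_POST setup and the username/password login try block …
```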
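Review bot: The comment added between the concatenated SQL fragments, `// below to rows are automatcially reset`, has two typos and does not say by what; `// the next two columns are also cleared by the edit_user login_user_id trigger, reset explicitly so teardown does not depend on it` states the intent, assuming that trigger is attached in the test database as the tests/database copy of the schema suggests.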
@@ -1553,7 +1639,7 @@ final class CoreLibsACLLoginTest extends TestCase if (!empty($mock_settings['test_login_user_id_revalidate_after'])) { self::$db->dbExec( "UPDATE edit_user SET " - . "login_user_id_last_login = NULL, " + . "login_user_id_last_revalidate = NULL, " . "login_user_id_revalidate_after = NULL " . "WHERE LOWER(username) = " . self::$db->dbEscapeLiteral($mock_settings['test_username']) diff --git a/4dev/tests/database/CoreLibsACLLogin_database_create_data.sql b/4dev/tests/database/CoreLibsACLLogin_database_create_data.sql index 3e810cca..af0a5f67 100644 --- a/4dev/tests/database/CoreLibsACLLogin_database_create_data.sql +++ b/4dev/tests/database/CoreLibsACLLogin_database_create_data.sql @@ -270,8 +270,10 @@ BEGIN (OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id) THEN NEW.login_user_id_set_date = NOW(); + NEW.login_user_id_last_revalidate = NOW(); ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN NEW.login_user_id_set_date = NULL; + NEW.login_user_id_last_revalidate = NULL; END IF; RETURN NEW; END; 
@@ -595,13 +597,13 @@ CREATE TABLE edit_user ( password_reset_time TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested password_reset_uid VARCHAR, -- the uid to access the password reset page -- _GET login id for direct login - login_user_id VARCHAR UNIQUE, -- the login uid, at least 32 chars + login_user_id VARCHAR UNIQUE, -- the loginUserId, at least 32 chars login_user_id_set_date TIMESTAMP WITHOUT TIME ZONE, -- when above uid was set - login_user_id_last_login TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password + login_user_id_last_revalidate TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password login_user_id_valid_from TIMESTAMP WITHOUT TIME ZONE, -- if set, from when the above uid is valid login_user_id_valid_until TIMESTAMP WITHOUT TIME ZONE, -- if set, until when the above uid is valid - login_user_id_revalidate_after INTERVAL, -- user must login to revalidated login id after set days, 0 for forever - login_user_id_locked SMALLINT DEFAULT 0, -- lock for login user id, but still allow normal login + login_user_id_revalidate_after INTERVAL, -- user must login to revalidated loginUserId after set days, 0 for forever + login_user_id_locked SMALLINT DEFAULT 0, -- lock for loginUserId, but still allow normal login -- additional ACL json block additional_acl JSONB -- additional ACL as JSON string (can be set by other pages) ) INHERITS (edit_generic) WITHOUT OIDS; 
@@ -630,12 +632,12 @@ COMMENT ON COLUMN edit_user.password_change_interval IS 'After how many days the COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check'; COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid, one time, invalid after reset successful or time out'; COMMENT ON COLUMN edit_user.login_user_id IS 'Min 32 character UID to be used to login without password. Via GET/POST parameter'; -COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'login id was set at what date'; -COMMENT ON COLUMN edit_user.login_user_id_last_login IS 'set when username/password login is done'; -COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'login id is valid from this date, >='; -COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'login id is valid until this date, <='; -COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate, set to 0 for valid forver'; -COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for login id, user can still login normal'; +COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'loginUserId was set at what date'; +COMMENT ON COLUMN edit_user.login_user_id_last_revalidate IS 'set when username/password login is done and loginUserId is set'; +COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'loginUserId is valid from this date, >='; +COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'loginUserId is valid until this date, <='; +COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate the loginUserId, set to 0 for valid forver'; +COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for loginUserId, user can still login normal'; COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List 
stored in JSON format'; -- END: table/edit_user.sql -- START: table/edit_log.sql diff --git a/www/includes/edit_base.php b/www/includes/edit_base.php index 93573b8a..b9752834 100644 --- a/www/includes/edit_base.php +++ b/www/includes/edit_base.php @@ -404,6 +404,7 @@ if ($form->my_page_name == 'edit_order') { $elements[] = $form->formCreateElement('password_change_interval'); $elements[] = $form->formCreateElement('login_user_id'); $elements[] = $form->formCreateElement('login_user_id_set_date'); + $elements[] = $form->formCreateElement('login_user_id_last_revalidate'); $elements[] = $form->formCreateElement('login_user_id_locked'); $elements[] = $form->formCreateElement('login_user_id_revalidate_after'); $elements[] = $form->formCreateElement('login_user_id_valid_from'); diff --git a/www/includes/table_arrays/array_edit_users.php b/www/includes/table_arrays/array_edit_users.php index 21b91607..cbe73790 100644 --- a/www/includes/table_arrays/array_edit_users.php +++ b/www/includes/table_arrays/array_edit_users.php @@ -159,6 +159,12 @@ $edit_users = [ 'type' => 'view', 'empty' => '-' ], + 'login_user_id_last_revalidate' => [ + 'output_name' => 'loginUserId last revalidate date', + 'value' => $GLOBALS['login_user_id_last_revalidate'] ?? '', + 'type' => 'view', + 'empty' => '-' + ], 'login_user_id_locked' => [ 'value' => $GLOBALS['login_user_id_locked'] ?? '', 'output_name' => 'loginUserId usage locked', diff --git a/www/lib/CoreLibs/ACL/Login.php b/www/lib/CoreLibs/ACL/Login.php index be69e722..c1b8fbdc 100644 --- a/www/lib/CoreLibs/ACL/Login.php +++ b/www/lib/CoreLibs/ACL/Login.php 
@@ -552,7 +552,7 @@ class Login // check if user must login . "CASE WHEN eu.login_user_id_revalidate_after IS NOT NULL " . "AND eu.login_user_id_revalidate_after > '0 days'::INTERVAL " - . "AND (eu.login_user_id_last_login + eu.login_user_id_revalidate_after)::DATE " + . "AND (eu.login_user_id_last_revalidate + eu.login_user_id_revalidate_after)::DATE " . "<= NOW()::DATE " . "THEN 1::INT ELSE 0::INT END AS login_user_id_revalidate, " . "eu.login_user_id_locked, " @@ -660,7 +660,7 @@ class Login !empty($this->username) && !empty($this->password) ) { $q = "UPDATE edit_user SET " - . "login_user_id_last_login = NOW() " + . "login_user_id_last_revalidate = NOW() " . "WHERE edit_user_id = " . $this->euid; $this->db->dbExec($q); } @@ -1902,7 +1902,7 @@ EOM; // check if user must login . "CASE WHEN eu.login_user_id_revalidate_after IS NOT NULL " . "AND eu.login_user_id_revalidate_after > '0 days'::INTERVAL " - . "AND eu.login_user_id_last_login + eu.login_user_id_revalidate_after <= NOW()::DATE " + . "AND eu.login_user_id_last_revalidate + eu.login_user_id_revalidate_after <= NOW()::DATE " . "THEN 1::INT ELSE 0::INT END AS login_user_id_revalidate, " . "eu.login_user_id_locked " //
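Review bot: A NULL `login_user_id_last_revalidate` makes the whole `CASE` condition unknown, so `login_user_id_revalidate` comes out 0 and a user with a revalidate interval is never asked to revalidate — the check fails open for any row where `login_user_id` is set but the timestamp was never written, which the 20220617 migration allows since it adds the column without a backfill and the trigger only stamps it when `login_user_id` changes. Treating NULL as stale closes that: `. "AND (eu.login_user_id_last_revalidate IS NULL OR (eu.login_user_id_last_revalidate + eu.login_user_id_revalidate_after)::DATE <= NOW()::DATE) "`. The same predicate in the hunk at line 1902 drops the `::DATE` cast on the left-hand sum, so it compares a full timestamp against midnight of today and can disagree with this one by up to a day for the same row; both places should use the identical expression, ideally one shared SQL fragment. The enclosing query strings begin and end outside the hunks.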
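Review bot: `$this->euid` is concatenated straight into the `WHERE edit_user_id = ` clause of the renamed UPDATE; that is safe only if it is the integer primary key read back from the edit_user row, which the hunk does not show. Escaping it the way the test fixtures do with `dbEscapeLiteral`, or simply `. "WHERE edit_user_id = " . (int)$this->euid;`, keeps the statement closed regardless of where the value comes from. The enclosing `if` starts outside the hunk.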