CoreLibs/development
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Backport Login changes

Browse Source 
Password change backport
This commit is contained in:
Clemens Schwaighofer
2018-05-09 15:11:06 +09:00
parent 9842c979b6
commit dbabd89491
1 changed files with 62 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
www/libs/Class.Login.inc
View File

@@ -70,8 +70,17 @@ class login extends db_io
private $logout; // logout button
private $login_error; // login error code, can be matched to the array login_error_msg, which holds the string
private $password_change = false; // if this is set to true, the user can change passwords
private $password_change_ok = false; // password change was successful
private $pw_change_deny_users = array (); // array of users for which the password change is forbidden
// if we have password change we need to define some rules
private $password_min_length = 8;
// can have several regexes, if nothing set, all is ok
private $password_valid_chars = array (
// '^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]{8,}$',
// '^(?.*(\pL)u)(?=.*(\pN)u)(?=.*([^\pL\pN])u).{8,}',
);
// all possible login error conditions
private $login_error_msg = array ();
// this is an array holding all strings & templates passed from the outside (translation)
@@ -658,6 +667,28 @@ class login extends db_io
}
}
// METHOD: loginPasswordChangeValidPassword
// PARAMS: the new password
// RETURN: true or false
// DESC : checks if the password is in a valid format
private function loginPasswordChangeValidPassword($password)
{
$is_valid_password = true;
// check for valid in regex arrays in list
if (is_array($this->password_valid_chars)) {
foreach ($this->password_valid_chars as $password_valid_chars) {
if (!preg_match("/$password_valid_chars/", $password)) {
$is_valid_password = false;
}
}
}
// check for min length
if (strlen($password) < $this->password_min_length) {
$is_valid_password = false;
}
return $is_valid_password;
}
// METHOD: login_password_change
// PARAMS: none
// RETURN: none
@@ -706,12 +737,20 @@ class login extends db_io
$data = 'The new passwords do not match';
}
}
// password shall match to something in minimum length or form
if (!$this->login_error) {
if (!$this->loingPasswordChangeValidPassword($this->pw_new_password)) {
$this->login_error = 205;
$data = 'The new password string is not valid';
}
}
// no error change this users password
if (!$this->login_error) {
// update the user (edit_user_id) with the new password
$q = "UPDATE edit_user SET password = '".$this->db_escape_string($this->passwordSet($this->pw_new_password))."' WHERE edit_user_id = ".$edit_user_id;
$this->db_exec($q);
$data = 'Password change for user "'.$this->pw_username.'"';
$this->password_change_ok = true;
}
} else {
// illegal user error
@@ -719,7 +758,7 @@ class login extends db_io
$data = 'Illegal user for password change: '.$this->pw_username;
}
// log this password change attempt
$this->write_log($event, $data, $this->login_error, $pw_username, 'OLD PW HANGE');
$this->write_log($event, $data, $this->login_error, $pw_username);
} // button pressed
}
@@ -751,6 +790,18 @@ class login extends db_io
$html_string_password_change = str_replace("{".$string."}", $data, $html_string_password_change);
}
}
// print error messagae
if ($this->login_error) {
$html_string_password_change = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."<br>", $html_string_password_change);
} else {
$html_string_password_change = str_replace("{ERROR_MSG}", "<br>", $html_string_password_change);
}
// if pw change action, show the float again
if ($this->change_password && !$this->password_change_ok) {
$html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '<script language="JavaScript">ShowHideDiv(\'pw_change_div\');</script>', $html_string_password_change);
} else {
$html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '', $html_string_password_change);
}
$this->login_template['strings']['PASSWORD_CHANGE_DIV'] = $html_string_password_change;
}
@@ -764,6 +815,8 @@ class login extends db_io
// print error messagae
if ($this->login_error) {
$html_string = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."<br>", $html_string);
} elseif ($this->password_change_ok && $this->password_change) {
$html_string = str_replace('{ERROR_MSG}', $this->login_error_msg[300].'<br>', $html_string);
} else {
$html_string = str_replace("{ERROR_MSG}", "<br>", $html_string);
}
@@ -802,7 +855,7 @@ class login extends db_io
$q = "SELECT username, password FROM edit_user WHERE edit_user_id = ".$this->euid;
list($username, $password) = $this->db_return_row($q);
} // if euid is set, get username (or try)
$this->write_log($event, '', $this->login_error, $username, $password);
$this->write_log($event, '', $this->login_error, $username);
} // write log under certain settings
// now close DB connection
// $this->error_msg = $this->_login();
@@ -845,6 +898,8 @@ class login extends db_io
"202" => $this->l->__("Fatal Error: <b>Password change - The old password is not correct</b>"),
"203" => $this->l->__("Fatal Error: <b>Password change - Please fill out both new password fields</b>"),
"204" => $this->l->__("Fatal Error: <b>Password change - The new passwords do not match</b>"),
"205" => $this->l->__("Fatal Error: <b>Password change - The new password is not in a valid format</b>"), // we should also not here WHAT is valid
"300" => $this->l->__("Success: <b>Password change successful</b>"), // for OK password change
"9999" => $this->l->__("Fatal Error: <b>necessary crypt engine could not be found</b>. Login is impossible") // this is bad bad error
);
@@ -871,6 +926,7 @@ class login extends db_io
<tr><td></td><td><input type="submit" name="change_password" value="{PASSWORD_CHANGE_BUTTON_VALUE}"><input type="button" name="pw_change" value="{CLOSE}" OnClick="ShowHideDiv('pw_change_div');"></td></tr>
</table>
</div>
{PASSWORD_CHANGE_SHOW}
EOM;
} else {
$strings = array_merge($strings, array (
@@ -967,12 +1023,14 @@ EOM;
// error -> if error, write error string (not enougth data, etc)
// RETURN: none
// DESC : writes detailed data into the edit user log table (keep log what user does)
private function write_log($event, $data, $error = "", $username = "", $password = "")
private function write_log($event, $data, $error = '', $username = '')
{
if ($this->login) {
$this->action = 'Login';
} elseif ($this->logout) {
$this->action = 'Logout';
} else {
$this->action = '';
}
$_data_binary = array (
'_SESSION' => $_SESSION,
@@ -987,7 +1045,7 @@ EOM;
$q .= "(username, password, euid, event_date, event, error, data, data_binary, page, ";
$q .= "ip, user_agent, referer, script_name, query_string, server_name, http_host, http_accept, http_accept_charset, http_accept_encoding, session_id, ";
$q .= "action, action_id, action_yes, action_flag, action_menu, action_loaded, action_value, action_error) ";
$q .= "VALUES ('".$this->db_escape_string($username)."', '".$this->db_escape_string($password)."', ".(($this->euid) ? $this->euid : 'NULL').", ";
$q .= "VALUES ('".$this->db_escape_string($username)."', 'PASSWORD', ".(($this->euid) ? $this->euid : 'NULL').", ";
$q .= "NOW(), '".$this->db_escape_string($event)."', '".$this->db_escape_string($error)."', '".$this->db_escape_string($data)."', '".$data_binary."', '".$this->page_name."', ";
foreach (array('REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'SCRIPT_FILENAME', 'QUERY_STRING', 'SERVER_NAME', 'HTTP_HOST', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING') as $server_code) {
if (array_key_exists($server_code, $_SERVER)) {