From dbabd8949168d054573ae75b18ec78199335a79e Mon Sep 17 00:00:00 2001 From: Clemens Schwaighofer Date: Wed, 9 May 2018 15:11:06 +0900 Subject: [PATCH] Backport Login changes Password change backport --- www/libs/Class.Login.inc | 66 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/www/libs/Class.Login.inc b/www/libs/Class.Login.inc index 75a3cf39..e4d5d4ee 100644 --- a/www/libs/Class.Login.inc +++ b/www/libs/Class.Login.inc @@ -70,8 +70,17 @@ class login extends db_io private $logout; // logout button private $login_error; // login error code, can be matched to the array login_error_msg, which holds the string private $password_change = false; // if this is set to true, the user can change passwords + private $password_change_ok = false; // password change was successful private $pw_change_deny_users = array (); // array of users for which the password change is forbidden + // if we have password change we need to define some rules + private $password_min_length = 8; + // can have several regexes, if nothing set, all is ok + private $password_valid_chars = array ( + // '^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]{8,}$', + // '^(?.*(\pL)u)(?=.*(\pN)u)(?=.*([^\pL\pN])u).{8,}', + ); + // all possible login error conditions private $login_error_msg = array (); // this is an array holding all strings & templates passed from the outside (translation) 
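Review bot: The second commented-out example in `$password_valid_chars`, `'^(?.*(\pL)u)(?=.*(\pN)u)(?=.*([^\pL\pN])u).{8,}'`, is not valid PCRE — `(?.` is not a group syntax and `u` is a pattern modifier, not something that can sit inside a group — so whoever uncomments it to switch the rules on will get a preg_match() compile warning and every new password rejected. Because the array ships empty, the only rule this commit actually enforces is the 8-character minimum, which the comment "if nothing set, all is ok" states only indirectly. A working form of the intended rule is `'^(?=.*\pL)(?=.*\pN)(?=.*[^\pL\pN]).{8,}$'`, with a note that Unicode semantics need the `u` flag, which has to be supplied where the pattern is compiled rather than inside it. These properties belong to class `login`, whose header and remaining body lie outside the hunk.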
@@ -658,6 +667,28 @@ class login extends db_io } } + // METHOD: loginPasswordChangeValidPassword + // PARAMS: the new password + // RETURN: true or false + // DESC : checks if the password is in a valid format + private function loginPasswordChangeValidPassword($password) + { + $is_valid_password = true; + // check for valid in regex arrays in list + if (is_array($this->password_valid_chars)) { + foreach ($this->password_valid_chars as $password_valid_chars) { + if (!preg_match("/$password_valid_chars/", $password)) { + $is_valid_password = false; + } + } + } + // check for min length + if (strlen($password) < $this->password_min_length) { + $is_valid_password = false; + } + return $is_valid_password; + } + // METHOD: login_password_change // PARAMS: none // RETURN: none @@ -706,12 +737,20 @@ class login extends db_io $data = 'The new passwords do not match'; } } + // password shall match to something in minimum length or form + if (!$this->login_error) { + if (!$this->loingPasswordChangeValidPassword($this->pw_new_password)) { + $this->login_error = 205; + $data = 'The new password string is not valid'; + } + } // no error change this users password if (!$this->login_error) { // update the user (edit_user_id) with the new password $q = "UPDATE edit_user SET password = '".$this->db_escape_string($this->passwordSet($this->pw_new_password))."' WHERE edit_user_id = ".$edit_user_id; $this->db_exec($q); $data = 'Password change for user "'.$this->pw_username.'"'; + $this->password_change_ok = true; } } else { // illegal user error @@ -719,7 +758,7 @@ class login extends db_io $data = 'Illegal user for password change: '.$this->pw_username; } // log this password change attempt - $this->write_log($event, $data, $this->login_error, $pw_username, 'OLD PW HANGE'); + $this->write_log($event, $data, $this->login_error, $pw_username); } // button pressed } 
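Review bot: `loginPasswordChangeValidPassword` checks the minimum length with `strlen()`, which counts bytes, so a six-letter Cyrillic password (12 bytes in UTF-8) satisfies `$password_min_length = 8` with only six characters; use `mb_strlen($password, 'UTF-8')` if the mbstring extension is available in this deployment. The patterns are also wrapped as `"/$password_valid_chars/"` with no modifiers, so an entry containing `/` breaks the expression and there is no way to attach the `u` flag; on a compile error `preg_match()` returns `false`, which the `!` test silently treats as "invalid password" — fail-closed, but indistinguishable from a genuine mismatch. Storing complete delimited patterns (`'/…/u'`) in the array and testing `if (preg_match($password_valid_chars, $password) !== 1) {` would address both.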
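Review bot: The new validation call is spelled `$this->loingPasswordChangeValidPassword(...)` while the method added just above is `loginPasswordChangeValidPassword`; PHP raises a fatal "Call to undefined method" here, so every password-change request that passes the old-password and match checks dies before the UPDATE runs and before `write_log()` records the attempt. The fix is the single line `if (!$this->loginPasswordChangeValidPassword($this->pw_new_password)) {`. The UPDATE that follows concatenates `$edit_user_id` into the SQL unescaped; that is fine only if it comes from the user lookup earlier in the method, which is outside this hunk. `login_password_change` starts before the hunk.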
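Review bot: The rewritten `write_log()` call passes the local `$pw_username`, whereas the data string built a few lines earlier uses `$this->pw_username`; unless a local `$pw_username` is assigned earlier in the method (outside this hunk), the audit row for a password-change attempt gets an empty username plus an undefined-variable notice. Passing the property keeps the log consistent with the message: `$this->write_log($event, $data, $this->login_error, $this->pw_username);`. Dropping the `'OLD PW HANGE'` argument from the old password slot is the right direction. The method's beginning is outside the hunk.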
@@ -751,6 +790,18 @@ class login extends db_io $html_string_password_change = str_replace("{".$string."}", $data, $html_string_password_change); } } + // print error messagae + if ($this->login_error) { + $html_string_password_change = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."
", $html_string_password_change); + } else { + $html_string_password_change = str_replace("{ERROR_MSG}", "
", $html_string_password_change); + } + // if pw change action, show the float again + if ($this->change_password && !$this->password_change_ok) { + $html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '', $html_string_password_change); + } else { + $html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '', $html_string_password_change); + } $this->login_template['strings']['PASSWORD_CHANGE_DIV'] = $html_string_password_change; } @@ -764,6 +815,8 @@ class login extends db_io // print error messagae if ($this->login_error) { $html_string = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."
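Review bot: The condition `if ($this->change_password && !$this->password_change_ok)` reads `$this->change_password`, but the property declared for this feature is `$this->password_change` (the new `password_change_ok` flag follows that naming); unless a `change_password` property exists elsewhere in the class, the test is always null and the show-again branch never runs. As extracted here both branches substitute `''` for `{PASSWORD_CHANGE_SHOW}`, so the branch has no observable effect anyway — if the two replacements really are identical, collapse them into one `str_replace`; if markup was lost in extraction, at least fix the name: `if ($this->password_change && !$this->password_change_ok) {`. `$this->login_error_msg[$this->login_error]` is also indexed without an `isset()` guard, so an error code missing from the map yields a notice and an empty message. The enclosing method starts before this hunk.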
", $html_string); + } elseif ($this->password_change_ok && $this->password_change) { + $html_string = str_replace('{ERROR_MSG}', $this->login_error_msg[300].'
', $html_string); } else { $html_string = str_replace("{ERROR_MSG}", "
", $html_string); } @@ -802,7 +855,7 @@ class login extends db_io $q = "SELECT username, password FROM edit_user WHERE edit_user_id = ".$this->euid; list($username, $password) = $this->db_return_row($q); } // if euid is set, get username (or try) - $this->write_log($event, '', $this->login_error, $username, $password); + $this->write_log($event, '', $this->login_error, $username); } // write log under certain settings // now close DB connection // $this->error_msg = $this->_login(); @@ -845,6 +898,8 @@ class login extends db_io "202" => $this->l->__("Fatal Error: Password change - The old password is not correct"), "203" => $this->l->__("Fatal Error: Password change - Please fill out both new password fields"), "204" => $this->l->__("Fatal Error: Password change - The new passwords do not match"), + "205" => $this->l->__("Fatal Error: Password change - The new password is not in a valid format"), // we should also not here WHAT is valid + "300" => $this->l->__("Success: Password change successful"), // for OK password change "9999" => $this->l->__("Fatal Error: necessary crypt engine could not be found. Login is impossible") // this is bad bad error ); @@ -871,6 +926,7 @@ class login extends db_io +{PASSWORD_CHANGE_SHOW} EOM; } else { $strings = array_merge($strings, array ( @@ -967,12 +1023,14 @@ EOM; // error -> if error, write error string (not enougth data, etc) // RETURN: none // DESC : writes detailed data into the edit user log table (keep log what user does) - private function write_log($event, $data, $error = "", $username = "", $password = "") + private function write_log($event, $data, $error = '', $username = '') { if ($this->login) { $this->action = 'Login'; } elseif ($this->logout) { $this->action = 'Logout'; + } else { + $this->action = ''; } $_data_binary = array ( '_SESSION' => $_SESSION, 
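Review bot: `write_log()` no longer receives `$password`, but the lookup two lines above still runs `SELECT username, password FROM edit_user …` and `list($username, $password)`, so the password hash is still pulled out of the database for no purpose; narrow it to `$q = "SELECT username FROM edit_user WHERE edit_user_id = ".$this->euid;` and `list($username) = $this->db_return_row($q);`. `$this->euid` is concatenated into that query unescaped; that is pre-existing and acceptable only if euid is always an integer taken from the session, which this hunk does not show. The enclosing method continues outside the hunk.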
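Review bot: Error 205 tells the user only that the password "is not in a valid format", and the trailing comment on that line concedes that the rules are not stated; since `$password_min_length` is a property, the message can at least carry the length, e.g. `"205" => sprintf($this->l->__("Fatal Error: Password change - The new password must be at least %d characters long"), $this->password_min_length),` — provided this array is built after the property is initialised, which its construction site (outside the hunk) would show. If the regex rules are ever enabled, each pattern needs a human-readable description to go with it. The surrounding array starts before this hunk.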
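Review bot: Removing the `$password` parameter stops the credential reaching the log, but the `$_data_binary` array built right after the new `else` branch still serialises the whole `$_SESSION` (`'_SESSION' => $_SESSION,`) into every log row; anything sensitive the session holds (tokens, privilege flags) is then persisted with each event. Consider logging only the session keys the audit needs, or redacting known-sensitive keys before the array is built — what the session actually contains is not visible here. The new `} else { $this->action = ''; }` default is a good fix for the stale-`action` case. `write_log` continues past the end of the hunk.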
@@ -987,7 +1045,7 @@ EOM;
 $q .= "(username, password, euid, event_date, event, error, data, data_binary, page, ";
 $q .= "ip, user_agent, referer, script_name, query_string, server_name, http_host, http_accept, http_accept_charset, http_accept_encoding, session_id, ";
 $q .= "action, action_id, action_yes, action_flag, action_menu, action_loaded, action_value, action_error) ";
- $q .= "VALUES ('".$this->db_escape_string($username)."', '".$this->db_escape_string($password)."', ".(($this->euid) ? $this->euid : 'NULL').", ";
+ $q .= "VALUES ('".$this->db_escape_string($username)."', 'PASSWORD', ".(($this->euid) ? $this->euid : 'NULL').", ";
 $q .= "NOW(), '".$this->db_escape_string($event)."', '".$this->db_escape_string($error)."', '".$this->db_escape_string($data)."', '".$data_binary."', '".$this->page_name."', ";
 foreach (array('REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'SCRIPT_FILENAME', 'QUERY_STRING', 'SERVER_NAME', 'HTTP_HOST', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING') as $server_code) {
 if (array_key_exists($server_code, $_SERVER)) {
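Review bot: The INSERT now writes the literal string `'PASSWORD'` into the log table's `password` column in place of the credential, which keeps a column whose only purpose was to hold passwords and fills it with a marker that reads like data. If the column cannot be dropped yet, write `NULL` in that VALUES slot so the schema makes it obvious nothing is stored there, and plan a migration that removes the column altogether. On the same statement, `$data_binary`, `$this->page_name` and `$this->euid` are still concatenated without `db_escape_string()` (context lines); that is safe only if none of them is ever request-derived, which this hunk does not show. `write_log` continues past the end of the hunk.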