Backport Login changes

Password change backport

www/libs/Class.Login.inc

@@ -70,8 +70,17 @@ class login extends db_io
 	private $logout; // logout button
 	private $login_error; // login error code, can be matched to the array login_error_msg, which holds the string
 	private $password_change = false; // if this is set to true, the user can change passwords
+	private $password_change_ok = false; // password change was successful
 	private $pw_change_deny_users = array (); // array of users for which the password change is forbidden
 
+	// if we have password change we need to define some rules
+	private $password_min_length = 8;
+	// can have several regexes, if nothing set, all is ok
+	private $password_valid_chars = array (
+		// '^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]{8,}$',
+		// '^(?.*(\pL)u)(?=.*(\pN)u)(?=.*([^\pL\pN])u).{8,}',
+	);
+
 	// all possible login error conditions
 	private $login_error_msg = array ();
 	// this is an array holding all strings & templates passed from the outside (translation)
@@ -658,6 +667,28 @@ class login extends db_io
 		}
 	}
 
+	// METHOD: loginPasswordChangeValidPassword
+	// PARAMS: the new password
+	// RETURN: true or false
+	// DESC  : checks if the password is in a valid format
+	private function loginPasswordChangeValidPassword($password)
+	{
+		$is_valid_password = true;
+		// check for valid in regex arrays in list
+		if (is_array($this->password_valid_chars)) {
+			foreach ($this->password_valid_chars as $password_valid_chars) {
+				if (!preg_match("/$password_valid_chars/", $password)) {
+					$is_valid_password = false;
+				}
+			}
+		}
+		// check for min length
+		if (strlen($password) < $this->password_min_length) {
+			$is_valid_password = false;
+		}
+		return $is_valid_password;
+	}
+
 	// METHOD: login_password_change
 	// PARAMS: none
 	// RETURN: none
@@ -706,12 +737,20 @@ class login extends db_io
 						$data = 'The new passwords do not match';
 					}
 				}
+				// password shall match to something in minimum length or form
+				if (!$this->login_error) {
+					if (!$this->loingPasswordChangeValidPassword($this->pw_new_password)) {
+						$this->login_error = 205;
+						$data = 'The new password string is not valid';
+					}
+				}
 				// no error change this users password
 				if (!$this->login_error) {
 					// update the user (edit_user_id) with the new password
 					$q = "UPDATE edit_user SET password = '".$this->db_escape_string($this->passwordSet($this->pw_new_password))."' WHERE edit_user_id = ".$edit_user_id;
 					$this->db_exec($q);
 					$data = 'Password change for user "'.$this->pw_username.'"';
+					$this->password_change_ok = true;
 				}
 			} else {
 				// illegal user error
@@ -719,7 +758,7 @@ class login extends db_io
 				$data = 'Illegal user for password change: '.$this->pw_username;
 			}
 			// log this password change attempt
-			$this->write_log($event, $data, $this->login_error, $pw_username, 'OLD PW HANGE');
+			$this->write_log($event, $data, $this->login_error, $pw_username);
 		} // button pressed
 	}
 
@@ -751,6 +790,18 @@ class login extends db_io
 						$html_string_password_change = str_replace("{".$string."}", $data, $html_string_password_change);
 					}
 				}
+				// print error messagae
+				if ($this->login_error) {
+					$html_string_password_change = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."<br>", $html_string_password_change);
+				} else {
+					$html_string_password_change = str_replace("{ERROR_MSG}", "<br>", $html_string_password_change);
+				}
+				// if pw change action, show the float again
+				if ($this->change_password && !$this->password_change_ok) {
+					$html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '<script language="JavaScript">ShowHideDiv(\'pw_change_div\');</script>', $html_string_password_change);
+				} else {
+					$html_string_password_change = str_replace('{PASSWORD_CHANGE_SHOW}', '', $html_string_password_change);
+				}
 				$this->login_template['strings']['PASSWORD_CHANGE_DIV'] = $html_string_password_change;
 			}
 
@@ -764,6 +815,8 @@ class login extends db_io
 			// print error messagae
 			if ($this->login_error) {
 				$html_string = str_replace("{ERROR_MSG}", $this->login_error_msg[$this->login_error]."<br>", $html_string);
+			} elseif ($this->password_change_ok && $this->password_change) {
+				$html_string = str_replace('{ERROR_MSG}', $this->login_error_msg[300].'<br>', $html_string);
 			} else {
 				$html_string = str_replace("{ERROR_MSG}", "<br>", $html_string);
 			}
@@ -802,7 +855,7 @@ class login extends db_io
 				$q = "SELECT username, password FROM edit_user WHERE edit_user_id = ".$this->euid;
 				list($username, $password) = $this->db_return_row($q);
 			} // if euid is set, get username (or try)
-			$this->write_log($event, '', $this->login_error, $username, $password);
+			$this->write_log($event, '', $this->login_error, $username);
 		} // write log under certain settings
 		// now close DB connection
 //			$this->error_msg = $this->_login();
@@ -845,6 +898,8 @@ class login extends db_io
 			"202" => $this->l->__("Fatal Error: <b>Password change - The old password is not correct</b>"),
 			"203" => $this->l->__("Fatal Error: <b>Password change - Please fill out both new password fields</b>"),
 			"204" => $this->l->__("Fatal Error: <b>Password change - The new passwords do not match</b>"),
+			"205" => $this->l->__("Fatal Error: <b>Password change - The new password is not in a valid format</b>"), // we should also not here WHAT is valid
+			"300" => $this->l->__("Success: <b>Password change successful</b>"), // for OK password change
 			"9999" => $this->l->__("Fatal Error: <b>necessary crypt engine could not be found</b>. Login is impossible") // this is bad bad error
 		);
 
@@ -871,6 +926,7 @@ class login extends db_io
 <tr><td></td><td><input type="submit" name="change_password" value="{PASSWORD_CHANGE_BUTTON_VALUE}"><input type="button" name="pw_change" value="{CLOSE}" OnClick="ShowHideDiv('pw_change_div');"></td></tr>
 </table>
 </div>
+{PASSWORD_CHANGE_SHOW}
 EOM;
 		} else {
 			$strings = array_merge($strings, array (
@@ -967,12 +1023,14 @@ EOM;
 	//        error -> if error, write error string (not enougth data, etc)
 	// RETURN: none
 	// DESC  : writes detailed data into the edit user log table (keep log what user does)
-	private function write_log($event, $data, $error = "", $username = "", $password = "")
+	private function write_log($event, $data, $error = '', $username = '')
 	{
 		if ($this->login) {
 				$this->action = 'Login';
 		} elseif ($this->logout) {
 				$this->action = 'Logout';
+		} else {
+			$this->action = '';
 		}
 		$_data_binary = array (
 				'_SESSION' => $_SESSION,
@@ -987,7 +1045,7 @@ EOM;
 		$q .= "(username, password, euid, event_date, event, error, data, data_binary, page, ";
 		$q .= "ip, user_agent, referer, script_name, query_string, server_name, http_host, http_accept, http_accept_charset, http_accept_encoding, session_id, ";
 		$q .= "action, action_id, action_yes, action_flag, action_menu, action_loaded, action_value, action_error) ";
-		$q .= "VALUES ('".$this->db_escape_string($username)."', '".$this->db_escape_string($password)."', ".(($this->euid) ? $this->euid : 'NULL').", ";
+		$q .= "VALUES ('".$this->db_escape_string($username)."', 'PASSWORD', ".(($this->euid) ? $this->euid : 'NULL').", ";
 		$q .= "NOW(), '".$this->db_escape_string($event)."', '".$this->db_escape_string($error)."', '".$this->db_escape_string($data)."', '".$data_binary."', '".$this->page_name."', ";
 		foreach (array('REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'SCRIPT_FILENAME', 'QUERY_STRING', 'SERVER_NAME', 'HTTP_HOST', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING') as $server_code) {
 			if (array_key_exists($server_code, $_SERVER)) {