Login\ACL revalidate flow fixes

- DB function had wrong column name
- Queries in ACL\Login had wrong column name
- Renamed from login_user_id_last_login to login_user_id_last_revalidate
  to make it more clear what this column is
- add edit_user admin page output for this column
- add phpUnit test case for revalidate is needed and login with next
  loginUserId is ok again

4dev/database/ORDER

@@ -5,6 +5,7 @@ function/set_edit_generic.sql
 function/edit_access_set_uid.sql
 function/edit_group_set_uid.sql
 function/edit_log_partition_insert.sql
+function/edit_user_set_login_user_id_set_date.sql
 # generic tables
 table/edit_temp_files.sql
 table/edit_generic.sql

4dev/database/database_create_data.sql

@@ -2,7 +2,8 @@
 -- create random string with length X
 
 CREATE FUNCTION random_string(randomLength int)
-RETURNS text AS $$
+RETURNS text AS
+$$
 SELECT array_to_string(
 	ARRAY(
 		SELECT substring(
@@ -14,53 +15,58 @@ SELECT array_to_string(
 	),
 	''
 )
-$$ LANGUAGE SQL
+$$
+LANGUAGE SQL
 RETURNS NULL ON NULL INPUT
-VOLATILE; -- LEAKPROOF;-- END: function/random_string.sql
+VOLATILE; -- LEAKPROOF;
+-- END: function/random_string.sql
 -- START: function/set_edit_generic.sql
 -- adds the created or updated date tags
 
-CREATE OR REPLACE FUNCTION set_edit_generic() RETURNS TRIGGER AS '
+CREATE OR REPLACE FUNCTION set_edit_generic()
-	DECLARE
+RETURNS TRIGGER AS
-		random_length INT = 12; -- that should be long enough
+$$
-	BEGIN
+DECLARE
-		IF TG_OP = ''INSERT'' THEN
+	random_length INT = 12; -- that should be long enough
-			NEW.date_created := ''now'';
+BEGIN
-			NEW.cuid := random_string(random_length);
+	IF TG_OP = 'INSERT' THEN
-		ELSIF TG_OP = ''UPDATE'' THEN
+		NEW.date_created := 'now';
-			NEW.date_updated := ''now'';
+		NEW.cuid := random_string(random_length);
-		END IF;
+	ELSIF TG_OP = 'UPDATE' THEN
-		RETURN NEW;
+		NEW.date_updated := 'now';
-	END;
+	END IF;
-' LANGUAGE 'plpgsql';
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';
 -- END: function/set_edit_generic.sql
 -- START: function/edit_access_set_uid.sql
 -- add uid add for edit_access table
 
 CREATE OR REPLACE FUNCTION set_edit_access_uid() RETURNS TRIGGER AS
 $$
-	DECLARE
+DECLARE
-		myrec RECORD;
+	myrec RECORD;
-		v_uid VARCHAR;
+	v_uid VARCHAR;
-	BEGIN
+BEGIN
-		-- skip if NEW.name is not set
+	-- skip if NEW.name is not set
-		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+	IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
-			-- use NEW.name as base, remove all spaces
+		-- use NEW.name as base, remove all spaces
-			-- name data is already unique, so we do not need to worry about this here
+		-- name data is already unique, so we do not need to worry about this here
-			v_uid := REPLACE(NEW.name, ' ', '');
+		v_uid := REPLACE(NEW.name, ' ', '');
-			IF TG_OP = 'INSERT' THEN
+		IF TG_OP = 'INSERT' THEN
-				-- always set
+			-- always set
+			NEW.uid := v_uid;
+		ELSIF TG_OP = 'UPDATE' THEN
+			-- check if not set, then set
+			SELECT INTO myrec t.* FROM edit_access t WHERE edit_access_id = NEW.edit_access_id;
+			IF FOUND THEN
 				NEW.uid := v_uid;
-			ELSIF TG_OP = 'UPDATE' THEN
-				-- check if not set, then set
-				SELECT INTO myrec t.* FROM edit_access t WHERE edit_access_id = NEW.edit_access_id;
-				IF FOUND THEN
-					NEW.uid := v_uid;
-				END IF;
 			END IF;
 		END IF;
-		RETURN NEW;
+	END IF;
-	END;
+	RETURN NEW;
+END;
 $$
 	LANGUAGE 'plpgsql';
 -- END: function/edit_access_set_uid.sql
@@ -69,28 +75,28 @@ $$
 
 CREATE OR REPLACE FUNCTION set_edit_group_uid() RETURNS TRIGGER AS
 $$
-	DECLARE
+DECLARE
-		myrec RECORD;
+	myrec RECORD;
-		v_uid VARCHAR;
+	v_uid VARCHAR;
-	BEGIN
+BEGIN
-		-- skip if NEW.name is not set
+	-- skip if NEW.name is not set
-		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+	IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
-			-- use NEW.name as base, remove all spaces
+		-- use NEW.name as base, remove all spaces
-			-- name data is already unique, so we do not need to worry about this here
+		-- name data is already unique, so we do not need to worry about this here
-			v_uid := REPLACE(NEW.name, ' ', '');
+		v_uid := REPLACE(NEW.name, ' ', '');
-			IF TG_OP = 'INSERT' THEN
+		IF TG_OP = 'INSERT' THEN
-				-- always set
+			-- always set
+			NEW.uid := v_uid;
+		ELSIF TG_OP = 'UPDATE' THEN
+			-- check if not set, then set
+			SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
+			IF FOUND THEN
 				NEW.uid := v_uid;
-			ELSIF TG_OP = 'UPDATE' THEN
-				-- check if not set, then set
-				SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
-				IF FOUND THEN
-					NEW.uid := v_uid;
-				END IF;
 			END IF;
 		END IF;
-		RETURN NEW;
+	END IF;
-	END;
+	RETURN NEW;
+END;
 $$
 	LANGUAGE 'plpgsql';
 -- END: function/edit_group_set_uid.sql
@@ -246,6 +252,34 @@ END
 $$
 LANGUAGE 'plpgsql';
 -- END: function/edit_log_partition_insert.sql
+-- START: function/edit_user_set_login_user_id_set_date.sql
+-- set edit user login_user_id_set_date if login_user_id is set
+-- NOW() if not empty
+
+CREATE OR REPLACE FUNCTION set_login_user_id_set_date()
+RETURNS TRIGGER AS
+$$
+BEGIN
+	-- if new is not null/empty
+	-- and old one is null or old one different new one
+	-- set NOW()
+	-- if new one is NULL
+	-- set NULL
+	IF
+		NEW.login_user_id IS NOT NULL AND NEW.login_user_id <> '' AND
+		(OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id)
+	THEN
+		NEW.login_user_id_set_date = NOW();
+		NEW.login_user_id_last_revalidate = NOW();
+	ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN
+		NEW.login_user_id_set_date = NULL;
+		NEW.login_user_id_last_revalidate = NULL;
+	END IF;
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';
+-- END: function/edit_user_set_login_user_id_set_date.sql
 -- START: table/edit_temp_files.sql
 -- AUTHOR: Clemens Schwaighofer
 -- DATE: 2005/07/08
@@ -526,34 +560,85 @@ CREATE TABLE edit_user (
 	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_access_right_id INT NOT NULL,
 	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	enabled	SMALLINT NOT NULL DEFAULT 0,
+	-- username/password
-	deleted	SMALLINT NOT NULL DEFAULT 0,
 	username	VARCHAR UNIQUE,
 	password	VARCHAR,
+	-- name block
 	first_name	VARCHAR,
 	last_name	VARCHAR,
 	first_name_furigana	VARCHAR,
 	last_name_furigana	VARCHAR,
+	-- email
+	email	VARCHAR,
+	-- eanbled/deleted flag
+	enabled	SMALLINT NOT NULL DEFAULT 0,
+	deleted	SMALLINT NOT NULL DEFAULT 0,
+	-- general flags
+	strict	SMALLINT DEFAULT 0,
+	locked	SMALLINT DEFAULT 0,
+	protected SMALLINT NOT NULL DEFAULT 0,
+	-- legacy, debug flags
 	debug	SMALLINT NOT NULL DEFAULT 0,
 	db_debug	SMALLINT NOT NULL DEFAULT 0,
-	email	VARCHAR,
+	-- is admin user
-	protected SMALLINT NOT NULL DEFAULT 0,
 	admin	SMALLINT NOT NULL DEFAULT 0,
+	-- last login log
 	last_login	TIMESTAMP WITHOUT TIME ZONE,
+	-- login error
 	login_error_count	INT DEFAULT 0,
 	login_error_date_last	TIMESTAMP WITHOUT TIME ZONE,
 	login_error_date_first	TIMESTAMP WITHOUT TIME ZONE,
-	strict	SMALLINT DEFAULT 0,
+	-- time locked
-	locked	SMALLINT DEFAULT 0,
+	lock_until	TIMESTAMP WITHOUT TIME ZONE,
+	lock_after	TIMESTAMP WITHOUT TIME ZONE,
+	-- password change
 	password_change_date	TIMESTAMP WITHOUT TIME ZONE, -- only when password is first set or changed
 	password_change_interval	INTERVAL, -- null if no change is needed, or d/m/y time interval
 	password_reset_time	TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested
 	password_reset_uid	VARCHAR, -- the uid to access the password reset page
+	-- _GET login id for direct login
+	login_user_id	VARCHAR UNIQUE, -- the loginUserId, at least 32 chars
+	login_user_id_set_date	TIMESTAMP WITHOUT TIME ZONE, -- when above uid was set
+	login_user_id_last_revalidate	TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password
+	login_user_id_valid_from	TIMESTAMP WITHOUT TIME ZONE, -- if set, from when the above uid is valid
+	login_user_id_valid_until	TIMESTAMP WITHOUT TIME ZONE, -- if set, until when the above uid is valid
+	login_user_id_revalidate_after	INTERVAL, -- user must login to revalidated loginUserId after set days, 0 for forever
+	login_user_id_locked	SMALLINT DEFAULT 0, -- lock for loginUserId, but still allow normal login
+	-- additional ACL json block
 	additional_acl	JSONB -- additional ACL as JSON string (can be set by other pages)
 ) INHERITS (edit_generic) WITHOUT OIDS;
 
+-- create unique index
+-- CREATE UNIQUE INDEX edit_user_login_user_id_key ON edit_user (login_user_id) WHERE login_user_id IS NOT NULL;
+
+COMMENT ON COLUMN edit_user.username IS 'Login username, must set';
+COMMENT ON COLUMN edit_user.password IS 'Login password, must set';
+COMMENT ON COLUMN edit_user.enabled IS 'Login is enabled (master switch)';
+COMMENT ON COLUMN edit_user.deleted IS 'Login is deleted (master switch), overrides all other';
+COMMENT ON COLUMN edit_user.strict IS 'If too many failed logins user will be locked, default off';
+COMMENT ON COLUMN edit_user.locked IS 'Locked from too many wrong password logins';
+COMMENT ON COLUMN edit_user.protected IS 'User can only be chnaged by admin user';
+COMMENT ON COLUMN edit_user.debug IS 'Turn debug flag on (legacy)';
+COMMENT ON COLUMN edit_user.db_debug IS 'Turn DB debug flag on (legacy)';
+COMMENT ON COLUMN edit_user.admin IS 'If set, this user is SUPER admin';
+COMMENT ON COLUMN edit_user.last_login IS 'Last succesfull login tiemstamp';
+COMMENT ON COLUMN edit_user.login_error_count IS 'Number of failed logins, reset on successful login';
+COMMENT ON COLUMN edit_user.login_error_date_last IS 'Last login error date';
+COMMENT ON COLUMN edit_user.login_error_date_first IS 'First login error date, reset on successfull login';
+COMMENT ON COLUMN edit_user.lock_until IS 'Account is locked until this date, <';
+COMMENT ON COLUMN edit_user.lock_after IS 'Account is locked after this date, >';
+COMMENT ON COLUMN edit_user.password_change_date IS 'Password was changed on';
+COMMENT ON COLUMN edit_user.password_change_interval IS 'After how many days the password has to be changed';
 COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check';
-COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid';
+COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid, one time, invalid after reset successful or time out';
+COMMENT ON COLUMN edit_user.login_user_id IS 'Min 32 character UID to be used to login without password. Via GET/POST parameter';
+COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'loginUserId was set at what date';
+COMMENT ON COLUMN edit_user.login_user_id_last_revalidate IS 'set when username/password login is done and loginUserId is set';
+COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'loginUserId is valid from this date, >=';
+COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'loginUserId is valid until this date, <=';
+COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate the loginUserId, set to 0 for valid forver';
+COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for loginUserId, user can still login normal';
+COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List stored in JSON format';
 -- END: table/edit_user.sql
 -- START: table/edit_log.sql
 -- AUTHOR: Clemens Schwaighofer
@@ -774,6 +859,11 @@ FOR EACH ROW EXECUTE PROCEDURE set_edit_generic();
 CREATE TRIGGER trg_edit_user
 BEFORE INSERT OR UPDATE ON edit_user
 FOR EACH ROW EXECUTE PROCEDURE set_edit_generic();
+
+-- DROP TRIGGER IF EXISTS trg_edit_user_set_login_user_id_set_date ON edit_user;
+CREATE TRIGGER trg_edit_user_set_login_user_id_set_date
+BEFORE INSERT OR UPDATE ON edit_user
+FOR EACH ROW EXECUTE PROCEDURE set_login_user_id_set_date();
 -- END: trigger/trg_edit_user.sql
 -- START: trigger/trg_edit_visible_group.sql
 -- DROP TRIGGER IF EXISTS trg_edit_visible_group ON edit_visible_group;

4dev/database/function/edit_access_set_uid.sql

@@ -2,27 +2,27 @@
 
 CREATE OR REPLACE FUNCTION set_edit_access_uid() RETURNS TRIGGER AS
 $$
-	DECLARE
+DECLARE
-		myrec RECORD;
+	myrec RECORD;
-		v_uid VARCHAR;
+	v_uid VARCHAR;
-	BEGIN
+BEGIN
-		-- skip if NEW.name is not set
+	-- skip if NEW.name is not set
-		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+	IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
-			-- use NEW.name as base, remove all spaces
+		-- use NEW.name as base, remove all spaces
-			-- name data is already unique, so we do not need to worry about this here
+		-- name data is already unique, so we do not need to worry about this here
-			v_uid := REPLACE(NEW.name, ' ', '');
+		v_uid := REPLACE(NEW.name, ' ', '');
-			IF TG_OP = 'INSERT' THEN
+		IF TG_OP = 'INSERT' THEN
-				-- always set
+			-- always set
+			NEW.uid := v_uid;
+		ELSIF TG_OP = 'UPDATE' THEN
+			-- check if not set, then set
+			SELECT INTO myrec t.* FROM edit_access t WHERE edit_access_id = NEW.edit_access_id;
+			IF FOUND THEN
 				NEW.uid := v_uid;
-			ELSIF TG_OP = 'UPDATE' THEN
-				-- check if not set, then set
-				SELECT INTO myrec t.* FROM edit_access t WHERE edit_access_id = NEW.edit_access_id;
-				IF FOUND THEN
-					NEW.uid := v_uid;
-				END IF;
 			END IF;
 		END IF;
-		RETURN NEW;
+	END IF;
-	END;
+	RETURN NEW;
+END;
 $$
 	LANGUAGE 'plpgsql';

4dev/database/function/edit_group_set_uid.sql

@@ -2,27 +2,27 @@
 
 CREATE OR REPLACE FUNCTION set_edit_group_uid() RETURNS TRIGGER AS
 $$
-	DECLARE
+DECLARE
-		myrec RECORD;
+	myrec RECORD;
-		v_uid VARCHAR;
+	v_uid VARCHAR;
-	BEGIN
+BEGIN
-		-- skip if NEW.name is not set
+	-- skip if NEW.name is not set
-		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+	IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
-			-- use NEW.name as base, remove all spaces
+		-- use NEW.name as base, remove all spaces
-			-- name data is already unique, so we do not need to worry about this here
+		-- name data is already unique, so we do not need to worry about this here
-			v_uid := REPLACE(NEW.name, ' ', '');
+		v_uid := REPLACE(NEW.name, ' ', '');
-			IF TG_OP = 'INSERT' THEN
+		IF TG_OP = 'INSERT' THEN
-				-- always set
+			-- always set
+			NEW.uid := v_uid;
+		ELSIF TG_OP = 'UPDATE' THEN
+			-- check if not set, then set
+			SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
+			IF FOUND THEN
 				NEW.uid := v_uid;
-			ELSIF TG_OP = 'UPDATE' THEN
-				-- check if not set, then set
-				SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
-				IF FOUND THEN
-					NEW.uid := v_uid;
-				END IF;
 			END IF;
 		END IF;
-		RETURN NEW;
+	END IF;
-	END;
+	RETURN NEW;
+END;
 $$
 	LANGUAGE 'plpgsql';

4dev/database/function/edit_user_set_login_user_id_set_date.sql

@@ -0,0 +1,26 @@
+-- set edit user login_user_id_set_date if login_user_id is set
+-- NOW() if not empty
+
+CREATE OR REPLACE FUNCTION set_login_user_id_set_date()
+RETURNS TRIGGER AS
+$$
+BEGIN
+	-- if new is not null/empty
+	-- and old one is null or old one different new one
+	-- set NOW()
+	-- if new one is NULL
+	-- set NULL
+	IF
+		NEW.login_user_id IS NOT NULL AND NEW.login_user_id <> '' AND
+		(OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id)
+	THEN
+		NEW.login_user_id_set_date = NOW();
+		NEW.login_user_id_last_revalidate = NOW();
+	ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN
+		NEW.login_user_id_set_date = NULL;
+		NEW.login_user_id_last_revalidate = NULL;
+	END IF;
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';

4dev/database/function/random_string.sql

@@ -1,7 +1,8 @@
 -- create random string with length X
 
 CREATE FUNCTION random_string(randomLength int)
-RETURNS text AS $$
+RETURNS text AS
+$$
 SELECT array_to_string(
 	ARRAY(
 		SELECT substring(
@@ -13,6 +14,7 @@ SELECT array_to_string(
 	),
 	''
 )
-$$ LANGUAGE SQL
+$$
+LANGUAGE SQL
 RETURNS NULL ON NULL INPUT
-VOLATILE; -- LEAKPROOF;
+VOLATILE; -- LEAKPROOF;

4dev/database/function/set_date.sql

@@ -1,12 +1,15 @@
 -- adds the created or updated date tags
 
-CREATE OR REPLACE FUNCTION set_date() RETURNS TRIGGER AS '
+CREATE OR REPLACE FUNCTION set_date()
-	BEGIN
+RETURNS TRIGGER AS
-		IF TG_OP = ''INSERT'' THEN
+$$
-			NEW.date_created := ''now'';
+BEGIN
-		ELSIF TG_OP = ''UPDATE'' THEN
+	IF TG_OP = 'INSERT' THEN
-			NEW.date_updated := ''now'';
+		NEW.date_created := 'now';
-		END IF;
+	ELSIF TG_OP = 'UPDATE' THEN
-		RETURN NEW;
+		NEW.date_updated := 'now';
-	END;
+	END IF;
-' LANGUAGE 'plpgsql';
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';

4dev/database/function/set_edit_generic.sql

@@ -1,15 +1,18 @@
 -- adds the created or updated date tags
 
-CREATE OR REPLACE FUNCTION set_edit_generic() RETURNS TRIGGER AS '
+CREATE OR REPLACE FUNCTION set_edit_generic()
-	DECLARE
+RETURNS TRIGGER AS
-		random_length INT = 12; -- that should be long enough
+$$
-	BEGIN
+DECLARE
-		IF TG_OP = ''INSERT'' THEN
+	random_length INT = 12; -- that should be long enough
-			NEW.date_created := ''now'';
+BEGIN
-			NEW.cuid := random_string(random_length);
+	IF TG_OP = 'INSERT' THEN
-		ELSIF TG_OP = ''UPDATE'' THEN
+		NEW.date_created := 'now';
-			NEW.date_updated := ''now'';
+		NEW.cuid := random_string(random_length);
-		END IF;
+	ELSIF TG_OP = 'UPDATE' THEN
-		RETURN NEW;
+		NEW.date_updated := 'now';
-	END;
+	END IF;
-' LANGUAGE 'plpgsql';
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';

4dev/database/function/set_generic_uid.sql

@@ -1,18 +1,21 @@
 -- set generic with date and uid combined
 -- don't use with set_generic/set_uid together
 
-CREATE OR REPLACE FUNCTION set_generic() RETURNS TRIGGER AS '
+CREATE OR REPLACE FUNCTION set_generic()
-	DECLARE
+RETURNS TRIGGER AS
-		random_length INT = 32; -- long for massive data
+$$
-	BEGIN
+DECLARE
-		IF TG_OP = ''INSERT'' THEN
+	random_length INT = 32; -- long for massive data
-			NEW.date_created := ''now'';
+BEGIN
-			IF NEW.uid IS NULL THEN
+	IF TG_OP = 'INSERT' THEN
-				NEW.uid := random_string(random_length);
+		NEW.date_created := 'now';
-			END IF;
+		IF NEW.uid IS NULL THEN
-		ELSIF TG_OP = ''UPDATE'' THEN
+			NEW.uid := random_string(random_length);
-			NEW.date_updated := ''now'';
 		END IF;
-		RETURN NEW;
+	ELSIF TG_OP = 'UPDATE' THEN
-	END;
+		NEW.date_updated := 'now';
-' LANGUAGE 'plpgsql';
+	END IF;
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';

4dev/database/function/set_uid.sql

@@ -1,12 +1,15 @@
 -- adds the created or updated date tags
 
-CREATE OR REPLACE FUNCTION set_uid() RETURNS TRIGGER AS '
+CREATE OR REPLACE FUNCTION set_uid()
-	DECLARE
+RETURNS TRIGGER AS
-		random_length INT = 32; -- that should be long enough
+$$
-	BEGIN
+DECLARE
-		IF TG_OP = ''INSERT'' THEN
+	random_length INT = 32; -- that should be long enough
-			NEW.uid := random_string(random_length);
+BEGIN
-		END IF;
+	IF TG_OP = 'INSERT' THEN
-		RETURN NEW;
+		NEW.uid := random_string(random_length);
-	END;
+	END IF;
-' LANGUAGE 'plpgsql';
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';

4dev/database/function/update_function.sql

@@ -2,15 +2,18 @@
 
 -- OLD, DEPRECATED, use set_generic.sql
 
--- CREATE OR REPLACE FUNCTION set_generic() RETURNS TRIGGER AS '
+-- CREATE OR REPLACE FUNCTION set_generic()
--- 	BEGIN
+-- RETURNS TRIGGER AS
--- 		IF TG_OP = ''INSERT'' THEN
+-- $$
--- 			NEW.date_created := clock_timestamp();
+-- BEGIN
--- 			NEW.user_created := current_user;
+-- 	IF TG_OP = 'INSERT' THEN
--- 		ELSIF TG_OP = ''UPDATE'' THEN
+-- 		NEW.date_created := clock_timestamp();
--- 			NEW.date_updated := clock_timestamp();
+-- 		NEW.user_created := current_user;
--- 			NEW.user_updated := current_user;
+-- 	ELSIF TG_OP = 'UPDATE' THEN
--- 		END IF;
+-- 		NEW.date_updated := clock_timestamp();
--- 		RETURN NEW;
+-- 		NEW.user_updated := current_user;
--- 	END;
+-- 	END IF;
--- ' LANGUAGE 'plpgsql';
+-- 	RETURN NEW;
+-- END;
+-- $$
+-- LANGUAGE 'plpgsql';

4dev/database/table/edit_user.sql

@@ -18,31 +18,82 @@ CREATE TABLE edit_user (
 	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_access_right_id INT NOT NULL,
 	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	enabled	SMALLINT NOT NULL DEFAULT 0,
+	-- username/password
-	deleted	SMALLINT NOT NULL DEFAULT 0,
 	username	VARCHAR UNIQUE,
 	password	VARCHAR,
+	-- name block
 	first_name	VARCHAR,
 	last_name	VARCHAR,
 	first_name_furigana	VARCHAR,
 	last_name_furigana	VARCHAR,
+	-- email
+	email	VARCHAR,
+	-- eanbled/deleted flag
+	enabled	SMALLINT NOT NULL DEFAULT 0,
+	deleted	SMALLINT NOT NULL DEFAULT 0,
+	-- general flags
+	strict	SMALLINT DEFAULT 0,
+	locked	SMALLINT DEFAULT 0,
+	protected SMALLINT NOT NULL DEFAULT 0,
+	-- legacy, debug flags
 	debug	SMALLINT NOT NULL DEFAULT 0,
 	db_debug	SMALLINT NOT NULL DEFAULT 0,
-	email	VARCHAR,
+	-- is admin user
-	protected SMALLINT NOT NULL DEFAULT 0,
 	admin	SMALLINT NOT NULL DEFAULT 0,
+	-- last login log
 	last_login	TIMESTAMP WITHOUT TIME ZONE,
+	-- login error
 	login_error_count	INT DEFAULT 0,
 	login_error_date_last	TIMESTAMP WITHOUT TIME ZONE,
 	login_error_date_first	TIMESTAMP WITHOUT TIME ZONE,
-	strict	SMALLINT DEFAULT 0,
+	-- time locked
-	locked	SMALLINT DEFAULT 0,
+	lock_until	TIMESTAMP WITHOUT TIME ZONE,
+	lock_after	TIMESTAMP WITHOUT TIME ZONE,
+	-- password change
 	password_change_date	TIMESTAMP WITHOUT TIME ZONE, -- only when password is first set or changed
 	password_change_interval	INTERVAL, -- null if no change is needed, or d/m/y time interval
 	password_reset_time	TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested
 	password_reset_uid	VARCHAR, -- the uid to access the password reset page
+	-- _GET login id for direct login
+	login_user_id	VARCHAR UNIQUE, -- the loginUserId, at least 32 chars
+	login_user_id_set_date	TIMESTAMP WITHOUT TIME ZONE, -- when above uid was set
+	login_user_id_last_revalidate	TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password
+	login_user_id_valid_from	TIMESTAMP WITHOUT TIME ZONE, -- if set, from when the above uid is valid
+	login_user_id_valid_until	TIMESTAMP WITHOUT TIME ZONE, -- if set, until when the above uid is valid
+	login_user_id_revalidate_after	INTERVAL, -- user must login to revalidated loginUserId after set days, 0 for forever
+	login_user_id_locked	SMALLINT DEFAULT 0, -- lock for loginUserId, but still allow normal login
+	-- additional ACL json block
 	additional_acl	JSONB -- additional ACL as JSON string (can be set by other pages)
 ) INHERITS (edit_generic) WITHOUT OIDS;
 
+-- create unique index
+-- CREATE UNIQUE INDEX edit_user_login_user_id_key ON edit_user (login_user_id) WHERE login_user_id IS NOT NULL;
+
+COMMENT ON COLUMN edit_user.username IS 'Login username, must set';
+COMMENT ON COLUMN edit_user.password IS 'Login password, must set';
+COMMENT ON COLUMN edit_user.enabled IS 'Login is enabled (master switch)';
+COMMENT ON COLUMN edit_user.deleted IS 'Login is deleted (master switch), overrides all other';
+COMMENT ON COLUMN edit_user.strict IS 'If too many failed logins user will be locked, default off';
+COMMENT ON COLUMN edit_user.locked IS 'Locked from too many wrong password logins';
+COMMENT ON COLUMN edit_user.protected IS 'User can only be chnaged by admin user';
+COMMENT ON COLUMN edit_user.debug IS 'Turn debug flag on (legacy)';
+COMMENT ON COLUMN edit_user.db_debug IS 'Turn DB debug flag on (legacy)';
+COMMENT ON COLUMN edit_user.admin IS 'If set, this user is SUPER admin';
+COMMENT ON COLUMN edit_user.last_login IS 'Last succesfull login tiemstamp';
+COMMENT ON COLUMN edit_user.login_error_count IS 'Number of failed logins, reset on successful login';
+COMMENT ON COLUMN edit_user.login_error_date_last IS 'Last login error date';
+COMMENT ON COLUMN edit_user.login_error_date_first IS 'First login error date, reset on successfull login';
+COMMENT ON COLUMN edit_user.lock_until IS 'Account is locked until this date, <';
+COMMENT ON COLUMN edit_user.lock_after IS 'Account is locked after this date, >';
+COMMENT ON COLUMN edit_user.password_change_date IS 'Password was changed on';
+COMMENT ON COLUMN edit_user.password_change_interval IS 'After how many days the password has to be changed';
 COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check';
-COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid';
+COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid, one time, invalid after reset successful or time out';
+COMMENT ON COLUMN edit_user.login_user_id IS 'Min 32 character UID to be used to login without password. Via GET/POST parameter';
+COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'loginUserId was set at what date';
+COMMENT ON COLUMN edit_user.login_user_id_last_revalidate IS 'set when username/password login is done and loginUserId is set';
+COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'loginUserId is valid from this date, >=';
+COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'loginUserId is valid until this date, <=';
+COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate the loginUserId, set to 0 for valid forver';
+COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for loginUserId, user can still login normal';
+COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List stored in JSON format';

4dev/database/trigger/trg_edit_user.sql

@@ -2,3 +2,8 @@
 CREATE TRIGGER trg_edit_user
 BEFORE INSERT OR UPDATE ON edit_user
 FOR EACH ROW EXECUTE PROCEDURE set_edit_generic();
+
+-- DROP TRIGGER IF EXISTS trg_edit_user_set_login_user_id_set_date ON edit_user;
+CREATE TRIGGER trg_edit_user_set_login_user_id_set_date
+BEFORE INSERT OR UPDATE ON edit_user
+FOR EACH ROW EXECUTE PROCEDURE set_login_user_id_set_date();

4dev/database/update/20220617-edit_user_login_user_id_add.sql

@@ -0,0 +1,51 @@
+-- 2022/6/17 update edit_user with login uid
+
+-- the login uid, at least 32 chars
+ALTER TABLE edit_user ADD login_user_id VARCHAR UNIQUE;
+-- CREATE UNIQUE INDEX edit_user_login_user_id_key ON edit_user (login_user_id) WHERE login_user_id IS NOT NULL;
+-- ALTER TABLE edit_user ADD CONSTRAINT edit_user_login_user_id_key UNIQUE (login_user_id);
+-- when above uid was set
+ALTER TABLE edit_user ADD login_user_id_set_date TIMESTAMP WITHOUT TIME ZONE;
+ALTER TABLE edit_user ADD login_user_id_last_revalidate TIMESTAMP WITHOUT TIME ZONE;
+-- if set, from/until when the above uid is valid
+ALTER TABLE edit_user ADD login_user_id_valid_from TIMESTAMP WITHOUT TIME ZONE;
+ALTER TABLE edit_user ADD login_user_id_valid_until TIMESTAMP WITHOUT TIME ZONE;
+-- user must login to revalidated login id after set days, 0 for forever
+ALTER TABLE edit_user ADD login_user_id_revalidate_after INTERVAL;
+-- lock for login user id, but still allow normal login
+ALTER TABLE edit_user ADD login_user_id_locked SMALLINT NOT NULL DEFAULT 0;
+
+-- disable login before date
+ALTER TABLE edit_user ADD lock_until TIMESTAMP WITHOUT TIME ZONE;
+-- disable login after date
+ALTER TABLE edit_user ADD lock_after TIMESTAMP WITHOUT TIME ZONE;
+
+CREATE OR REPLACE FUNCTION set_login_user_id_set_date()
+RETURNS TRIGGER AS
+$$
+BEGIN
+	-- if new is not null/empty
+	-- and old one is null or old one different new one
+	-- set NOW()
+	-- if new one is NULL
+	-- set NULL
+	IF
+		NEW.login_user_id IS NOT NULL AND NEW.login_user_id <> '' AND
+		(OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id)
+	THEN
+		NEW.login_user_id_set_date = NOW();
+		NEW.login_user_id_last_revalidate = NOW();
+	ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN
+		NEW.login_user_id_set_date = NULL;
+		NEW.login_user_id_last_revalidate = NULL;
+	END IF;
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';
+
+CREATE TRIGGER trg_edit_user_set_login_user_id_set_date
+BEFORE INSERT OR UPDATE ON edit_user
+FOR EACH ROW EXECUTE PROCEDURE set_login_user_id_set_date();
+
+-- __END__

4dev/tests/CoreLibsACLLogin_database_prepare.sh

@@ -7,6 +7,7 @@
 # PARAMETER 2: db user WHO MUST BE ABLE TO CREATE A DATABASE
 # PARAMETER 3: db name
 # PARAMETER 4: db host
+# PARAMETER 5: print out for testing
 
 load_sql="${1}";
 # abort with 1 if we cannot find the file
@@ -34,8 +35,13 @@ if [ $? -ne 0 ]; then
 	echo 4;
 	exit 4;
 fi;
-# load data (redirect ALL error to null), on error exit with 5
+# if error 5 thrown, test with enabled below
-psql -U ${db_user} -h ${db_host} -f ${load_sql} ${db_name} 2>&1 1>/dev/null 2>/dev/null;
+if [ ! -z "${5}" ]; then
+	psql -U ${db_user} -h ${db_host} -f ${load_sql} ${db_name};
+else
+	# load data (redirect ALL error to null), on error exit with 5
+	psql -U ${db_user} -h ${db_host} -f ${load_sql} ${db_name} 2>&1 1>/dev/null 2>/dev/null;
+fi;
 if [ $? -ne 0 ]; then
 	echo 5;
 	exit 5;

4dev/tests/database/CoreLibsACLLogin_database_create_data.sql

@@ -2,7 +2,8 @@
 -- create random string with length X
 
 CREATE FUNCTION random_string(randomLength int)
-RETURNS text AS $$
+RETURNS text AS
+$$
 SELECT array_to_string(
 	ARRAY(
 		SELECT substring(
@@ -14,53 +15,58 @@ SELECT array_to_string(
 	),
 	''
 )
-$$ LANGUAGE SQL
+$$
+LANGUAGE SQL
 RETURNS NULL ON NULL INPUT
-VOLATILE; -- LEAKPROOF;-- END: function/random_string.sql
+VOLATILE; -- LEAKPROOF;
+-- END: function/random_string.sql
 -- START: function/set_edit_generic.sql
 -- adds the created or updated date tags
 
-CREATE OR REPLACE FUNCTION set_edit_generic() RETURNS TRIGGER AS '
+CREATE OR REPLACE FUNCTION set_edit_generic()
-	DECLARE
+RETURNS TRIGGER AS
-		random_length INT = 12; -- that should be long enough
+$$
-	BEGIN
+DECLARE
-		IF TG_OP = ''INSERT'' THEN
+	random_length INT = 12; -- that should be long enough
-			NEW.date_created := ''now'';
+BEGIN
-			NEW.cuid := random_string(random_length);
+	IF TG_OP = 'INSERT' THEN
-		ELSIF TG_OP = ''UPDATE'' THEN
+		NEW.date_created := 'now';
-			NEW.date_updated := ''now'';
+		NEW.cuid := random_string(random_length);
-		END IF;
+	ELSIF TG_OP = 'UPDATE' THEN
-		RETURN NEW;
+		NEW.date_updated := 'now';
-	END;
+	END IF;
-' LANGUAGE 'plpgsql';
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';
 -- END: function/set_edit_generic.sql
 -- START: function/edit_access_set_uid.sql
 -- add uid add for edit_access table
 
 CREATE OR REPLACE FUNCTION set_edit_access_uid() RETURNS TRIGGER AS
 $$
-	DECLARE
+DECLARE
-		myrec RECORD;
+	myrec RECORD;
-		v_uid VARCHAR;
+	v_uid VARCHAR;
-	BEGIN
+BEGIN
-		-- skip if NEW.name is not set
+	-- skip if NEW.name is not set
-		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+	IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
-			-- use NEW.name as base, remove all spaces
+		-- use NEW.name as base, remove all spaces
-			-- name data is already unique, so we do not need to worry about this here
+		-- name data is already unique, so we do not need to worry about this here
-			v_uid := REPLACE(NEW.name, ' ', '');
+		v_uid := REPLACE(NEW.name, ' ', '');
-			IF TG_OP = 'INSERT' THEN
+		IF TG_OP = 'INSERT' THEN
-				-- always set
+			-- always set
+			NEW.uid := v_uid;
+		ELSIF TG_OP = 'UPDATE' THEN
+			-- check if not set, then set
+			SELECT INTO myrec t.* FROM edit_access t WHERE edit_access_id = NEW.edit_access_id;
+			IF FOUND THEN
 				NEW.uid := v_uid;
-			ELSIF TG_OP = 'UPDATE' THEN
-				-- check if not set, then set
-				SELECT INTO myrec t.* FROM edit_access t WHERE edit_access_id = NEW.edit_access_id;
-				IF FOUND THEN
-					NEW.uid := v_uid;
-				END IF;
 			END IF;
 		END IF;
-		RETURN NEW;
+	END IF;
-	END;
+	RETURN NEW;
+END;
 $$
 	LANGUAGE 'plpgsql';
 -- END: function/edit_access_set_uid.sql
@@ -69,28 +75,28 @@ $$
 
 CREATE OR REPLACE FUNCTION set_edit_group_uid() RETURNS TRIGGER AS
 $$
-	DECLARE
+DECLARE
-		myrec RECORD;
+	myrec RECORD;
-		v_uid VARCHAR;
+	v_uid VARCHAR;
-	BEGIN
+BEGIN
-		-- skip if NEW.name is not set
+	-- skip if NEW.name is not set
-		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+	IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
-			-- use NEW.name as base, remove all spaces
+		-- use NEW.name as base, remove all spaces
-			-- name data is already unique, so we do not need to worry about this here
+		-- name data is already unique, so we do not need to worry about this here
-			v_uid := REPLACE(NEW.name, ' ', '');
+		v_uid := REPLACE(NEW.name, ' ', '');
-			IF TG_OP = 'INSERT' THEN
+		IF TG_OP = 'INSERT' THEN
-				-- always set
+			-- always set
+			NEW.uid := v_uid;
+		ELSIF TG_OP = 'UPDATE' THEN
+			-- check if not set, then set
+			SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
+			IF FOUND THEN
 				NEW.uid := v_uid;
-			ELSIF TG_OP = 'UPDATE' THEN
-				-- check if not set, then set
-				SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
-				IF FOUND THEN
-					NEW.uid := v_uid;
-				END IF;
 			END IF;
 		END IF;
-		RETURN NEW;
+	END IF;
-	END;
+	RETURN NEW;
+END;
 $$
 	LANGUAGE 'plpgsql';
 -- END: function/edit_group_set_uid.sql
@@ -246,6 +252,34 @@ END
 $$
 LANGUAGE 'plpgsql';
 -- END: function/edit_log_partition_insert.sql
+-- START: function/edit_user_set_login_user_id_set_date.sql
+-- set edit user login_user_id_set_date if login_user_id is set
+-- NOW() if not empty
+
+CREATE OR REPLACE FUNCTION set_login_user_id_set_date()
+RETURNS TRIGGER AS
+$$
+BEGIN
+	-- if new is not null/empty
+	-- and old one is null or old one different new one
+	-- set NOW()
+	-- if new one is NULL
+	-- set NULL
+	IF
+		NEW.login_user_id IS NOT NULL AND NEW.login_user_id <> '' AND
+		(OLD.login_user_id IS NULL OR NEW.login_user_id <> OLD.login_user_id)
+	THEN
+		NEW.login_user_id_set_date = NOW();
+		NEW.login_user_id_last_revalidate = NOW();
+	ELSIF NEW.login_user_id IS NULL OR NEW.login_user_id = '' THEN
+		NEW.login_user_id_set_date = NULL;
+		NEW.login_user_id_last_revalidate = NULL;
+	END IF;
+	RETURN NEW;
+END;
+$$
+LANGUAGE 'plpgsql';
+-- END: function/edit_user_set_login_user_id_set_date.sql
 -- START: table/edit_temp_files.sql
 -- AUTHOR: Clemens Schwaighofer
 -- DATE: 2005/07/08
@@ -526,34 +560,85 @@ CREATE TABLE edit_user (
 	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_access_right_id INT NOT NULL,
 	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	enabled	SMALLINT NOT NULL DEFAULT 0,
+	-- username/password
-	deleted	SMALLINT NOT NULL DEFAULT 0,
 	username	VARCHAR UNIQUE,
 	password	VARCHAR,
+	-- name block
 	first_name	VARCHAR,
 	last_name	VARCHAR,
 	first_name_furigana	VARCHAR,
 	last_name_furigana	VARCHAR,
+	-- email
+	email	VARCHAR,
+	-- eanbled/deleted flag
+	enabled	SMALLINT NOT NULL DEFAULT 0,
+	deleted	SMALLINT NOT NULL DEFAULT 0,
+	-- general flags
+	strict	SMALLINT DEFAULT 0,
+	locked	SMALLINT DEFAULT 0,
+	protected SMALLINT NOT NULL DEFAULT 0,
+	-- legacy, debug flags
 	debug	SMALLINT NOT NULL DEFAULT 0,
 	db_debug	SMALLINT NOT NULL DEFAULT 0,
-	email	VARCHAR,
+	-- is admin user
-	protected SMALLINT NOT NULL DEFAULT 0,
 	admin	SMALLINT NOT NULL DEFAULT 0,
+	-- last login log
 	last_login	TIMESTAMP WITHOUT TIME ZONE,
+	-- login error
 	login_error_count	INT DEFAULT 0,
 	login_error_date_last	TIMESTAMP WITHOUT TIME ZONE,
 	login_error_date_first	TIMESTAMP WITHOUT TIME ZONE,
-	strict	SMALLINT DEFAULT 0,
+	-- time locked
-	locked	SMALLINT DEFAULT 0,
+	lock_until	TIMESTAMP WITHOUT TIME ZONE,
+	lock_after	TIMESTAMP WITHOUT TIME ZONE,
+	-- password change
 	password_change_date	TIMESTAMP WITHOUT TIME ZONE, -- only when password is first set or changed
 	password_change_interval	INTERVAL, -- null if no change is needed, or d/m/y time interval
 	password_reset_time	TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested
 	password_reset_uid	VARCHAR, -- the uid to access the password reset page
+	-- _GET login id for direct login
+	login_user_id	VARCHAR UNIQUE, -- the loginUserId, at least 32 chars
+	login_user_id_set_date	TIMESTAMP WITHOUT TIME ZONE, -- when above uid was set
+	login_user_id_last_revalidate	TIMESTAMP WITHOUT TIME ZONE, -- when the last login was done with user name and password
+	login_user_id_valid_from	TIMESTAMP WITHOUT TIME ZONE, -- if set, from when the above uid is valid
+	login_user_id_valid_until	TIMESTAMP WITHOUT TIME ZONE, -- if set, until when the above uid is valid
+	login_user_id_revalidate_after	INTERVAL, -- user must login to revalidated loginUserId after set days, 0 for forever
+	login_user_id_locked	SMALLINT DEFAULT 0, -- lock for loginUserId, but still allow normal login
+	-- additional ACL json block
 	additional_acl	JSONB -- additional ACL as JSON string (can be set by other pages)
 ) INHERITS (edit_generic) WITHOUT OIDS;
 
+-- create unique index
+-- CREATE UNIQUE INDEX edit_user_login_user_id_key ON edit_user (login_user_id) WHERE login_user_id IS NOT NULL;
+
+COMMENT ON COLUMN edit_user.username IS 'Login username, must set';
+COMMENT ON COLUMN edit_user.password IS 'Login password, must set';
+COMMENT ON COLUMN edit_user.enabled IS 'Login is enabled (master switch)';
+COMMENT ON COLUMN edit_user.deleted IS 'Login is deleted (master switch), overrides all other';
+COMMENT ON COLUMN edit_user.strict IS 'If too many failed logins user will be locked, default off';
+COMMENT ON COLUMN edit_user.locked IS 'Locked from too many wrong password logins';
+COMMENT ON COLUMN edit_user.protected IS 'User can only be chnaged by admin user';
+COMMENT ON COLUMN edit_user.debug IS 'Turn debug flag on (legacy)';
+COMMENT ON COLUMN edit_user.db_debug IS 'Turn DB debug flag on (legacy)';
+COMMENT ON COLUMN edit_user.admin IS 'If set, this user is SUPER admin';
+COMMENT ON COLUMN edit_user.last_login IS 'Last succesfull login tiemstamp';
+COMMENT ON COLUMN edit_user.login_error_count IS 'Number of failed logins, reset on successful login';
+COMMENT ON COLUMN edit_user.login_error_date_last IS 'Last login error date';
+COMMENT ON COLUMN edit_user.login_error_date_first IS 'First login error date, reset on successfull login';
+COMMENT ON COLUMN edit_user.lock_until IS 'Account is locked until this date, <';
+COMMENT ON COLUMN edit_user.lock_after IS 'Account is locked after this date, >';
+COMMENT ON COLUMN edit_user.password_change_date IS 'Password was changed on';
+COMMENT ON COLUMN edit_user.password_change_interval IS 'After how many days the password has to be changed';
 COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check';
-COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid';
+COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid, one time, invalid after reset successful or time out';
+COMMENT ON COLUMN edit_user.login_user_id IS 'Min 32 character UID to be used to login without password. Via GET/POST parameter';
+COMMENT ON COLUMN edit_user.login_user_id_set_date IS 'loginUserId was set at what date';
+COMMENT ON COLUMN edit_user.login_user_id_last_revalidate IS 'set when username/password login is done and loginUserId is set';
+COMMENT ON COLUMN edit_user.login_user_id_valid_from IS 'loginUserId is valid from this date, >=';
+COMMENT ON COLUMN edit_user.login_user_id_valid_until IS 'loginUserId is valid until this date, <=';
+COMMENT ON COLUMN edit_user.login_user_id_revalidate_after IS 'If set to a number greater 0 then user must login after given amount of days to revalidate the loginUserId, set to 0 for valid forver';
+COMMENT ON COLUMN edit_user.login_user_id_locked IS 'A separte lock flag for loginUserId, user can still login normal';
+COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List stored in JSON format';
 -- END: table/edit_user.sql
 -- START: table/edit_log.sql
 -- AUTHOR: Clemens Schwaighofer
@@ -774,6 +859,11 @@ FOR EACH ROW EXECUTE PROCEDURE set_edit_generic();
 CREATE TRIGGER trg_edit_user
 BEFORE INSERT OR UPDATE ON edit_user
 FOR EACH ROW EXECUTE PROCEDURE set_edit_generic();
+
+-- DROP TRIGGER IF EXISTS trg_edit_user_set_login_user_id_set_date ON edit_user;
+CREATE TRIGGER trg_edit_user_set_login_user_id_set_date
+BEFORE INSERT OR UPDATE ON edit_user
+FOR EACH ROW EXECUTE PROCEDURE set_login_user_id_set_date();
 -- END: trigger/trg_edit_user.sql
 -- START: trigger/trg_edit_visible_group.sql
 -- DROP TRIGGER IF EXISTS trg_edit_visible_group ON edit_visible_group;

www/admin/edit_groups_test.php

@@ -0,0 +1,61 @@
+<?php // phpcs:ignore PSR1.Files.SideEffects
+
+// this is an empty test page for login tests only
+
+declare(strict_types=1);
+
+$DEBUG_ALL_OVERRIDE = false; // set to 1 to debug on live/remote server locations
+$DEBUG_ALL = true;
+$PRINT_ALL = true;
+$DB_DEBUG = true;
+
+if ($DEBUG_ALL) {
+	error_reporting(E_ALL | E_STRICT | E_ERROR | E_WARNING | E_PARSE | E_COMPILE_ERROR);
+}
+
+ob_start();
+
+// basic class test file
+define('USE_DATABASE', true);
+// sample config
+require 'config.php';
+// define log file id
+$LOG_FILE_ID = 'classTest';
+$SET_SESSION_NAME = EDIT_SESSION_NAME;
+
+// init login & backend class
+$session = new CoreLibs\Create\Session($SET_SESSION_NAME);
+$log = new CoreLibs\Debug\Logging([
+	'log_folder' => BASE . LOG,
+	'file_id' => $LOG_FILE_ID,
+	// add file date
+	'print_file_date' => true,
+	// set debug and print flags
+	'debug_all' => $DEBUG_ALL ?? false,
+	'echo_all' => $ECHO_ALL ?? false,
+	'print_all' => $PRINT_ALL ?? false,
+]);
+$db = new CoreLibs\DB\IO(DB_CONFIG, $log);
+$login = new CoreLibs\ACL\Login($db, $log, $session);
+$locale = \CoreLibs\Language\GetLocale::setLocale();
+$l10n = new \CoreLibs\Language\L10n(
+	$locale['locale'],
+	$locale['domain'],
+	$locale['path'],
+);
+
+print "<!DOCTYPE html>";
+print "<html><head><title>GROUP TESTER</title><head>";
+print "<body>";
+
+print '<form method="post" name="loginlogout">';
+print '<a href="javascript:document.loginlogout.login_logout.value=\'Logou\';'
+	. 'document.loginlogout.submit();">Logout</a>';
+print '<input type="hidden" name="login_logout" value="">';
+print '</form>';
+
+print "<h1>TEST Login</h1>";
+
+print "</body></html>";
+
+// __END__

www/includes/edit_base.php

@@ -397,10 +397,18 @@ if ($form->my_page_name == 'edit_order') {
 				$elements[] = $form->formCreateElement('login_error_date_last');
 				$elements[] = $form->formCreateElement('login_error_date_first');
 				$elements[] = $form->formCreateElement('enabled');
+				$elements[] = $form->formCreateElement('deleted');
 				$elements[] = $form->formCreateElement('protected');
 				$elements[] = $form->formCreateElement('username');
 				$elements[] = $form->formCreateElement('password');
 				$elements[] = $form->formCreateElement('password_change_interval');
+				$elements[] = $form->formCreateElement('login_user_id');
+				$elements[] = $form->formCreateElement('login_user_id_set_date');
+				$elements[] = $form->formCreateElement('login_user_id_last_revalidate');
+				$elements[] = $form->formCreateElement('login_user_id_locked');
+				$elements[] = $form->formCreateElement('login_user_id_revalidate_after');
+				$elements[] = $form->formCreateElement('login_user_id_valid_from');
+				$elements[] = $form->formCreateElement('login_user_id_valid_until');
 				$elements[] = $form->formCreateElement('email');
 				$elements[] = $form->formCreateElement('last_name');
 				$elements[] = $form->formCreateElement('first_name');
@@ -408,6 +416,8 @@ if ($form->my_page_name == 'edit_order') {
 				$elements[] = $form->formCreateElement('edit_access_right_id');
 				$elements[] = $form->formCreateElement('strict');
 				$elements[] = $form->formCreateElement('locked');
+				$elements[] = $form->formCreateElement('lock_until');
+				$elements[] = $form->formCreateElement('lock_after');
 				$elements[] = $form->formCreateElement('admin');
 				$elements[] = $form->formCreateElement('debug');
 				$elements[] = $form->formCreateElement('db_debug');

www/includes/table_arrays/array_edit_users.php

@@ -53,6 +53,16 @@ $edit_users = [
 				'0' => 'No'
 			],
 		],
+		'deleted' => [
+			'value' => $GLOBALS['deleted'] ?? '',
+			'output_name' => 'Deleted',
+			'type' => 'binary',
+			'int' => 1,
+			'element_list' => [
+				'1' => 'Yes',
+				'0' => 'No'
+			],
+		],
 		'strict' => [
 			'value' => $GLOBALS['strict'] ?? '',
 			'output_name' => 'Strict (Lock after errors)',
@@ -119,6 +129,77 @@ $edit_users = [
 			'output_name' => 'First Name',
 			'type' => 'text'
 		],
+		'lock_until' => [
+			'value' => $GLOBALS['lock_until'] ?? '',
+			'output_name' => 'Lock account until',
+			'type' => 'datetime',
+			'error_check' => 'datetime',
+			'sql_read' => 'YYYY-MM-DD HH24:MI',
+			'datetime' => 1,
+		],
+		'lock_after' => [
+			'value' => $GLOBALS['lock_after'] ?? '',
+			'output_name' => 'Lock account after',
+			'type' => 'datetime',
+			'error_check' => 'datetime',
+			'sql_read' => 'YYYY-MM-DD HH24:MI',
+			'datetime' => 1,
+		],
+		'login_user_id' => [
+			'value' => $GLOBALS['login_user_id'] ?? '',
+			'output_name' => '_GET/_POST loginUserId direct login ID',
+			'type' => 'text',
+			'error_check' => 'unique|custom',
+			'error_regex' => "/^[A-Za-z0-9]+$/",
+			'emptynull' => 1,
+		],
+		'login_user_id_set_date' => [
+			'output_name' => 'loginUserId set date',
+			'value' => $GLOBALS['login_user_id_set_date'] ?? '',
+			'type' => 'view',
+			'empty' => '-'
+		],
+		'login_user_id_last_revalidate' => [
+			'output_name' => 'loginUserId last revalidate date',
+			'value' => $GLOBALS['login_user_id_last_revalidate'] ?? '',
+			'type' => 'view',
+			'empty' => '-'
+		],
+		'login_user_id_locked' => [
+			'value' => $GLOBALS['login_user_id_locked'] ?? '',
+			'output_name' => 'loginUserId usage locked',
+			'type' => 'binary',
+			'int' => 1,
+			'element_list' => [
+				'1' => 'Yes',
+				'0' => 'No'
+			],
+		],
+		'login_user_id_revalidate_after' => [
+			'value' => $GLOBALS['login_user_id_revalidate_after'] ?? '',
+			'output_name' => 'loginUserId, User must login after n days',
+			'type' => 'text',
+			'error_check' => 'intervalshort',
+			'interval' => 1, // interval needs NULL write for empty
+			'size' => 5, // make it 5 chars long
+			'length' => 5
+		],
+		'login_user_id_valid_from' => [
+			'value' => $GLOBALS['login_user_id_valid_from'] ?? '',
+			'output_name' => 'loginUserId valid from',
+			'type' => 'datetime',
+			'error_check' => 'datetime',
+			'sql_read' => 'YYYY-MM-DD HH24:MI',
+			'datetime' => 1,
+		],
+		'login_user_id_valid_until' => [
+			'value' => $GLOBALS['login_user_id_valid_until'] ?? '',
+			'output_name' => 'loginUserId valid until',
+			'type' => 'datetime',
+			'error_check' => 'datetime',
+			'sql_read' => 'YYYY-MM-DD HH24:MI',
+			'datetime' => 1,
+		],
 		'edit_language_id' => [
 			'value' => $GLOBALS['edit_language_id'] ?? '',
 			'output_name' => 'Language',
@@ -187,7 +268,8 @@ $edit_users = [
 			'cols' => 60
 		],
 	],
-	'load_query' => "SELECT edit_user_id, username, enabled, debug, db_debug, strict, locked, login_error_count "
+	'load_query' => "SELECT edit_user_id, username, enabled, deleted, "
+		. "strict, locked, login_error_count "
 		. "FROM edit_user ORDER BY username",
 	'table_name' => 'edit_user',
 	'show_fields' => [
@@ -197,31 +279,26 @@ $edit_users = [
 		[
 			'name' => 'enabled',
 			'binary' => ['Yes', 'No'],
-			'before_value' => 'Enabled: '
+			'before_value' => 'ENBL: '
 		],
 		[
-			'name' => 'debug',
+			'name' => 'deleted',
 			'binary' => ['Yes', 'No'],
-			'before_value' => 'Debug: '
+			'before_value' => 'DEL: '
-		],
-		[
-			'name' => 'db_debug',
-			'binary' => ['Yes', 'No'],
-			'before_value' => 'DB Debug: '
 		],
 		[
 			'name' => 'strict',
 			'binary' => ['Yes', 'No'],
-			'before_value' => 'Strict: '
+			'before_value' => 'STRC: '
 		],
 		[
 			'name' => 'locked',
 			'binary' => ['Yes', 'No'],
-			'before_value' => 'Locked: '
+			'before_value' => 'LCK: '
 		],
 		[
 			'name' => 'login_error_count',
-			'before_value' => 'Errors: '
+			'before_value' => 'ERR: '
 		],
 	],
 	'element_list' => [

www/includes/templates/admin/edit_elements.tpl

@@ -32,7 +32,10 @@
 			<input type="hidden" name="HIDDEN_{$element.data.name}" value="{$element.data.HIDDEN_value}">
 		{/if}
 		{if $element.type == 'date'}
-			<input type="text" name="{$element.data.name}" value="{$element.data.value}" size="10" maxlength="10">
+			<input type="text" name="{$element.data.name}" value="{$element.data.value}" size="10" maxlength="10" placeholder="YYYY-MM-DD">
+		{/if}
+		{if $element.type == 'datetime'}
+			<input type="text" name="{$element.data.name}" value="{$element.data.value}" size="16" maxlength="16" placeholder="YYYY-MM-DD HH:mm">
 		{/if}
 		{if $element.type == 'textarea'}
 			<textarea name="{$element.data.name}"{if $element.data.rows} rows="{$element.data.rows}"{/if}{if $element.data.cols} cols="{$element.data.cols}"{/if}>{$element.data.value}</textarea>

www/lib/CoreLibs/ACL/Login.php

@@ -72,30 +72,36 @@ use CoreLibs\Check\Password;
 
 class Login
 {
-	/** @var string */
+	/** @var string the user id var*/
-	private $euid; // the user id var
+	private $euid;
+	/** @var string _GET/_POST loginUserId parameter for non password login */
+	private $login_user_id = '';
+	/** @var string source, either _GET or _POST or empty */
+	private $login_user_id_source = '';
+	/** @var bool set to true if illegal characters where found in the login user id string */
+	private $login_unclear = false;
 	// is set to one if login okay, or EUID is set and user is okay to access this page
 	/** @var bool */
 	private $permission_okay = false;
-	/** @var string */
+	/** @var string pressed login */
-	public $login; // pressed login
+	public $login;
-	/** @var string */
+	/** @var string master action command */
-	private $action; // master action command
+	private $action;
-	/** @var string */
+	/** @var string login name */
-	private $username; // login name
+	private $username;
-	/** @var string */
+	/** @var string login password */
-	private $password; // login password
+	private $password;
-	/** @var string */
+	/** @var string logout button */
-	private $logout; // logout button
+	private $logout;
-	/** @var bool */
+	/** @var bool if this is set to true, the user can change passwords */
-	private $password_change = false; // if this is set to true, the user can change passwords
+	private $password_change = false;
-	/** @var bool */
+	/** @var bool password change was successful */
-	private $password_change_ok = false; // password change was successful
+	private $password_change_ok = false;
 	// can we reset password and mail to user with new password set screen
 	/** @var bool */
 	private $password_forgot = false;
-	/** @var bool */
+	/** @var bool password forgot mail send ok */
-	// private $password_forgot_ok = false; // password forgot mail send ok
+	// private $password_forgot_ok = false;
 	/** @var string */
 	private $change_password;
 	/** @var string */
@@ -106,8 +112,8 @@ class Login
 	private $pw_new_password;
 	/** @var string */
 	private $pw_new_password_confirm;
-	/** @var array<string> */
+	/** @var array<string> array of users for which the password change is forbidden */
-	private $pw_change_deny_users = []; // array of users for which the password change is forbidden
+	private $pw_change_deny_users = [];
 	/** @var string */
 	private $logout_target = '';
 	/** @var int */
@@ -117,8 +123,7 @@ class Login
 	/** @var string */
 	private $page_name = '';
 
-	// if we have password change we need to define some rules
+	/** @var int if we have password change we need to define some rules */
-	/** @var int */
 	private $password_min_length = 9;
 	/** @var int an true maxium min, can never be set below this */
 	private $password_min_length_max = 9;
@@ -126,8 +131,7 @@ class Login
 	// it will be set back to 255
 	/** @var int */
 	private $password_max_length = 255;
-	// can have several regexes, if nothing set, all is ok
+	/** @var array<string> can have several regexes, if nothing set, all is ok */
-	/** @var array<string> */
 	private $password_valid_chars = [
 		// '^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]{8,}$',
 		// '^(?.*(\pL)u)(?=.*(\pN)u)(?=.*([^\pL\pN])u).{8,}',
@@ -234,6 +238,14 @@ class Login
 				'msg' => 'Login Failed - Wrong Username or Password',
 				'flag' => 'e'
 			],
+			'1101' => [
+				'msg' => 'Login Failed - Login User ID must be validated',
+				'flag' => 'e'
+			],
+			'1102' => [
+				'msg' => 'Login Failed - Login User ID is outside valid date range',
+				'flag' => 'e'
+			],
 			'102' => [
 				'msg' => 'Login Failed - Please enter username and password',
 				'flag' => 'e'
@@ -250,6 +262,18 @@ class Login
 				'msg' => 'Login Failed - User is locked',
 				'flag' => 'e'
 			],
+			'106' => [
+				'msg' => 'Login Failed - User is deleted',
+				'flag' => 'e'
+			],
+			'107' => [
+				'msg' => 'Login Failed - User in locked via date period',
+				'flag' => 'e'
+			],
+			'108' => [
+				'msg' => 'Login Failed - User is locked via Login User ID',
+				'flag' => 'e'
+			],
 			'109' => [
 				'msg' => 'Check permission query reading failed',
 				'flag' => 'e'
@@ -360,6 +384,47 @@ class Login
 	// **** PRIVATE INTERNAL
 	// *************************************************************************
 
+	/**
+	 * Checks for all flags and sets error codes for each
+	 * In order:
+	 * delete > enable > lock > period lock > login user id lock
+	 *
+	 * @param  int  $deleted              User deleted check
+	 * @param  int  $enabled              User not enabled check
+	 * @param  int  $locked               Locked because of too many invalid passwords
+	 * @param  int  $locked_period        Locked because of time period set
+	 * @param  int  $login_user_id_locked Locked from using Login User Id
+	 * @return bool
+	 */
+	private function loginValidationCheck(
+		int $deleted,
+		int $enabled,
+		int $locked,
+		int $locked_period,
+		int $login_user_id_locked
+	): bool {
+		$validation = false;
+		if ($deleted) {
+			// user is deleted
+			$this->login_error = 106;
+		} elseif (!$enabled) {
+			// user is not  enabled
+			$this->login_error = 104;
+		} elseif ($locked) {
+			// user is locked, either set or auto set
+			$this->login_error = 105;
+		} elseif ($locked_period) {
+			// locked date trigger
+			$this->login_error = 107;
+		} elseif ($login_user_id_locked) {
+			// user is locked, either set or auto set
+			$this->login_error = 108;
+		} else {
+			$validation = true;
+		}
+		return $validation;
+	}
+
 	/**
 	 * checks if password is valid, sets internal error login variable
 	 *
@@ -393,7 +458,6 @@ class Login
 		) {
 			// this means password cannot be decrypted because of missing crypt methods
 			$this->login_error = 9999;
-			$password_ok = false;
 		} elseif (
 			preg_match("/^\\$2y\\$/", $hash) &&
 			!Password::passwordVerify($password, $hash)
@@ -401,7 +465,6 @@ class Login
 			// this is the new password hash method, is only $2y$
 			// all others are not valid anymore
 			$this->login_error = 1013;
-			$password_ok = false;
 		} elseif (
 			!preg_match("/^\\$2(a|y)\\$/", $hash) &&
 			!preg_match("/^\\$1\\$/", $hash) &&
@@ -410,7 +473,6 @@ class Login
 		) {
 			// check old plain password, case sensitive
 			$this->login_error = 1012;
-			$password_ok = false;
 		} else {
 			// all ok
 			$password_ok = true;
@@ -418,6 +480,28 @@ class Login
 		return $password_ok;
 	}
 
+	/**
+	 * Check if Login User ID is allowed to login
+	 *
+	 * @param  int  $login_user_id_valid_date
+	 * @param  int  $login_user_id_revalidate
+	 * @return bool
+	 */
+	private function loginLoginUserIdCheck(
+		int $login_user_id_valid_date,
+		int $login_user_id_revalidate
+	): bool {
+		$login_id_ok = false;
+		if ($login_user_id_revalidate) {
+			$this->login_error = 1101;
+		} elseif (!$login_user_id_valid_date) {
+			$this->login_error = 1102;
+		} else {
+			$login_id_ok = true;
+		}
+		return $login_id_ok;
+	}
+
 	/**
 	 * if user pressed login button this script is called,
 	 * but only if there is no preview euid set
@@ -427,11 +511,12 @@ class Login
 	private function loginLoginUser(): void
 	{
 		// if pressed login at least and is not yet loggined in
-		if ($this->euid || !$this->login) {
+		if ($this->euid || (!$this->login && !$this->login_user_id)) {
 			return;
 		}
 		// if not username AND password where given
-		if (!($this->password && $this->username)) {
+		// OR no login_user_id
+		if (!($this->username && $this->password) && !$this->login_user_id) {
 			$this->login_error = 102;
 			$this->permission_okay = false;
 			return;
@@ -441,12 +526,42 @@ class Login
 		$q = "SELECT eu.edit_user_id, eu.username, eu.password, "
 			. "eu.edit_group_id, "
 			. "eg.name AS edit_group_name, admin, "
+			// login error + locked
 			. "eu.login_error_count, eu.login_error_date_last, "
 			. "eu.login_error_date_first, eu.strict, eu.locked, "
+			// date based lock
+			. "CASE WHEN ("
+			. "(eu.lock_until IS NULL "
+			. "OR (eu.lock_until IS NOT NULL AND NOW() >= eu.lock_until)) "
+			. "AND (eu.lock_after IS NULL "
+			. "OR (eu.lock_after IS NOT NULL AND NOW() <= eu.lock_after))"
+			. ") THEN 0::INT ELSE 1::INT END locked_period, "
+			// debug (legacy)
 			. "eu.debug, eu.db_debug, "
+			// enabled
+			. "eu.enabled, eu.deleted, "
+			// for checks only
+			. "eu.login_user_id, "
+			// login id validation
+			. "CASE WHEN ("
+			. "(eu.login_user_id_valid_from IS NULL "
+			. "OR (eu.login_user_id_valid_from IS NOT NULL AND NOW() >= eu.login_user_id_valid_from)) "
+			. "AND (eu.login_user_id_valid_until IS NULL "
+			. "OR (eu.login_user_id_valid_until IS NOT NULL AND NOW() <= eu.login_user_id_valid_until))"
+			. ") THEN 1::INT ELSE 0::INT END AS login_user_id_valid_date, "
+			// check if user must login
+			. "CASE WHEN eu.login_user_id_revalidate_after IS NOT NULL "
+			. "AND eu.login_user_id_revalidate_after > '0 days'::INTERVAL "
+			. "AND (eu.login_user_id_last_revalidate + eu.login_user_id_revalidate_after)::DATE "
+			. "<= NOW()::DATE "
+			.  "THEN 1::INT ELSE 0::INT END AS login_user_id_revalidate, "
+			. "eu.login_user_id_locked, "
+			// language
+			. "el.short_name AS locale, el.iso_name AS encoding, "
+			//  levels
 			. "eareu.level AS user_level, eareu.type AS user_type, "
 			. "eareg.level AS group_level, eareg.type AS group_type, "
-			. "eu.enabled, el.short_name AS locale, el.iso_name AS encoding, "
+			// colors
 			. "first.header_color AS first_header_color, "
 			. "second.header_color AS second_header_color, second.template "
 			. "FROM edit_user eu "
@@ -458,11 +573,17 @@ class Login
 			. "edit_scheme first "
 			. "WHERE first.edit_scheme_id = eg.edit_scheme_id "
 			. "AND eu.edit_group_id = eg.edit_group_id "
-			. "AND eu.edit_language_id = el.edit_language_id AND "
+			. "AND eu.edit_language_id = el.edit_language_id "
-			. "eu.edit_access_right_id = eareu.edit_access_right_id AND "
+			. "AND eu.edit_access_right_id = eareu.edit_access_right_id "
-			. "eg.edit_access_right_id = eareg.edit_access_right_id AND "
+			. "AND eg.edit_access_right_id = eareg.edit_access_right_id "
-			// password match is done in script, against old plain or new blowfish encypted
+			. "AND "
-			. "(LOWER(username) = '" . $this->db->dbEscapeString(strtolower($this->username)) . "') ";
+			// either login_user_id OR password must be given
+			. (!empty($this->login_user_id && empty($this->username)) ?
+				// check with login id if set and NO username
+				"eu.login_user_id = " . $this->db->dbEscapeLiteral($this->login_user_id) . " " :
+				// password match is done in script, against old plain or new blowfish encypted
+				"LOWER(username) = " . $this->db->dbEscapeLiteral(strtolower($this->username)) . " "
+			);
 		// reset any query data that might exist
 		$this->db->dbCacheReset($q);
 		// never cache return data
@@ -488,17 +609,34 @@ class Login
 		// - password is readable
 		// - encrypted password matches
 		// - plain password matches
-
+		if (
-		if (!$res['enabled']) {
+			!$this->loginValidationCheck(
-			// user is enabled
+				(int)$res['deleted'],
-			$this->login_error = 104;
+				(int)$res['enabled'],
-		} elseif ($res['locked']) {
+				(int)$res['locked'],
-			// user is locked, either set or auto set
+				(int)$res['locked_period'],
-			$this->login_error = 105;
+				(int)$res['login_user_id_locked']
-		} elseif (!$this->loginPasswordCheck($res['password'])) {
+			)
+		) {
+			// error set in method (104, 105, 106, 107, 108)
+		} elseif (
+			empty($this->username) &&
+			!empty($this->login_user_id) &&
+			!$this->loginLoginUserIdCheck(
+				(int)$res['login_user_id_valid_date'],
+				(int)$res['login_user_id_revalidate']
+			)
+		) {
+			// check done in loginLoginIdCheck method
+			// aborts on must revalidate and not valid (date range)
+		} elseif (
+			!empty($this->username) &&
+			!$this->loginPasswordCheck($res['password'])
+		) {
 			// none to be set, set in login password check
 			// this is not valid password input error here
 			// all error codes are set in loginPasswordCheck method
+			// also valid if login_user_id is ok
 		} else {
 			// check if the current password is an invalid hash and do a rehash and set password
 			// $this->debug('LOGIN', 'Hash: '.$res['password'].' -> VERIFY: '
@@ -517,6 +655,15 @@ class Login
 			// check if user is okay
 			$this->loginCheckPermissions();
 			if ($this->login_error == 0) {
+				if (
+					!empty($res['login_user_id']) &&
+					!empty($this->username) && !empty($this->password)
+				) {
+					$q = "UPDATE edit_user SET "
+						. "login_user_id_last_revalidate = NOW() "
+						. "WHERE edit_user_id = " . $this->euid;
+					$this->db->dbExec($q);
+				}
 				// now set all session vars and read page permissions
 				$_SESSION['DEBUG_ALL'] = $this->db->dbBoolean($res['debug']);
 				$_SESSION['DB_DEBUG'] = $this->db->dbBoolean($res['db_debug']);
@@ -1396,6 +1543,34 @@ EOM;
 			$this->login_is_ajax_page = true;
 		}
 
+		// attach outside uid for login post > get > empty
+		$this->login_user_id = $_POST['loginUserId'] ?? $_GET['loginUserId'] ?? '';
+		// cleanup only alphanumeric
+		if (!empty($this->login_user_id)) {
+			// set post/get only if actually set
+			if (isset($_POST['loginUserId'])) {
+				$this->login_user_id_source = 'POST';
+			} elseif (isset($_GET['loginUserId'])) {
+				$this->login_user_id_source = 'GET';
+			}
+			// clean login user id
+			$login_user_id_changed = 0;
+			$this->login_user_id = preg_replace(
+				"/[^A-Za-z0-9]/",
+				'',
+				$this->login_user_id,
+				-1,
+				$login_user_id_changed
+			);
+			// flag unclean input data
+			if ($login_user_id_changed > 0) {
+				$this->login_unclear = true;
+				// error for invalid user id?
+				$this->log->debug('LOGIN USER ID', 'Invalid characters: '
+					. $login_user_id_changed . ' in loginUserId: '
+					. $this->login_user_id . ' (' . $this->login_user_id_source . ')');
+			}
+		}
 		// if there is none, there is none, saves me POST/GET check
 		$this->euid = array_key_exists('EUID', $_SESSION) ? $_SESSION['EUID'] : 0;
 		// get login vars, are so, can't be changed
@@ -1706,8 +1881,31 @@ EOM;
 		if ($this->login_error == 103) {
 			return $this->permission_okay;
 		}
-		// if ($this->euid && $this->login_error != 103) {
+		$q = "SELECT ep.filename, "
-		$q = "SELECT ep.filename "
+			// base lock flags
+			. "eu.deleted, eu.enabled, eu.locked, "
+			// date based lock
+			. "CASE WHEN ("
+			. "(eu.lock_until IS NULL "
+			. "OR (eu.lock_until IS NOT NULL AND NOW() >= eu.lock_until)) "
+			. "AND (eu.lock_after IS NULL "
+			. "OR (eu.lock_after IS NOT NULL AND NOW() <= eu.lock_after))"
+			. ") THEN 0::INT ELSE 1::INT END locked_period, "
+			// login id validation
+			. "login_user_id, "
+			. "CASE WHEN ("
+			. "(eu.login_user_id_valid_from IS NULL "
+			. "OR (eu.login_user_id_valid_from IS NOT NULL AND NOW() >= eu.login_user_id_valid_from)) "
+			. "AND (eu.login_user_id_valid_until IS NULL "
+			. "OR (eu.login_user_id_valid_until IS NOT NULL AND NOW() <= eu.login_user_id_valid_until))"
+			. ") THEN 1::INT ELSE 0::INT END AS login_user_id_valid_date, "
+			// check if user must login
+			. "CASE WHEN eu.login_user_id_revalidate_after IS NOT NULL "
+			. "AND eu.login_user_id_revalidate_after > '0 days'::INTERVAL "
+			. "AND eu.login_user_id_last_revalidate + eu.login_user_id_revalidate_after <= NOW()::DATE "
+			.  "THEN 1::INT ELSE 0::INT END AS login_user_id_revalidate, "
+			. "eu.login_user_id_locked "
+			//
 			. "FROM edit_page ep, edit_page_access epa, edit_group eg, edit_user eu "
 			. "WHERE ep.edit_page_id = epa.edit_page_id "
 			. "AND eg.edit_group_id = epa.edit_group_id "
@@ -1720,6 +1918,30 @@ EOM;
 			$this->login_error = 109;
 			return $this->permission_okay;
 		}
+		if (
+			!$this->loginValidationCheck(
+				(int)$res['deleted'],
+				(int)$res['enabled'],
+				(int)$res['locked'],
+				(int)$res['locked_period'],
+				(int)$res['login_user_id_locked']
+			)
+		) {
+			// errors set in method
+			return $this->permission_okay;
+		}
+		// if login user id parameter and no username, check period here
+		if (
+			empty($this->username) &&
+			!empty($this->login_user_id) &&
+			!$this->loginLoginUserIdCheck(
+				(int)$res['login_user_id_valid_date'],
+				(int)$res['login_user_id_revalidate']
+			)
+		) {
+			// errors set in method
+			return $this->permission_okay;
+		}
 		if (isset($res['filename']) && $res['filename'] == $this->page_name) {
 			$this->permission_okay = true;
 		} else {
@@ -1917,6 +2139,37 @@ EOM;
 		return false;
 	}
 
+	/**
+	 * Returns current set loginUserId or empty if unset
+	 *
+	 * @return string loginUserId or empty string for not set
+	 */
+	public function loginGetLoginUserId(): string
+	{
+		return $this->login_user_id;
+	}
+
+	/**
+	 * Returns GET/POST for where the loginUserId was set
+	 *
+	 * @return string GET or POST or empty string for not set
+	 */
+	public function loginGetLoginUserIdSource(): string
+	{
+		return $this->login_user_id_source;
+	}
+
+	/**
+	 * Returns unclear login user id state. If true then illegal characters
+	 * where present in the loginUserId parameter
+	 *
+	 * @return bool False for clear, True if illegal characters found
+	 */
+	public function loginGetLoginUserIdUnclean(): bool
+	{
+		return $this->login_unclear;
+	}
+
 	/**
 	 * old name for loginGetEditAccessData
 	 *

www/lib/CoreLibs/DB/Extended/ArrayIO.php

@@ -177,7 +177,7 @@ class ArrayIO extends \CoreLibs\DB\IO
 	public function dbResetArray($reset_pk = false): void
 	{
 		reset($this->table_array);
-		foreach ($this->table_array as $column => $data_array) {
+		foreach (array_keys($this->table_array) as $column) {
 			if (!$this->table_array[$column]['pk']) {
 				unset($this->table_array[$column]['value']);
 			} elseif ($reset_pk) {
@@ -208,7 +208,7 @@ class ArrayIO extends \CoreLibs\DB\IO
 		// delete files and build FK query
 		reset($this->table_array);
 		$q_where = '';
-		foreach ($this->table_array as $column => $data_array) {
+		foreach (array_keys($this->table_array) as $column) {
 			// suchen nach bildern und lschen ...
 			if (
 				!empty($this->table_array[$column]['file']) &&
@@ -271,11 +271,22 @@ class ArrayIO extends \CoreLibs\DB\IO
 			if ($q_select) {
 				$q_select .= ', ';
 			}
-			$q_select .= $column;
+			if (
+				!empty($data_array['type']) && $data_array['type'] == 'datetime' &&
+				!empty($data_array['sql_read'])
+			) {
+				// convert tom different timestamp type
+				$q_select .= "TO_CHAR($column, '" . $data_array['sql_read'] . "') AS $column";
+			} else {
+				$q_select .= $column;
+			}
 
 			// check FK ...
-			if (isset($this->table_array[$column]['fk']) && isset($this->table_array[$column]['value'])) {
+			if (
-				if ($q_where) {
+				isset($this->table_array[$column]['fk']) &&
+				isset($this->table_array[$column]['value'])
+			) {
+				if (!empty($q_where)) {
 					$q_where .= ' AND ';
 				}
 				$q_where .= $column .= ' = ' . $this->table_array[$column]['value'];
@@ -450,7 +461,12 @@ class ArrayIO extends \CoreLibs\DB\IO
 				} elseif (isset($this->table_array[$column]['bool'])) {
 					// boolean storeage (reverse check on ifset)
 					$q_data .= "'" . $this->dbBoolean($this->table_array[$column]['value'], true) . "'";
-				} elseif (isset($this->table_array[$column]['interval'])) {
+				} elseif (
+					isset($this->table_array[$column]['interval']) ||
+					isset($this->table_array[$column]['date']) ||
+					isset($this->table_array[$column]['datetime']) ||
+					isset($this->table_array[$column]['emptynull'])
+				) {
 					// for interval we check if no value, then we set null
 					if (
 						!isset($this->table_array[$column]['value']) ||
@@ -458,7 +474,7 @@ class ArrayIO extends \CoreLibs\DB\IO
 					) {
 						$_value = 'NULL';
 					} elseif (isset($this->table_array[$column]['value'])) {
-						$_value = $this->table_array[$column]['value'];
+						$_value = $this->dbEscapeLiteral($this->table_array[$column]['value']);
 					} else {
 						// fallback
 						$_value = 'NULL';
@@ -500,7 +516,10 @@ class ArrayIO extends \CoreLibs\DB\IO
 		// create select part & addition FK part
 		foreach ($this->table_array as $column => $data_array) {
 			// check FK ...
-			if (isset($this->table_array[$column]['fk']) && isset($this->table_array[$column]['value'])) {
+			if (
+				isset($this->table_array[$column]['fk']) &&
+				isset($this->table_array[$column]['value'])
+			) {
 				if (!empty($q_where)) {
 					$q_where .= ' AND ';
 				}
@@ -546,7 +565,6 @@ class ArrayIO extends \CoreLibs\DB\IO
 		}
 		// set primary key
 		if ($insert) {
-			// FIXME: this has to be fixes by fixing DB::IO clas
 			$insert_id = $this->dbGetInsertPK();
 			if (is_array($insert_id)) {
 				$insert_id = 0;

www/lib/CoreLibs/Output/Form/Generate.php

@@ -969,11 +969,13 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 		}
 		// date (YYYY-MM-DD)
 		if ($this->table_array[$element_name]['type'] == 'date') {
-			if (!$this->table_array[$element_name]['value']) {
-				$this->table_array[$element_name]['value'] = 'YYYY-MM-DD';
-			}
 			$data['name'] = $element_name;
-			$data['value'] = $this->table_array[$element_name]['value'];
+			$data['value'] = $this->table_array[$element_name]['value'] ?? '';
+		}
+		// date time (no sec) (YYYY-MM-DD HH:mm)
+		if ($this->table_array[$element_name]['type'] == 'datetime') {
+			$data['name'] = $element_name;
+			$data['value'] = $this->table_array[$element_name]['value'] ?? '';
 		}
 		// textarea
 		if ($this->table_array[$element_name]['type'] == 'textarea') {
@@ -1168,7 +1170,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 							if (!\CoreLibs\Combined\DateTime::checkDate($this->table_array[$key]['value'])) {
 								$this->msg .= sprintf(
 									$this->l->__(
-										'Please enter a vailid date (YYYY-MM-DD) for the <b>%s</b> Field!<br>'
+										'Please enter a valid date (YYYY-MM-DD) for the <b>%s</b> Field!<br>'
 									),
 									$this->table_array[$key]['output_name']
 								);
@@ -1178,17 +1180,30 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 							if (!\CoreLibs\Combined\DateTime::checkDateTime($this->table_array[$key]['value'])) {
 								$this->msg .= sprintf(
 									$this->l->__(
-										'Please enter a vailid time (HH:MM[:SS]) for the <b>%s</b> Field!<br>'
+										'Please enter a valid time (HH:mm[:SS]) for the <b>%s</b> Field!<br>'
 									),
 									$this->table_array[$key]['output_name']
 								);
 							}
 							break;
 						case 'datetime': // YYYY-MM-DD HH:MM[:SS]
-							// not implemented
+							if (!\CoreLibs\Combined\DateTime::checkDateTime($this->table_array[$key]['value'])) {
+								$this->msg .= sprintf(
+									$this->l->__(
+										'Please enter a valid date time (YYYY-MM-DD HH:mm) '
+											. 'for the <b>%s</b> Field!<br>'
+									),
+									$this->table_array[$key]['output_name']
+								);
+							}
 							break;
 						case 'intervalshort': // ony interval n [Y/M/D] only
-							if (preg_match("/^\d{1,3}\ ?[YMDymd]{1}$/", $this->table_array[$key]['value'])) {
+							if (
+								!preg_match(
+									"/^\d{1,3}\ ?([ymd]{1}|day(s)?|year(s)?|month(s)?)$/i",
+									$this->table_array[$key]['value']
+								)
+							) {
 								$this->msg .= sprintf(
 									$this->l->__(
 										'Please enter a valid time interval in the format '