
Revision e1faff49

Added by Jim Pingle over 1 year ago

Password management changes. Part of issue #15266

  • Add function to determine if a given password is valid for use.
  • Revise the self-service password change page to be more user-friendly
    and to handle password validation.
  • Leave room for Plus to utilize additional restrictions.


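--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -646,6 +646,24 @@
 	}
 }
 
+/* Determine if a given string is valid for use as a password.
+ * Returns an array of messages describing the problems.
+ */
+function validate_password($username, $password) {
+	$errors = [];
+
+	/* Rules for CE and Plus */
+	/* Disallow changing the password to the username. */
+	if ($username == $password) {
+		$errors[] = gettext("The password cannot be identical to the username.");
+	}
+	/* End rules for CE and Plus */
+
+	/* Plus-specific rules */
+	/* End Plus-specific rules */
+	return $errors;
+}
+
 function local_user_set(& $user) {
 	global $g, $debug;
 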
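Review bot: `validate_password` compares the username and password with loose `==` at new line 657, so two numeric-looking strings (for example a username of `100` and a password of `1e2`, constructed here) are treated as identical and rejected with a message that does not describe what happened; `if ($username === $password) {` gives the byte-wise comparison the message promises. The docblock should also state the contract the caller in system_usermanager_passwordmg.php relies on, e.g. `/* Determine if a given string is valid for use as a password. Returns an empty array when the password is acceptable; each entry is a translated, display-ready message describing one problem. */`. The check is case-sensitive as written, so a password that is merely a case variant of the username passes; if that is intended it is worth a one-line comment, otherwise a separate rule would be needed.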
src/usr/local/www/system_usermanager_passwordmg.php
35 35
$logging_level = LOG_WARNING;
36 36
$logging_prefix = gettext("Local User Database");
37 37

  
38
$pgtitle = array(gettext("System"), gettext("User Password"));
38
$pgtitle = array(gettext("System"), gettext("User Password Manager"));
39

  
40
$password_extra_help = sprintf(gettext('%1$sThe password cannot be identical to the username.'), '<br/>');
41

  
42
unset($input_errors);
43
$input_errors = [];
44

  
45
phpsession_begin();
46
$guiuser = getUserEntry($_SESSION['Username']);
47
$read_only = (is_array($guiuser) && userHasPrivilege($guiuser, "user-config-readonly"));
48
/* Determine if the current user authenticated locally */
49
$islocal = false;
50
foreach (config_get_path('system/user', []) as $user) {
51
	if ($user['name'] == $_SESSION['Username']) {
52
		$islocal = true;
53
	}
54
}
55
phpsession_end(true);
39 56

  
40 57
if (isset($_POST['save'])) {
41
	unset($input_errors);
42
	/* input validation */
58
	/* Input validation */
59
	if (!$islocal) {
60
		$input_errors[] = gettext("This page cannot change passwords for non-local users.");
61
	}
62
	if ($read_only) {
63
		$input_errors[] = gettext("The current user is read-only and cannot change the configuration.");
64
	}
43 65

  
44 66
	$reqdfields = explode(" ", "passwordfld1");
45 67
	$reqdfieldsn = array(gettext("Password"));
......
53 75
		$input_errors[] = gettext("Could not locate this user.");
54 76
	}
55 77

  
78
	$input_errors = array_merge($input_errors, validate_password($_SESSION['Username'], $_POST['passwordfld1']));
79

  
56 80
	if (!$input_errors) {
57 81
		phpsession_begin();
58
		// all values are okay --> saving changes
82
		// Save changes to the current user
59 83
		$userent =& $config['system']['user'][$userindex[$_SESSION['Username']]];
60 84
		local_user_set_password($userent, $_POST['passwordfld1']);
61 85
		local_user_set($userent);
......
68 92
	}
69 93
}
70 94

  
71
phpsession_begin();
72

  
73
/* determine if user is not local to system */
74
$islocal = false;
75
foreach (config_get_path('system/user', []) as $user) {
76
	if ($user['name'] == $_SESSION['Username']) {
77
		$islocal = true;
78
	}
79
}
80

  
81
phpsession_end(true);
82

  
83 95
include("head.inc");
84 96

  
85 97
if ($input_errors) {
86 98
	print_input_errors($input_errors);
87 99
}
88 100

  
101
if (!$islocal) {
102
	print_info_box(gettext("This page cannot change passwords for non-local users."), 'danger');
103
}
104
if ($read_only) {
105
	print_info_box(gettext("The current user is read-only and cannot change the configuration."), 'danger');
106
}
107

  
89 108
if ($savemsg) {
90 109
	print_info_box($savemsg, 'success');
91 110
}
92 111

  
93 112
$tab_array = array();
94
$tab_array[] = array(gettext("User Password"), true, "system_usermanager_passwordmg.php");
113
$tab_array[] = array(gettext("Change Password"), true, "system_usermanager_passwordmg.php");
95 114
$tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php");
96 115
$tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php");
97 116
$tab_array[] = array(gettext("Authentication Servers"), false, "system_authservers.php");
98 117
display_top_tabs($tab_array);
99 118

  
100
if ($islocal == false) {
101
	echo gettext("The password cannot be changed for a non-local user.");
102
	include("foot.inc");
103
	exit;
104
}
105

  
106 119
$form = new Form();
107 120

  
108
$section = new Form_Section('Update Password');
121
$section = new Form_Section('Change Password');
109 122

  
110
$section->addInput(new Form_Input(
111
	'passwordfld1',
112
	'*Password',
113
	'password',
114
	null,
115
	['autocomplete' => 'new-password']
123
$section->addInput(new Form_StaticText(
124
	'',
125
	'This page changes the password for the current user in the local configuration. ' .
126
	'This affects all services which utilize the Local Authentication database ' .
127
	'(User Manager).' .
128
	'<br/><br/>' .
129
	'This page cannot change passwords for users from other authentication ' .
130
	'sources such as LDAP or RADIUS.'
116 131
));
117 132

  
118
$section->addInput(new Form_Input(
119
	'passwordfld2',
120
	'*Confirmation',
121
	'password',
122
	null,
123
	['autocomplete' => 'new-password']
124
))->setHelp('Select a new password');
133
/* Only display password change fields for local users. */
134
if ($islocal &&
135
    !$read_only) {
136
	$section->addInput(new Form_StaticText(
137
		'Database',
138
		'Local Authentication'
139
	));
140

  
141
	$section->addInput(new Form_StaticText(
142
		'Username',
143
		$_SESSION['Username']
144
	));
145

  
146
	$section->addInput(new Form_Input(
147
		'passwordfld1',
148
		'*Password',
149
		'password',
150
		null,
151
		['autocomplete' => 'new-password']
152
	))->setHelp('Enter a new password.' .
153
			'%1$s%1$s' .
154
			'Hints:%1$s' .
155
			'Current NIST guidelines prioritize password length over complexity.' .
156
			' %2$s', '<br/>', $password_extra_help);
157

  
158
	$section->addInput(new Form_Input(
159
		'passwordfld2',
160
		'*Confirmation',
161
		'password',
162
		null,
163
		['autocomplete' => 'new-password']
164
	))->setHelp('Type the new password again for confirmation.');
165
}
125 166

  
126 167
$form->add($section);
127 168
print($form);
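Review bot: `$_SESSION['Username']` is passed to `Form_StaticText` unescaped at new line 143, and this same hunk shows that class emitting its content verbatim (the `<br/><br/>` markup at new lines 125–130 is meant to render), so the username reaches the page as raw HTML; `htmlspecialchars($_SESSION['Username'])` keeps the display safe regardless of what the user manager accepted when the account was created. At new line 78 `validate_password($_SESSION['Username'], $_POST['passwordfld1'])` reads the POST key unconditionally; the required-field check presumably sits in the elided lines 68–74, but a submission without that field still raises an undefined-array-key warning on PHP 8 before the input error is displayed, so `$_POST['passwordfld1'] ?? ''` is the safer form. The non-local and read-only messages are duplicated verbatim at new lines 60/102 and 63/105; holding each in a variable keeps the validation error and the info box from drifting apart in translation.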
