Add safeties to avoid password recovery being turned on at all with zero
profile fields selected, to avoid confusion. Update some documentation.
This commit is contained in:
Drake
parent
c909ac9740
commit
574b0313c3
4 changed files with 46 additions and 16 deletions
|
|
@ -14,15 +14,18 @@ save you many hours of grief.
|
|||
running the entire test suite prior to SVN commits easier to do
|
||||
since it won't take so long.
|
||||
|
||||
* Password recovery has been redone. It is now based on profile fields
|
||||
* Password recovery has been redone, and is now based on profile fields
|
||||
rather than email access. Since there's no real way to migrate the
|
||||
latter to one to the other, this upgrade disables password recovery;
|
||||
before enabling it again, use the profile fields editor to set certain
|
||||
fields as required for password recovery. Then any user who enters all
|
||||
of those fields correctly can recover their password. The template
|
||||
variables are also different, so if you have a custom password recovery
|
||||
template, you will have to update it. See the new default password
|
||||
recovery template for an example of how to use the new variables.
|
||||
one to the other, this upgrade _disables password recovery_. The template
|
||||
variables for password recovery are also different, so if
|
||||
you have a custom template, you will have to update it.
|
||||
|
||||
To enable password recovery, you must first pick a set of profile fields
|
||||
to use such that any user who knows that set of fields can reset their
|
||||
password based on those. Edit each of those profile fields to turn the
|
||||
"Required for password recovery?" flag on; then you will be able to
|
||||
enable password recovery. It is highly advisable to pick several fields,
|
||||
as one field only is very easy to break.
|
||||
|
||||
7.2.0
|
||||
--------------------------------------------------------------------
|
||||
|
|
|
|||
|
|
@ -423,14 +423,16 @@ sub editUserSettingsForm {
|
|||
-label=>$i18n->get(18)
|
||||
);
|
||||
$f->yesNo(
|
||||
-name=>"webguiPasswordRecovery",
|
||||
-value=>$self->session->setting->get("webguiPasswordRecovery"),
|
||||
-label=>$i18n->get(6)
|
||||
-name => "webguiPasswordRecovery",
|
||||
-value => $self->session->setting->get("webguiPasswordRecovery"),
|
||||
-label => $i18n->get(6),
|
||||
-hoverHelp => $i18n->get('webguiPasswordRecovery hoverHelp')
|
||||
);
|
||||
$f->yesNo(
|
||||
-name=>"webguiPasswordRecoveryRequireUsername",
|
||||
-value=>$self->session->setting->get("webguiPasswordRecoveryRequireUsername"),
|
||||
-label=>$i18n->get('require username for password recovery')
|
||||
-name => "webguiPasswordRecoveryRequireUsername",
|
||||
-value => $self->session->setting->get("webguiPasswordRecoveryRequireUsername"),
|
||||
-label => $i18n->get('require username for password recovery'),
|
||||
-hoverHelp => $i18n->get('webguiPasswordRecoveryRequireUsername hoverHelp')
|
||||
);
|
||||
$f->yesNo(
|
||||
-name=>"webguiValidateEmail",
|
||||
|
|
@ -490,7 +492,11 @@ sub editUserSettingsFormSave {
|
|||
$s->set("webguiWelcomeMessage", $f->process("webguiWelcomeMessage","textarea"));
|
||||
$s->set("webguiChangeUsername", $f->process("webguiChangeUsername","yesNo"));
|
||||
$s->set("webguiChangePassword", $f->process("webguiChangePassword","yesNo"));
|
||||
$s->set("webguiPasswordRecovery", $f->process("webguiPasswordRecovery","yesNo"));
|
||||
|
||||
# Special case to make sure we have at least one field enabled before allowing
|
||||
# password recovery to be turned on.
|
||||
$s->set("webguiPasswordRecovery", $f->process("webguiPasswordRecovery","yesNo") && ($self->session->db->quickArray("SELECT COUNT(*) FROM userProfileField WHERE requiredForPasswordRecovery = 1"))[0] > 0);
|
||||
|
||||
$s->set("webguiPasswordRecoveryRequireUsername", $f->process("webguiPasswordRecoveryRequireUsername","yesNo"));
|
||||
$s->set("webguiValidateEmail", $f->process("webguiValidateEmail","yesNo"));
|
||||
$s->set("webguiUseCaptcha", $f->process("webguiUseCaptcha","yesNo"));
|
||||
|
|
|
|||
|
|
@ -343,13 +343,24 @@ Returns the user to www_editProfileSettings when done.
|
|||
sub www_editProfileFieldSave {
|
||||
my $session = shift;
|
||||
return $session->privilege->adminOnly() unless ($session->user->isInGroup(3));
|
||||
|
||||
# Special case for WebGUI auth password recovery.
|
||||
my $requiredForPasswordRecovery = $session->form->yesNo('requiredForPasswordRecovery');
|
||||
if ($session->setting->get('authMethod') eq 'WebGUI'
|
||||
and $session->setting->get('webguiPasswordRecovery')
|
||||
and not $requiredForPasswordRecovery
|
||||
and ($session->db->quickArray("SELECT COUNT(*) FROM userProfileField WHERE requiredForPasswordRecovery = 1"))[0] == 1) {
|
||||
# We'd be turning off the only one. Don't do it.
|
||||
$requiredForPasswordRecovery = 1;
|
||||
}
|
||||
|
||||
my %data = (
|
||||
label=>$session->form->text("label"),
|
||||
editable=>$session->form->yesNo("editable"),
|
||||
visible=>$session->form->yesNo("visible"),
|
||||
required=>$session->form->yesNo("required"),
|
||||
showAtRegistration=>$session->form->yesNo("showAtRegistration"),
|
||||
requiredForPasswordRecovery=>$session->form->yesNo("requiredForPasswordRecovery"),
|
||||
requiredForPasswordRecovery=>$requiredForPasswordRecovery,
|
||||
possibleValues=>$session->form->textarea("possibleValues"),
|
||||
dataDefault=>$session->form->textarea("dataDefault"),
|
||||
fieldType=>$session->form->fieldType("fieldType"),
|
||||
|
|
|
|||
|
|
@ -255,6 +255,16 @@ our $I18N = {
|
|||
lastUpdated => 1071507760
|
||||
},
|
||||
|
||||
'webguiPasswordRecovery hoverHelp' => {
|
||||
message => q|Select "Yes" to permit users who know a particular combination of their profile fields to recover their passwords. In order for this to take effect, at least one profile field must have its "Required for password recovery?" flag turned on. It is highly advisable to pick several fields, as using only one field is usually very easy to break; remember that anyone who discovers all of those fields for a user can reset that user's password.|,
|
||||
lastUpdated => 1071507760
|
||||
},
|
||||
|
||||
'webguiPasswordRecoveryRequireUsername hoverHelp' => {
|
||||
message => q|Select "Yes" if you want users to also have to enter their username for password recovery. Otherwise, they will be able to reset their password and log themselves in by knowing only the other profile fields that are enabled for password recovery, even if they have forgotten their username.|,
|
||||
lastUpdated => 1071507760
|
||||
},
|
||||
|
||||
'recovery template title' => {
|
||||
message => q|WebGUI Authentication Password Recovery Template|,
|
||||
lastUpdated => 1078856556
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue