Add safeties to avoid password recovery being turned on at all with zero profile fields selected, to avoid confusion. Update some documentation.
Drake 2006-12-06 22:31:00 +00:00
parent c909ac9740
commit 574b0313c3
4 changed files with 46 additions and 16 deletions


@ -423,14 +423,16 @@ sub editUserSettingsForm {
-label=>$i18n->get(18)
);
$f->yesNo(
-name=>"webguiPasswordRecovery",
-value=>$self->session->setting->get("webguiPasswordRecovery"),
-label=>$i18n->get(6)
-name => "webguiPasswordRecovery",
-value => $self->session->setting->get("webguiPasswordRecovery"),
-label => $i18n->get(6),
-hoverHelp => $i18n->get('webguiPasswordRecovery hoverHelp')
);
$f->yesNo(
-name=>"webguiPasswordRecoveryRequireUsername",
-value=>$self->session->setting->get("webguiPasswordRecoveryRequireUsername"),
-label=>$i18n->get('require username for password recovery')
-name => "webguiPasswordRecoveryRequireUsername",
-value => $self->session->setting->get("webguiPasswordRecoveryRequireUsername"),
-label => $i18n->get('require username for password recovery'),
-hoverHelp => $i18n->get('webguiPasswordRecoveryRequireUsername hoverHelp')
);
$f->yesNo(
-name=>"webguiValidateEmail",
@ -490,7 +492,11 @@ sub editUserSettingsFormSave {
$s->set("webguiWelcomeMessage", $f->process("webguiWelcomeMessage","textarea"));
$s->set("webguiChangeUsername", $f->process("webguiChangeUsername","yesNo"));
$s->set("webguiChangePassword", $f->process("webguiChangePassword","yesNo"));
$s->set("webguiPasswordRecovery", $f->process("webguiPasswordRecovery","yesNo"));
# Special case to make sure we have at least one field enabled before allowing
# password recovery to be turned on.
$s->set("webguiPasswordRecovery", $f->process("webguiPasswordRecovery","yesNo") && ($self->session->db->quickArray("SELECT COUNT(*) FROM userProfileField WHERE requiredForPasswordRecovery = 1"))[0] > 0);
$s->set("webguiPasswordRecoveryRequireUsername", $f->process("webguiPasswordRecoveryRequireUsername","yesNo"));
$s->set("webguiValidateEmail", $f->process("webguiValidateEmail","yesNo"));
$s->set("webguiUseCaptcha", $f->process("webguiUseCaptcha","yesNo"));
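Review bot: The combined expression on the `$s->set("webguiPasswordRecovery", ...)` line silently overrides the administrator's "Yes" when no profile field is flagged, and because `&&` yields the result of the `>` comparison, the stored value in that case is the empty string rather than a 0 (presumably what the `yesNo` processing returns on its own) — nothing tells the admin why recovery stayed off. Splitting it keeps the stored value well-formed and the intent readable: `my $wantRecovery = $f->process("webguiPasswordRecovery","yesNo");` then `my ($recoveryFields) = $self->session->db->quickArray("SELECT COUNT(*) FROM userProfileField WHERE requiredForPasswordRecovery = 1");` then `$s->set("webguiPasswordRecovery", ($wantRecovery && $recoveryFields > 0) ? 1 : 0);`. It would also be worth surfacing the override in the settings form, since otherwise the admin sees "No" with no explanation. Note that the check treats a single flagged field as sufficient even though the hover help added in this same commit says one field alone is usually easy to break; the enclosing sub continues outside the hunk.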


@ -343,13 +343,24 @@ Returns the user to www_editProfileSettings when done.
sub www_editProfileFieldSave {
my $session = shift;
return $session->privilege->adminOnly() unless ($session->user->isInGroup(3));
# Special case for WebGUI auth password recovery.
my $requiredForPasswordRecovery = $session->form->yesNo('requiredForPasswordRecovery');
if ($session->setting->get('authMethod') eq 'WebGUI'
and $session->setting->get('webguiPasswordRecovery')
and not $requiredForPasswordRecovery
and ($session->db->quickArray("SELECT COUNT(*) FROM userProfileField WHERE requiredForPasswordRecovery = 1"))[0] == 1) {
# We'd be turning off the only one. Don't do it.
$requiredForPasswordRecovery = 1;
}
my %data = (
label=>$session->form->text("label"),
editable=>$session->form->yesNo("editable"),
visible=>$session->form->yesNo("visible"),
required=>$session->form->yesNo("required"),
showAtRegistration=>$session->form->yesNo("showAtRegistration"),
requiredForPasswordRecovery=>$session->form->yesNo("requiredForPasswordRecovery"),
requiredForPasswordRecovery=>$requiredForPasswordRecovery,
possibleValues=>$session->form->textarea("possibleValues"),
dataDefault=>$session->form->textarea("dataDefault"),
fieldType=>$session->form->fieldType("fieldType"),
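Review bot: The new guard at the top of `www_editProfileFieldSave` fires on any field save while exactly one field is flagged, not only when that flagged field is being edited: the COUNT query does not exclude the field currently being saved, so saving an unrelated, unflagged field with the box unchecked forces `requiredForPasswordRecovery = 1` onto that field as well, silently adding it to the data a user must supply to recover a password. The query should exclude the field being saved, e.g. append `AND fieldName <> ?` (or whatever the table's key column is) bound to the submitted field identifier — its form parameter is not visible in this hunk, so confirm against the rest of the sub — and the guard should apply only when the saved field is currently the flagged one. As written the override is also invisible to the administrator, who gets no indication that the submitted value was discarded. This guard presumably does not cover deleting the field outright if a separate delete handler exists; that code is not visible here. The `%data` hash construction continues outside the hunk.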


@ -255,6 +255,16 @@ our $I18N = {
lastUpdated => 1071507760
},
'webguiPasswordRecovery hoverHelp' => {
message => q|Select "Yes" to permit users who know a particular combination of their profile fields to recover their passwords. In order for this to take effect, at least one profile field must have its "Required for password recovery?" flag turned on. It is highly advisable to pick several fields, as using only one field is usually very easy to break; remember that anyone who discovers all of those fields for a user can reset that user's password.|,
lastUpdated => 1071507760
},
'webguiPasswordRecoveryRequireUsername hoverHelp' => {
message => q|Select "Yes" if you want users to also have to enter their username for password recovery. Otherwise, they will be able to reset their password and log themselves in by knowing only the other profile fields that are enabled for password recovery, even if they have forgotten their username.|,
lastUpdated => 1071507760
},
'recovery template title' => {
message => q|WebGUI Authentication Password Recovery Template|,
lastUpdated => 1078856556