From f87e32452a1312da49278fddd83260815a9c266f Mon Sep 17 00:00:00 2001 From: Doug Bell Date: Thu, 5 Jun 2008 18:25:24 +0000 Subject: [PATCH] fixed: Password recovery no longer allows disabled users to recover or log in --- docs/changelog/7.x.x.txt | 2 + lib/WebGUI/Auth/WebGUI.pm | 91 +++++++++++++++---------- lib/WebGUI/Operation/ProfileSettings.pm | 12 ---- lib/WebGUI/i18n/English/AuthWebGUI.pm | 5 ++ 4 files changed, 61 insertions(+), 49 deletions(-) diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt index 2b0e3c56f..b821558fe 100644 --- a/docs/changelog/7.x.x.txt +++ b/docs/changelog/7.x.x.txt @@ -94,6 +94,8 @@ - added: Show a Message when users login - added: Two new approval activities, ByCommitterGroup and ByLineage - fixed: Gallery Search form doesn't work right in IE6 + - fixed: Password Recovery now only works for Active users and does not allow + deactivated users to log in 7.5.10 - fix: Syntax error in GetCsMail diff --git a/lib/WebGUI/Auth/WebGUI.pm b/lib/WebGUI/Auth/WebGUI.pm index e6152d07b..6aceb25bc 100644 --- a/lib/WebGUI/Auth/WebGUI.pm +++ b/lib/WebGUI/Auth/WebGUI.pm @@ -710,12 +710,17 @@ sub recoverPassword { sub emailRecoverPassword { my $self = shift; - + my $error = shift; my $i18n = WebGUI::International->new($self->session); + my $output - = "

" . $i18n->get('recover password banner', 'AuthWebGUI') . "



" + = "

" . $i18n->get('recover password banner', 'AuthWebGUI') . "

" . "

" . $i18n->get('email recover password start message', 'AuthWebGUI') ."

" ; + + if ( $error ) { + $output .= '

' . $error . '

'; + } my $f = WebGUI::HTMLForm->new($self->session); @@ -867,8 +872,14 @@ sub profileRecoverPasswordFinish { # Exactly one result. my $userId = $userIds[0]; - my ($password, $passwordConfirm) = ($self->session->form->process('authWebGUI.identifier'), $self->session->form->process('authWebGUI.identifierConfirm')); + # Make sure the userId is not disabled + my $user = WebGUI::User->new($self->session, $userId); + if ( $user->status ne "Active" ) { + return $self->recoverPassword( $i18n2->get( 'password recovery disabled' ) ); + } + + my ($password, $passwordConfirm) = ($self->session->form->process('authWebGUI.identifier'), $self->session->form->process('authWebGUI.identifierConfirm')); unless (defined $password and defined $passwordConfirm) { my $vars = {}; $vars->{title} = $i18n->get(71); @@ -917,7 +928,7 @@ sub profileRecoverPasswordFinish { } if ($self->_isValidPassword($password, $passwordConfirm)) { - $self->user(WebGUI::User->new($self->session, $userId)); + $self->user( $user ); $self->saveParams($userId, $self->authMethod, { identifier => Digest::MD5::md5_base64($password), passwordLastUpdated => $self->session->datetime->time }); 
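Review bot: The new `$error` argument is concatenated straight into the page markup at `' . $error . '` with no escaping, so this method is only safe while every caller passes a trusted i18n string, which is what the two callers added elsewhere in this patch do. Because `emailRecoverPassword` is a public method, that contract should be stated where the argument is unpacked: `my $error = shift;   # trusted, already-localised text only; never pass raw form input here`. Alternatively, pass `$error` through the project's HTML-escaping helper before appending it, though I cannot name that helper from this patch. The rest of the method body continues past the hunk.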
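Review bot: `$i18n2` is used at `$i18n2->get( 'password recovery disabled' )` but nothing in this hunk declares it; the `my $i18n2` added to `emailRecoverPasswordFinish` in a later hunk is lexical to that sub and not visible here. Unless `profileRecoverPasswordFinish` already declares `$i18n2` above this hunk, the file will fail under `use strict`. The existing `$i18n` object already accepts a namespace as its second argument elsewhere in this file, so the safest one-line form is `return $self->recoverPassword( $i18n->get( 'password recovery disabled', 'AuthWebGUI' ) );`. The enclosing sub begins before this hunk, so I cannot confirm the declaration either way.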
@@ -931,43 +942,49 @@ sub profileRecoverPasswordFinish { #------------------------------------------------------------------- sub emailRecoverPasswordFinish { - my $self = shift; - return $self->displayLogin unless ($self->session->setting->get('webguiPasswordRecovery') ne '') and $self->userId eq '1'; + my $self = shift; + return $self->displayLogin unless ($self->session->setting->get('webguiPasswordRecovery') ne '') and $self->userId eq '1'; - my $i18n = WebGUI::International->new($self->session); - my $session = $self->session; - my ($form) = $session->quick(qw/form/); - my $email = $form->param('email'); - my $username = $form->param('username'); - my $user; - -# get user from email - $user = WebGUI::User->newByEmail($session, $email) if $email; -# get user from username - if ($username) { - $user = WebGUI::User->newByUsername($session, $username) unless $user; - } -# return error unless we get a valid user. - - unless ($user) { - return $i18n->get('recover password not found', 'AuthWebGUI'); - } + my $i18n = WebGUI::International->new($self->session); + my $i18n2 = WebGUI::International->new($self->session, 'AuthWebGUI'); + my $session = $self->session; + my ($form) = $session->quick(qw/form/); + my $email = $form->param('email'); + my $username = $form->param('username'); + my $user; -# generate information necessry to proceed - my $recoveryGuid = $session->id->generate(); - my $url = $session->url->getSiteURL; - my $userId = $user->userId; #get the user guid - $email = $user->profileField('email') unless $email; #get email address from the profile, unless we already have it + # get user from email + $user = WebGUI::User->newByEmail($session, $email) if $email; + # get user from username + if ($username) { + $user = WebGUI::User->newByUsername($session, $username) unless $user; + } - my $authsettings = $self->getParams($userId); - $authsettings->{emailRecoverPasswordVerificationNumber} = $recoveryGuid; + # return error unless we get a valid user.\ + unless 
($user) { + return $self->recoverPassword( $i18n->get('recover password not found', 'AuthWebGUI') ); + } - $self->saveParams($userId, 'WebGUI', $authsettings); - - my $mail = WebGUI::Mail::Send->create($session, { to=>$email, subject=>'WebGUI password recovery'}); - $mail->addText($i18n->get('recover password email text1', 'AuthWebGUI') . $url. ". \n\n".$i18n->get('recover password email text2', 'AuthWebGUI')." \n\n ".$url."?op=auth;method=emailResetPassword;token=$recoveryGuid"."\n\n ". $i18n->get('recover password email text3', 'AuthWebGUI')); - $mail->send; - return "

". $i18n->get('recover password banner', 'AuthWebGUI')."



". $i18n->get('email recover password finish message1', 'AuthWebGUI'). $email . $i18n->get('email recover password finish message2', 'AuthWebGUI') . "

"; + # Make sure the user is Active + if ( $user->status ne "Active" ) { + return $self->recoverPassword( $i18n2->get( 'password recovery disabled' ) ); + } + + # generate information necessry to proceed + my $recoveryGuid = $session->id->generate(); + my $url = $session->url->getSiteURL; + my $userId = $user->userId; #get the user guid + $email = $user->profileField('email') unless $email; #get email address from the profile, unless we already have it + + my $authsettings = $self->getParams($userId); + $authsettings->{emailRecoverPasswordVerificationNumber} = $recoveryGuid; + + $self->saveParams($userId, 'WebGUI', $authsettings); + + my $mail = WebGUI::Mail::Send->create($session, { to=>$email, subject=>'WebGUI password recovery'}); + $mail->addText($i18n->get('recover password email text1', 'AuthWebGUI') . $url. ". \n\n".$i18n->get('recover password email text2', 'AuthWebGUI')." \n\n ".$url."?op=auth;method=emailResetPassword;token=$recoveryGuid"."\n\n ". $i18n->get('recover password email text3', 'AuthWebGUI')); + $mail->send; + return "

". $i18n->get('recover password banner', 'AuthWebGUI')."



". $i18n->get('email recover password finish message1', 'AuthWebGUI'). $email . $i18n->get('email recover password finish message2', 'AuthWebGUI') . "

"; } #------------------------------------------------------------------- diff --git a/lib/WebGUI/Operation/ProfileSettings.pm b/lib/WebGUI/Operation/ProfileSettings.pm index f0591a7fe..a6930c456 100644 --- a/lib/WebGUI/Operation/ProfileSettings.pm +++ b/lib/WebGUI/Operation/ProfileSettings.pm @@ -302,18 +302,6 @@ sub www_editProfileField { -value=>ucfirst $data->{fieldType}, -defaultValue=>"Text", ); - my @profileForms = (); - foreach my $form ( sort @{ $fieldType->getTypes() }) { - next if $form eq 'DynamicField'; - my $w = eval { WebGUI::Pluggable::instanciate("WebGUI::Form::".$form, "new", [$session]) }; - if ($@) { - $session->errorHandler->error($@); - next; - } - push @profileForms, $form if $w->isDynamicCompatible(); - } - - $fieldType->set("types", \@profileForms); $f->raw($fieldType->toHtmlWithWrapper()); $f->textarea( -name => "possibleValues", diff --git a/lib/WebGUI/i18n/English/AuthWebGUI.pm b/lib/WebGUI/i18n/English/AuthWebGUI.pm index 4cc3fd176..e400bd085 100644 --- a/lib/WebGUI/i18n/English/AuthWebGUI.pm +++ b/lib/WebGUI/i18n/English/AuthWebGUI.pm @@ -639,6 +639,11 @@ our $I18N = { lastUpdated => 0, }, + 'password recovery disabled' => { + message => q{Your account has been disabled. You cannot recover your password until it is activated.}, + lastUpdated => 0, + context => q{Error message when a user tries to recover password for a disabled account}, + }, }; 1;
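Review bot: The recovery e-mail can still be sent to an address chosen by the requester: when both `email` and `username` are submitted and `newByEmail` finds nothing for the address, the user is resolved from `username`, but `$email = $user->profileField('email') unless $email;` keeps the submitted address, so the reset token for the victim account goes to the requester's mailbox (this assumes `newByEmail` returns a false value for an unknown address, which the `unless $user` fallback already relies on). The destination should always come from the account record: `$email = $user->profileField('email');`. Secondarily, answering `'recover password not found'` for unknown accounts and `'password recovery disabled'` for disabled ones lets an unauthenticated caller distinguish the two and enumerate accounts; returning one generic message from both `return $self->recoverPassword(...)` branches avoids that disclosure. The status check itself is correctly placed before the token is generated and stored.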