From cc204bbd1f1625352ddd0edaacdd297fe022881c Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Mon, 31 Oct 2011 15:41:53 +0100 Subject: honor autopasswd setting for resend password When autopasswd is disabled, the resend password option now asks for a new password instead of autogenerating a new one and sending it by mail. Note to translators: the wording for btn_resendpwd and resendpwd changed to be more universal. English and German language files where updated - other languages need to be adjusted. Conflicts: inc/lang/en/lang.php --- inc/auth.php | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index eff984b36..740a75a5c 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -852,32 +852,52 @@ function act_resendpwd(){ $token = preg_replace('/[^a-f0-9]+/','',$_REQUEST['pwauth']); if($token){ - // we're in token phase + // we're in token phase - get user info from token $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth'; if(!@file_exists($tfile)){ msg($lang['resendpwdbadauth'],-1); + unset($_REQUEST['pwauth']); return false; } $user = io_readfile($tfile); - @unlink($tfile); $userinfo = $auth->getUserData($user); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; } - $pass = auth_pwgen(); - if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) { - msg('error modifying user data',-1); - return false; - } - if (auth_sendPassword($user,$pass)) { - msg($lang['resendpwdsuccess'],1); - } else { - msg($lang['regmailfail'],-1); + if(!$conf['autopasswd']){ // we let the user choose a password + // password given correctly? + if(!isset($_REQUEST['pass']) || $_REQUEST['pass'] == '') return false; + if($_REQUEST['pass'] != $_REQUEST['passchk']){ + msg('password mismatch',-1); #FIXME localize + return false; + } + $pass = $_REQUEST['pass']; + + if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) { + msg('error modifying user data',-1); + return false; + } + + }else{ // autogenerate the password and send by mail + + $pass = auth_pwgen(); + if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) { + msg('error modifying user data',-1); + return false; + } + + if (auth_sendPassword($user,$pass)) { + msg($lang['resendpwdsuccess'],1); + } else { + msg($lang['regmailfail'],-1); + } } + + @unlink($tfile); return true; } else { -- cgit v1.2.3 From 48d7b7a6544f9cecba4b776c782a3891b28fb300 Mon Sep 17 00:00:00 2001 From: Dominik Eckelmann Date: Tue, 20 Dec 2011 13:50:37 +0100 Subject: use in_array to filter groups instead of preg_grep for acl the usage of preg_grep can result in "regular expression is too large" warnings, which leads to errors in auth_aclcheck. --- inc/auth.php | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e0f58e5f2..941dcb8d6 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -523,18 +523,19 @@ function auth_aclcheck($id,$user,$groups){ $groups[] = '@ALL'; //add User if($user) $groups[] = $user; - //build regexp - $regexp = join('|',$groups); }else{ - $regexp = '@ALL'; + $groups[] = '@ALL'; } //check exact match first - $matches = preg_grep('/^'.preg_quote($id,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL); + $matches = preg_grep('/^'.preg_quote($id,'/').'\s+(\S+)\s+/'.$ci,$AUTH_ACL); if(count($matches)){ foreach($matches as $match){ $match = preg_replace('/#.*$/','',$match); //ignore comments $acl = preg_split('/\s+/',$match); + if (!in_array($acl[1], $groups)) { + continue; + } if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL! if($acl[2] > $perm){ $perm = $acl[2]; @@ -554,20 +555,24 @@ function auth_aclcheck($id,$user,$groups){ } do{ - $matches = preg_grep('/^'.preg_quote($path,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL); + $matches = preg_grep('/^'.preg_quote($path,'/').'\s+(\S+)\s+/'.$ci,$AUTH_ACL); if(count($matches)){ foreach($matches as $match){ $match = preg_replace('/#.*$/','',$match); //ignore comments $acl = preg_split('/\s+/',$match); + if (!in_array($acl[1], $groups)) { + continue; + } if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL! if($acl[2] > $perm){ $perm = $acl[2]; } } //we had a match - return it - return $perm; + if ($perm != -1) { + return $perm; + } } - //get next higher namespace $ns = getNS($ns); @@ -582,9 +587,6 @@ function auth_aclcheck($id,$user,$groups){ return AUTH_NONE; } }while(1); //this should never loop endless - - //still here? return no permissions - return AUTH_NONE; } /** -- cgit v1.2.3 From 451e1b4dc1985d10b3aeaeeaf23d5498ce87032b Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 17 Feb 2012 14:10:10 +0100 Subject: use correct lang string for password mismatch --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 740a75a5c..437a82a82 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -872,7 +872,7 @@ function act_resendpwd(){ // password given correctly? if(!isset($_REQUEST['pass']) || $_REQUEST['pass'] == '') return false; if($_REQUEST['pass'] != $_REQUEST['passchk']){ - msg('password mismatch',-1); #FIXME localize + msg($lang['regbadpass'],-1); return false; } $pass = $_REQUEST['pass']; -- cgit v1.2.3 From 8a9735e34dc99c24355e0aee74a3cd49aa3b1492 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 19 Feb 2012 13:38:31 +0100 Subject: added a timelimit for password reset tokens passwords now need to be reset within 3 days of requesting the password change mail --- inc/auth.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 437a82a82..4e11288e1 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -860,6 +860,14 @@ function act_resendpwd(){ unset($_REQUEST['pwauth']); return false; } + // token is only valid for 3 days + if( (time() - filemtime($tfile)) > (3*60*60*24) ){ + msg($lang['resendpwdbadauth'],-1); + unset($_REQUEST['pwauth']); + @unlink($tfile); + return false; + } + $user = io_readfile($tfile); $userinfo = $auth->getUserData($user); if(!$userinfo['mail']) { -- cgit v1.2.3