Commit f4b43ace authored by Robert Lyon's avatar Robert Lyon

Security bug 1728473: Make forgotpass message more generic

And show it after submission

Also allow captcha field if this is enabled in admin

Change-Id: Ia38d1c6e9b5ec325e8bb91f72dcad3dbf3ed20ef
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent 2f96b310
......@@ -19,7 +19,7 @@ require('init.php');
if ($SESSION->get('pwchangerequested')) {
$SESSION->set('pwchangerequested', false);
die_info(get_string('pwchangerequestsent'));
die_info(get_string('pwchangerequestsentfullinfo'));
}
if (isset($_GET['key'])) {
......@@ -96,6 +96,9 @@ $form = array(
'required' => true,
)
),
'captcha' => array(
'type' => 'captcha',
),
'submit' => array(
'type' => 'submit',
'class' => 'btn-primary',
......@@ -104,92 +107,64 @@ $form = array(
)
);
function forgotpass_validate(Pieform $form, $values) {
// See if the user input an email address or a username. We favour email addresses
if (!$form->get_error('emailusername')) {
// Check if the user who associates to username or email address is using the external authentication
if (record_exists_sql('SELECT u.authinstance
FROM {usr} u INNER JOIN {auth_instance} ai ON (u.authinstance = ai.id AND ai.active = 1)
WHERE (LOWER(u.email) = ? OR LOWER(u.username) = ?)
AND ((ai.authname != \'internal\') AND (ai.authname != \'none\'))', array_fill(0, 2, strtolower($values['emailusername'])))) {
$form->set_error('emailusername', get_string('forgotpassuserusingexternalauthentication', 'mahara', get_config('wwwroot') . 'contact.php'), false);
}
else {
if (!($authinstance = get_field_sql('SELECT u.authinstance
FROM {usr} u INNER JOIN {auth_instance} ai ON (u.authinstance = ai.id AND ai.active = 1)
WHERE (LOWER(u.email) = ? OR LOWER(u.username) = ?)
AND ai.authname = \'internal\'', array_fill(0, 2, strtolower($values['emailusername']))))) {
$form->set_error('emailusername', get_string('forgotpassnosuchemailaddressorusername'));
}
}
}
if ($form->get_error('emailusername')) {
return;
}
$authobj = AuthFactory::create($authinstance);
if (!method_exists($authobj, 'change_password')) {
die_info(get_string('cantchangepassword'));
}
}
function forgotpass_submit(Pieform $form, $values) {
global $SESSION;
try {
if (!($user = get_record_sql('SELECT u.* FROM {usr} u
INNER JOIN {auth_instance} ai ON (u.authinstance = ai.id AND ai.active = 1)
WHERE (LOWER(u.email) = ? OR LOWER(u.username) = ?)
AND ai.authname = \'internal\'', array_fill(0, 2, strtolower($values['emailusername']))))) {
die_info(get_string('forgotpassnosuchemailaddressorusername'));
}
$pwrequest = new StdClass;
$pwrequest->usr = $user->id;
$pwrequest->expiry = db_format_timestamp(time() + 86400);
$pwrequest->key = get_random_key();
$sitename = get_config('sitename');
$fullname = display_name($user);
// Override the disabled status of this e-mail address
$user->ignoredisabled = true;
email_user($user, null,
get_string('forgotusernamepasswordemailsubject', 'mahara', $sitename),
get_string('forgotusernamepasswordemailmessagetext', 'mahara',
$fullname,
$sitename,
$user->username,
get_config('wwwroot') . 'forgotpass.php?key=' . $pwrequest->key,
get_config('wwwroot') . 'contact.php',
$sitename),
get_string('forgotusernamepasswordemailmessagehtml', 'mahara',
$fullname,
$sitename,
$user->username,
get_config('wwwroot') . 'forgotpass.php?key=' . $pwrequest->key,
get_config('wwwroot') . 'forgotpass.php?key=' . $pwrequest->key,
get_config('wwwroot') . 'contact.php',
$sitename));
insert_record('usr_password_request', $pwrequest);
}
catch (SQLException $e) {
die_info(get_string('forgotpassemailsendunsuccessful'));
}
catch (EmailException $e) {
die_info(get_string('forgotpassemailsendunsuccessful'));
$sendemail = true;
if (!($user = get_record_sql("SELECT u.*
FROM {usr} u INNER JOIN {auth_instance} ai ON (u.authinstance = ai.id AND ai.active = 1)
WHERE (LOWER(u.email) = ? OR LOWER(u.username) = ?)
AND ai.authname = 'internal'", array_fill(0, 2, strtolower($values['emailusername']))))) {
$sendemail = false;
}
// Add a note if this e-mail address is over the bounce threshold to
// warn users that they may not receive the e-mail
if ($mailinfo = get_record_select('artefact_internal_profile_email', '"owner" = ? AND principal = 1', array($user->id))) {
if (check_overcount($mailinfo)) {
$SESSION->add_info_msg(get_string('forgotpassemailsentanyway1', 'mahara', get_config('sitename')));
if ($sendemail) {
try {
$pwrequest = new StdClass;
$pwrequest->usr = $user->id;
$pwrequest->expiry = db_format_timestamp(time() + 86400);
$pwrequest->key = get_random_key();
$sitename = get_config('sitename');
$fullname = display_name($user);
// Override the disabled status of this e-mail address
$user->ignoredisabled = true;
email_user($user, null,
get_string('forgotusernamepasswordemailsubject', 'mahara', $sitename),
get_string('forgotusernamepasswordemailmessagetext', 'mahara',
$fullname,
$sitename,
$user->username,
get_config('wwwroot') . 'forgotpass.php?key=' . $pwrequest->key,
get_config('wwwroot') . 'contact.php',
$sitename),
get_string('forgotusernamepasswordemailmessagehtml', 'mahara',
$fullname,
$sitename,
$user->username,
get_config('wwwroot') . 'forgotpass.php?key=' . $pwrequest->key,
get_config('wwwroot') . 'forgotpass.php?key=' . $pwrequest->key,
get_config('wwwroot') . 'contact.php',
$sitename));
insert_record('usr_password_request', $pwrequest);
}
catch (SQLException $e) {
die_info(get_string('forgotpassemailsendunsuccessful'));
}
catch (EmailException $e) {
die_info(get_string('forgotpassemailsendunsuccessful'));
}
}
// Unsetting disabled status overriding
unset($user->ignoredisabled);
// Add a note if this e-mail address is over the bounce threshold to
// warn users that they may not receive the e-mail
if ($mailinfo = get_record_select('artefact_internal_profile_email', '"owner" = ? AND principal = 1', array($user->id))) {
if (check_overcount($mailinfo)) {
$SESSION->add_info_msg(get_string('forgotpassemailsentanyway1', 'mahara', get_config('sitename')));
}
}
// Unsetting disabled status overriding
unset($user->ignoredisabled);
}
// Add a marker in the session to say that the user has registered
$SESSION->set('pwchangerequested', true);
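Review bot: Once the lookup at lines 101-106 falls through with `$sendemail = false`, `$user` is `false`, yet the bounce-threshold lookup at line 152 still dereferences `$user->id` and line 158 still runs `unset($user->ignoredisabled)`, which emits a non-object property notice and queries `artefact_internal_profile_email` with a null owner — guard them, e.g. `if ($user && ($mailinfo = get_record_select('artefact_internal_profile_email', '"owner" = ? AND principal = 1', array($user->id))))` and `if ($user) { unset($user->ignoredisabled); }`, or move both into the `if ($sendemail)` block. The rendering has dropped indentation, so if those lines are in fact already inside that block the first point does not apply. The generic `pwchangerequestsentfullinfo` text is also still undercut by two responses that only occur when a matching internal account exists: the `forgotpassemailsentanyway1` info message at line 154 and the `die_info(get_string('forgotpassemailsendunsuccessful'))` in the catch blocks, so the page still distinguishes existing from non-existing accounts in those cases. Logging the over-threshold condition server-side instead of surfacing it, and returning the same generic message on send failure, would close that gap; response time will still differ because the email work happens only for existing accounts, which is worth recording in a comment above `$sendemail = true;` if accepted.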
......@@ -494,7 +494,7 @@ $string['forgotusernamepasswordtextprimaryemail'] = '<p>If you have forgotten yo
<p>If you know your username and have forgotten your password, you can also enter your username instead.</p>';
$string['lostusernamepassword'] = 'Lost username / password';
$string['emailaddressorusername'] = 'Email address or username';
$string['pwchangerequestsent'] = 'You should receive an email shortly with a link you can use to change the password for your account.';
$string['pwchangerequestsentfullinfo'] = 'You should receive an email shortly with a link you can use to change the password for your account.<br>If you do not receive an email either the details you entered are incorrect or you normally use external authentication to access the site.';
$string['forgotusernamepasswordemailsubject'] = 'Username / password details for %s';
$string['forgotusernamepasswordemailmessagetext'] = 'Dear %s,
......@@ -530,8 +530,6 @@ $string['forgotusernamepasswordemailmessagehtml'] = '<p>Dear %s,</p>
<p>Regards, %s site administrator</p>';
$string['forgotpassemailsendunsuccessful'] = 'Sorry, it appears that the email could not be sent successfully. This is our fault. Please try again shortly.';
$string['forgotpassemailsentanyway1'] = 'An email was sent to the address stored for this user, but the address may not be correct or the recipient server is returning messages. Please contact the %s administrator to reset your password if you do not receive the email.';
$string['forgotpassnosuchemailaddressorusername'] = 'The email address or username you entered does not match any users for this site';
$string['forgotpassuserusingexternalauthentication'] = 'The user you requested uses an external authentication method. <a href="%s">Ask your administrator</a> for help with changing your password. Or provide another username or email address.';
$string['forgotpasswordenternew'] = 'Please enter your new password to continue.';
$string['nosuchpasswordrequest'] = 'No such password request';
$string['passwordresetexpired'] = 'The password reset key has expired';
......@@ -49,7 +49,7 @@ Scenario: Asking for a password reset (Bug 1460911)
Scenario: Trying a username or password that doesn't exist (Bug 1460911)
When I fill in "Email address or username" with "nosuchuser"
And I press "Send request"
Then I should see "The email address or username you entered does not match any users for this site"
Then I should see "If you do not receive an email either the details you entered are incorrect or you normally use external authentication to access the site"
Scenario: Student can't change password to anything on suckypasswords list (Bug #844457)
Given I log in as "UserA" with password "Kupuhipa1"