do not use password on setLastPwdChange in admin actions, as the use of a password indicates the functionality is being used in user mode; handle params for egw_cache::getSession in the correct order

This commit is contained in:
Klaus Leithoff 2011-05-19 10:32:46 +00:00
parent 86ced579db
commit 0b1e444325
3 changed files with 8 additions and 5 deletions


@ -132,8 +132,8 @@ class admin_passwordreset
// force password change on next login
if ((string)$content['mustchangepassword'] !== '' && !(!$content['mustchangepassword'] && $change_pw))
{
$GLOBALS['egw']->auth->setLastPwdChange($account_id, $password,
$content['mustchangepassword'] ? 0 : time());
// dont use password here, as the use of passwords indicates the usage of the functionality in usermode
$GLOBALS['egw']->auth->setLastPwdChange($account_id, null, $content['mustchangepassword'] ? 0 : time());
}
// allow or forbid to change password, if requested
if ((string)$content['changepassword'] !== '')
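Review bot: Passing `null` as the password in the new call on L18 means the auth backend can no longer prove that the caller knows the account's password — in the LDAP backend on this page the bind as the target user happens only when a password is supplied — so the only thing guarding this forced-change action is whatever admin-app access check admin_passwordreset performs before reaching this code, which is outside the hunk and should be confirmed. The return value of setLastPwdChange is also discarded on L18; if the backend reports a failure (its return is not visible here), the admin should see it rather than assume the flag was set. The added comment would be clearer if it said what "usermode" means to the backend, e.g. `// pass null as password: the auth backend treats a call without the current password as an administrative change and does not bind as the target user`. The enclosing method continues outside the hunk.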


@ -70,7 +70,7 @@ class auth
// dont check anything for anonymous sessions/ users that are flagged as anonymous
if (is_object($GLOBALS['egw']->session) && $GLOBALS['egw']->session->session_flags == 'A') return true;
static $UserKnowsAboutPwdChange;
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& egw_cache::getSession('auth_UserKnowsAboutPwdChange','phpgwapi');
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& egw_cache::getSession('phpgwapi','auth_UserKnowsAboutPwdChange');
// some statics to make information and timecalculation a) more readable in conditions b) persistent per request
static $alpwchange_val;
static $passwordAgeBorder;
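Review bot: The `=&` on L30 binds the static `$UserKnowsAboutPwdChange` to the session-cache slot instead of copying its value, and nothing in the hunk explains why; someone later touching this line could easily drop the reference. A comment such as `// bound by reference so later assignments persist in the session cache (egw_cache::getSession(app, key))` would prevent that — presumably the rest of this method assigns to the variable, which is outside the hunk and should be confirmed. Since the previous call used the reversed app/key order, sessions started before this fix may have the flag stored under the swapped pair; if that matters for a live upgrade, a note in the commit message or a one-time fallback read would help. The enclosing method begins before this hunk.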


@ -210,8 +210,11 @@ class auth_ldap implements auth_backend
*/
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
{
if (!$account_id)
$admin = True;
// Don't allow password changes for other accounts when using XML-RPC
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
{
$admin = False;
$username = $GLOBALS['egw_info']['user']['account_lid'];
}
else
@ -232,7 +235,7 @@ class auth_ldap implements auth_backend
$dn = $allValues[0]['dn'];
if($passwd) // if old password given (not called by admin) --> bind as that user to change the pw
if(!$admin && $passwd) // if old password given (not called by admin) --> bind as that user to change the pw
{
$ds = common::ldapConnect('',$dn,$passwd);
}