mirror of
https://github.com/EGroupware/egroupware.git
synced 2025-01-23 14:28:45 +01:00
* API/CheckPasswordAge: new approach to the issue, as we have to take into account that the timestamp of the last password change may not be provided by the auth system. We fetch the timestamp from the authsystem if the method is implemented for the auth method configured (instead of juggling with account_lastpasswd_change or account_lastpwd_change)
This commit is contained in:
parent
bfd686bbac
commit
f7a50ec383
@ -69,33 +69,16 @@ class auth
|
||||
{
|
||||
// dont check anything for anonymous sessions/ users that are flagged as anonymous
|
||||
if (is_object($GLOBALS['egw']->session) && $GLOBALS['egw']->session->session_flags == 'A') return true;
|
||||
// some statics (and initialisation to make information and timecalculation a) more readable in conditions b) persistent per request
|
||||
// if user has to be warned about an upcomming passwordchange, remember for the session, that he was informed
|
||||
static $UserKnowsAboutPwdChange;
|
||||
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& egw_cache::getSession('phpgwapi','auth_UserKnowsAboutPwdChange');
|
||||
// some statics to make information and timecalculation a) more readable in conditions b) persistent per request
|
||||
// retrieve the timestamp regarding the last change of the password from auth system and store it with the session
|
||||
static $alpwchange_val;
|
||||
static $passwordAgeBorder;
|
||||
static $daysLeftUntilChangeReq;
|
||||
// current style name for account last password change timestamp
|
||||
$alpwchange='account_lastpwd_change';
|
||||
// some debug output and develop options to move the horizons and warn levels around
|
||||
//$GLOBALS['egw_info']['server']['change_pwd_every_x_days'] =35;
|
||||
//$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change']=5;
|
||||
//echo egw_time::to('now','ts').'<br>';
|
||||
//echo "User changed password at:".egw_time::to($GLOBALS['egw_info']['user'][$alpwchange]).'<br>';
|
||||
//echo "User password is ".((egw_time::to('now','ts')-$GLOBALS['egw_info']['user'][$alpwchange])/86400)." days old<br>";
|
||||
//echo "Users must change passwords every ".$GLOBALS['egw_info']['server']['change_pwd_every_x_days'].' days ('.($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).') seconds.<br>';
|
||||
//echo egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).'<br>';
|
||||
|
||||
// if neither timestamp isset return true, nothing to do (exept this means the password is too old)
|
||||
if (!isset($GLOBALS['egw_info']['user']['account_lastpasswd_change']) &&
|
||||
!isset($GLOBALS['egw_info']['user'][$alpwchange]) &&
|
||||
empty($GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
|
||||
) return true;
|
||||
if ($GLOBALS['egw_info']['user']['account_lastpasswd_change'] && !$GLOBALS['egw_info']['user'][$alpwchange])
|
||||
static $pwdTsChecked;
|
||||
if (is_null($pwdTsChecked) && is_null($alpwchange_val))
|
||||
{
|
||||
// use old style names, as the current one seems not to be set.
|
||||
$alpwchange = 'account_lastpasswd_change';
|
||||
}
|
||||
$alpwchange_val =& egw_cache::getSession('phpgwapi','auth_alpwchange_val'); // set that one with the session stored value
|
||||
// initalize statics - better readability of conditions
|
||||
if (is_null($alpwchange_val))
|
||||
{
|
||||
@ -103,9 +86,35 @@ class auth
|
||||
$backend = new $backend_class;
|
||||
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
|
||||
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
|
||||
if (method_exists($backend,'getLastPwdChange')) $alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
|
||||
if (is_null($alpwchange_val) || $alpwchange_val === false) $alpwchange_val = $GLOBALS['egw_info']['user'][$alpwchange];
|
||||
if (method_exists($backend,'getLastPwdChange'))
|
||||
{
|
||||
$alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw_info']['user']['account_lid']);
|
||||
$pwdTsChecked = true;
|
||||
}
|
||||
// if your authsystem does not provide that information, its likely, that you cannot change your password there,
|
||||
// thus checking for expiration, is not needed
|
||||
if ($alpwchange_val === false)
|
||||
{
|
||||
$alpwchange_val = null;
|
||||
}
|
||||
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
|
||||
}
|
||||
}
|
||||
static $passwordAgeBorder;
|
||||
static $daysLeftUntilChangeReq;
|
||||
// some debug output and develop options to move the horizons and warn levels around
|
||||
//$GLOBALS['egw_info']['server']['change_pwd_every_x_days'] =35;
|
||||
//$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change']=5;
|
||||
//echo egw_time::to('now','ts').'<br>';
|
||||
//echo "User changed password at:".egw_time::to($GLOBALS['egw_info']['user'][$alpwchange]).'<br>';
|
||||
//echo "User password is ".((egw_time::to('now','ts')-$GLOBALS['egw_info']['user'][$alpwchange])/86400)." days old<br>";
|
||||
//echo "Users must change passwords every ".$GLOBALS['egw_info']['server']['change_pwd_every_x_days'].' days ('.($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).') seconds.<br>';
|
||||
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
|
||||
//echo egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400).'<br>';
|
||||
// if neither timestamp isset return true, nothing to do (exept this means the password is too old)
|
||||
if (is_null($alpwchange_val) &&
|
||||
empty($GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
|
||||
) return true;
|
||||
if (is_null($passwordAgeBorder) && $GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
|
||||
{
|
||||
$passwordAgeBorder = (egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400));
|
||||
@ -113,7 +122,7 @@ class auth
|
||||
if (is_null($daysLeftUntilChangeReq) && $GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'])
|
||||
{
|
||||
// maxage - passwordage = days left until change is required
|
||||
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-$alpwchange_val)/86400));
|
||||
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-($alpwchange_val?$alpwchange_val:0))/86400));
|
||||
}
|
||||
//echo "Warn about the upcomming change ".$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'].' days before that time is reached<br>';
|
||||
//$result = $GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - $daysLeftUntilChangeReq;
|
||||
@ -135,6 +144,8 @@ class auth
|
||||
{
|
||||
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1, 'preferences')) return true; // user has no rights to change password
|
||||
if ($UserKnowsAboutPwdChange === true && !($passwordAgeBorder > $alpwchange_val || $alpwchange_val==0)) return true; // user has already been informed about the upcomming password expiration
|
||||
if (!is_null($alpwchange_val))
|
||||
{
|
||||
if ($alpwchange_val == 0)
|
||||
{
|
||||
$message = lang('an admin required that you must change your password upon login.');
|
||||
@ -153,13 +164,14 @@ class auth
|
||||
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
|
||||
{
|
||||
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
|
||||
'ts'=>$GLOBALS['egw_info']['user']['account_lastpwd_change'],
|
||||
'date'=>egw_time::to($GLOBALS['egw_info']['user']['account_lastpwd_change']))));
|
||||
'ts'=> $alpwchange_val,
|
||||
'date'=>egw_time::to($alpwchange_val))));
|
||||
$message = lang('it has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
|
||||
}
|
||||
if ($GLOBALS['egw_info']['user']['apps']['password']) egw::redirect_link('/preferences/password.php',array('message'=>$message));
|
||||
egw::redirect_link('/index.php',array('menuaction'=>'preferences.uipassword.change','message'=>$message));
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -52,12 +52,12 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setSession(__CLASS__,'backend_used','primary');
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
|
||||
return true;
|
||||
}
|
||||
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setSession(__CLASS__,'backend_used','fallback');
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
@ -76,10 +76,62 @@ class auth_fallback implements auth_backend
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id);
|
||||
}
|
||||
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
|
||||
}
|
||||
|
||||
/**
|
||||
* fetch the last pwd change for the user
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @return mixed false or account_lastpwd_change
|
||||
*/
|
||||
function getLastPwdChange($username)
|
||||
{
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $this->fallback_backend->getLastPwdChange($username);
|
||||
}
|
||||
|
||||
/**
|
||||
* changes account_lastpwd_change in sql datababse
|
||||
*
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
|
||||
* @param int $lastpwdchange must be a unixtimestamp
|
||||
* @return boolean true if account_lastpwd_change successful changed, false otherwise
|
||||
*/
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
|
||||
{
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
}
|
||||
}
|
||||
|
@ -52,12 +52,12 @@ class auth_fallbackmail2sql implements auth_backend
|
||||
{
|
||||
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setSession(__CLASS__,'backend_used','primary');
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
|
||||
return true;
|
||||
}
|
||||
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setSession(__CLASS__,'backend_used','fallback');
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
@ -76,10 +76,62 @@ class auth_fallbackmail2sql implements auth_backend
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
|
||||
}
|
||||
|
||||
/**
|
||||
* fetch the last pwd change for the user
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @return mixed false or account_lastpwd_change
|
||||
*/
|
||||
function getLastPwdChange($username)
|
||||
{
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $this->fallback_backend->getLastPwdChange($username);
|
||||
}
|
||||
|
||||
/**
|
||||
* changes account_lastpwd_change in sql datababse
|
||||
*
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
|
||||
* @param int $lastpwdchange must be a unixtimestamp
|
||||
* @return boolean true if account_lastpwd_change successful changed, false otherwise
|
||||
*/
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
|
||||
{
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
}
|
||||
}
|
||||
|
@ -245,6 +245,8 @@ class auth_ldap implements auth_backend
|
||||
{
|
||||
return false;
|
||||
}
|
||||
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
|
||||
if (!$admin) egw_cache::setSession('phpgwapi','auth_alpwchange_val',(is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange));
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -281,7 +283,10 @@ class auth_ldap implements auth_backend
|
||||
$allValues = ldap_get_entries($ds, $sri);
|
||||
|
||||
$entry['userpassword'] = auth::encrypt_password($new_passwd);
|
||||
if ($update_lastchange) $entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
|
||||
if ($update_lastchange)
|
||||
{
|
||||
$entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
|
||||
}
|
||||
|
||||
$dn = $allValues[0]['dn'];
|
||||
|
||||
@ -296,6 +301,8 @@ class auth_ldap implements auth_backend
|
||||
if($old_passwd) // if old password given (not called by admin) update the password in the session
|
||||
{
|
||||
$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
|
||||
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
|
||||
egw_cache::setSession('phpgwapi','auth_alpwchange_val',time());
|
||||
}
|
||||
return $entry['userpassword'];
|
||||
}
|
||||
|
@ -176,14 +176,15 @@ class auth_sql implements auth_backend
|
||||
{
|
||||
return false;
|
||||
}
|
||||
$lastpwdchange = (is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange);
|
||||
$this->db->update($this->table,array(
|
||||
'account_lastpwd_change' => (is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange),
|
||||
'account_lastpwd_change' => $lastpwdchange,
|
||||
),array(
|
||||
'account_id' => $account_id,
|
||||
),__LINE__,__FILE__);
|
||||
|
||||
if(!$this->db->affected_rows()) return false;
|
||||
|
||||
if (!$admin) egw_cache::setSession('phpgwapi','auth_alpwchange_val',$lastpwdchange);
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -251,6 +252,7 @@ class auth_sql implements auth_backend
|
||||
|
||||
if(!$admin)
|
||||
{
|
||||
egw_cache::setSession('phpgwapi','auth_alpwchange_val',$update['account_lastpwd_change']);
|
||||
$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
|
||||
}
|
||||
return $encrypted_passwd;
|
||||
|
Loading…
Reference in New Issue
Block a user