/**
 * Round-trips one password assistance session through the handler:
 * write, find by user id, read by session id, destroy, then garbage collect.
 *
 * Each step that behaves as expected appends its name to a trace; the
 * final assertion pins the full "find-read-destroy-" sequence.
 */
public function testPasswordAssisstanceSession()
{
    global $ilUser;
    include_once "./include/inc.pwassist_session_handler.php";

    $user_id = $ilUser->getId();
    $steps = array();

    // write: store a session with a fixed id for the current user
    db_pwassist_session_write("12345", 60, $user_id);

    // find: the session must be locatable by user id
    $found = db_pwassist_session_find($user_id);
    if ($found["pwassist_id"] == "12345") {
        $steps[] = "find";
    }

    // read: the session must map back to the user id
    $loaded = db_pwassist_session_read("12345");
    if ($loaded["user_id"] == $user_id) {
        $steps[] = "read";
    }

    // destroy: the session must not be readable afterwards
    db_pwassist_session_destroy("12345");
    if (!db_pwassist_session_read("12345")) {
        $steps[] = "destroy";
    }

    db_pwassist_session_gc();

    $trace = "";
    foreach ($steps as $step) {
        $trace .= $step . "-";
    }
    $this->assertEquals("find-read-destroy-", $trace);
}
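/**
 * Reads the submitted data from the password assistance form.
 *
 * The following form fields are read as HTTP POST parameters:
 *   key
 *   username
 *   password1
 *   password2
 *
 * The key is used to retrieve the password assistance session.
 * If the key is missing, or if the password assistance session has expired, the
 * password assistance form will be shown instead of this form.
 *
 * If the password assistance session is valid, and if the username matches the
 * username, for which the password assistance has been requested, and if the
 * new password is valid, ILIAS assigns the password to the user.
 *
 * Note: To prevent replay attacks, the session is deleted when the
 * password has been assigned successfully.
 *
 * @return void Renders the message form on success, otherwise the assistance
 *              form (expired session) or the assign-password form (validation error).
 */
function submitAssignPasswordForm()
{
    global $lng;
    require_once "include/inc.pwassist_session_handler.php";

    // Retrieve form data. Each index is guarded so a request that omits a
    // field yields an empty string instead of an undefined-index notice.
    $pwassist_id = isset($_POST["key"]) ? ilUtil::stripSlashes($_POST["key"]) : "";
    $username = isset($_POST["username"]) ? ilUtil::stripSlashes($_POST["username"]) : "";
    $password1 = isset($_POST["password1"]) ? ilUtil::stripSlashes($_POST["password1"]) : "";
    $password2 = isset($_POST["password2"]) ? ilUtil::stripSlashes($_POST["password2"]) : "";

    // Retrieve the session. The handler returns a falsy value for an unknown
    // id (the session test in this file relies on that), so test emptiness
    // instead of calling count() on a possible non-array.
    $pwassist_session = db_pwassist_session_read($pwassist_id);
    if (empty($pwassist_session) || $pwassist_session["expires"] < time()) {
        $this->showAssistanceForm($lng->txt("pwassist_session_expired"));
        return;
    }

    $is_successful = true;
    $message = "";
    $userObj = new ilObjUser($pwassist_session["user_id"]);

    // Validate the entries of the user
    // ----------------------------------
    // check if the user still exists
    // NOTE(review): `new` never yields null, so this branch cannot be taken;
    // a real existence check would have to inspect the loaded object — confirm
    // against ilObjUser before relying on it.
    if ($userObj == null) {
        $message = $lng->txt("user_does_not_exist");
        $is_successful = false;
    }

    // check if the username entered by the user matches the
    // one of the user object.
    if ($is_successful && strcasecmp($userObj->getLogin(), $username) != 0) {
        $message = $lng->txt("pwassist_login_not_match");
        $is_successful = false;
    }

    // check if the user entered the password correctly into the two entry
    // fields. Strict comparison: with != two numeric strings such as
    // "1e3" and "1000" would be treated as the same password.
    if ($is_successful && $password1 !== $password2) {
        $message = $lng->txt("passwd_not_match");
        $is_successful = false;
    }

    // validate the password
    if ($is_successful && !ilUtil::isPassword($password1)) {
        $message = $lng->txt("passwd_invalid");
        $is_successful = false;
    }
    // End of validation

    // If the validation was successful, we change the password of the user.
    // ------------------
    if ($is_successful) {
        $is_successful = $userObj->resetPassword($password1, $password2);
        if (!$is_successful) {
            $message = $lng->txt("passwd_invalid");
        }
    }

    // If we are successful so far, we update the user object. The result is
    // now actually inspected (the previous code stored it in a misspelt
    // variable, so a failed update was never reported). Only an explicit
    // false counts as failure, since update()'s return contract is not
    // visible here.
    // ------------------
    if ($is_successful && $userObj->update() === false) {
        $message = $lng->txt("update_error");
        $is_successful = false;
    }

    // If we are successful, we destroy the password assistance session and
    // redirect to the login page. Else we display the form again along with
    // an error message.
    // ------------------
    if ($is_successful) {
        db_pwassist_session_destroy($pwassist_id);
        $this->showMessageForm(null, sprintf($lng->txt("pwassist_password_assigned"), $username));
    } else {
        $this->showAssignPasswordForm($message, $username, $password1, $password2, $pwassist_id);
    }
}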
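/**
 * Reads the submitted data from the password assistance form.
 *
 * The following form fields are read as HTTP POST parameters:
 *   key
 *   username
 *   password1
 *   password2
 *
 * The key is used to retrieve the password assistance session.
 * If the key is missing, or if the password assistance session has expired, the
 * password assistance form will be shown instead of this form.
 *
 * If the password assistance session is valid, and if the username matches the
 * username, for which the password assistance has been requested, and if the
 * new password is valid, ILIAS assigns the password to the user.
 *
 * Note: To prevent replay attacks, the session is deleted when the
 * password has been assigned successfully.
 *
 * @return void Renders the message form on success, otherwise the assistance
 *              form (expired session) or the assign-password form (validation error).
 */
public function submitAssignPasswordForm()
{
    require_once 'include/inc.pwassist_session_handler.php';

    // We need to fetch this before form instantiation; guard the index so a
    // request without a key does not raise an undefined-index notice.
    $pwassist_id = isset($_POST['key']) ? ilUtil::stripSlashes($_POST['key']) : '';
    $form = $this->getAssignPasswordForm($pwassist_id);
    if (!$form->checkInput()) {
        // NOTE(review): the form is not rendered here on input errors —
        // confirm the caller displays it after this method returns.
        $form->setValuesByPost();
        return;
    }

    $username = $form->getInput('username');
    $password = $form->getInput('password');
    $pwassist_id = $form->getInput('key');

    // Retrieve the session. The handler returns a falsy value for an unknown
    // id (the session test in this file relies on that), so test emptiness
    // instead of calling count() on a possible non-array.
    $pwassist_session = db_pwassist_session_read($pwassist_id);
    if (empty($pwassist_session) || $pwassist_session['expires'] < time()) {
        ilUtil::sendFailure(str_replace("\\n", '', $this->lng->txt('pwassist_session_expired')));
        $form->setValuesByPost();
        $this->showAssistanceForm($form);
        return;
    }

    $is_successful = true;
    $message = '';
    $userObj = new ilObjUser($pwassist_session['user_id']);

    // NOTE(review): `new` never yields null, so this branch cannot be taken;
    // a real existence check would have to inspect the loaded object — confirm
    // against ilObjUser before relying on it.
    if ($userObj == null) {
        $message = $this->lng->txt('user_does_not_exist');
        $is_successful = false;
    }

    // check if the username entered by the user matches the
    // one of the user object.
    if ($is_successful && strcasecmp($userObj->getLogin(), $username) != 0) {
        $message = $this->lng->txt('pwassist_login_not_match');
        $is_successful = false;
    }

    // validate the password in the user's context. Guarded like the checks
    // above so the first failure's message is the one reported, instead of
    // being overwritten by a later password error.
    $error_lng_var = '';
    if ($is_successful && !ilUtil::isPasswordValidForUserContext($password, $userObj, $error_lng_var)) {
        $message = $this->lng->txt($error_lng_var);
        $is_successful = false;
    }
    // End of validation

    // If the validation was successful, we change the password of the user.
    // ------------------
    if ($is_successful) {
        $is_successful = $userObj->resetPassword($password, $password);
        if (!$is_successful) {
            $message = $this->lng->txt('passwd_invalid');
        }
    }

    // If we are successful so far, we update the user object. Only an
    // explicit false is treated as failure, since update()'s return contract
    // is not visible here.
    // ------------------
    if ($is_successful && $userObj->update() === false) {
        $message = $this->lng->txt('update_error');
        $is_successful = false;
    }

    // If we are successful, we destroy the password assistance session and
    // redirect to the login page. Else we display the form again along with
    // an error message.
    // ------------------
    if ($is_successful) {
        db_pwassist_session_destroy($pwassist_id);
        $this->showMessageForm(sprintf($this->lng->txt('pwassist_password_assigned'), $username));
    } else {
        ilUtil::sendFailure(str_replace("\\n", '', $message));
        $form->setValuesByPost();
        $this->showAssignPasswordForm($form, $pwassist_id);
    }
}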