/**
 * Reset the user's password.
 *
 * Honours the 'send_reset_password' setting (together with
 * 'enable_email_notification'):
 *   - both ON: the stored password is replaced by the hash of a freshly
 *     generated random value and, unless $p_send_email is false, a confirm
 *     hash URL is emailed to the user. The random value itself is never
 *     sent or returned, so the user regains access via that URL.
 *   - otherwise: the stored password is set to the hash of the empty string
 *     and the failed-login counter is cleared.
 *
 * Users flagged as protected are never touched.
 *
 * @param integer $p_user_id    A valid user identifier.
 * @param boolean $p_send_email Whether to send confirmation email.
 * @return boolean false if the user is protected, true once the password
 *                 has been reset
 */
function user_reset_password($p_user_id, $p_send_email = true)
{
    # Protected accounts are exempt from any reset.
    if (ON == user_get_field($p_user_id, 'protected')) {
        return false;
    }
    # @@@ do we want to force blank password instead of random if
    #      email notifications are turned off?
    #     How would we indicate that we had done this with a return value?
    #     Should we just have two functions? (user_reset_password_random()
    #     and user_reset_password() )?
    $t_random_and_mail = ON == config_get('send_reset_password')
        && ON == config_get('enable_email_notification');
    if (!$t_random_and_mail) {
        # Blank-password mode: no email goes out, so clear the lockout counter
        # here instead.
        user_set_field($p_user_id, 'password', auth_process_plain_password(''));
        user_reset_failed_login_count_to_zero($p_user_id);
        return true;
    }
    # Random-password mode requires an address to notify.
    $t_email = user_get_field($p_user_id, 'email');
    if (is_blank($t_email)) {
        trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR);
    }
    # Store only the hash of the random value; the plaintext is discarded.
    $t_random_password = auth_generate_random_password();
    user_set_field($p_user_id, 'password', auth_process_plain_password($t_random_password));
    if ($p_send_email) {
        email_send_confirm_hash_url($p_user_id, auth_generate_confirm_hash($p_user_id));
    }
    return true;
}
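/**
 * Return true if the password for the user id given matches the given
 * password (taking into account the global login method).
 *
 * Each supported hashing method is tried against the stored value so that a
 * hash in an older format still verifies and is then re-stored in the
 * configured format. Candidate hashes are compared with hash_equals() rather
 * than `==`: loose string comparison treats two numeric-looking strings as
 * equal (an MD5 digest of the form "0e" followed only by digits is one such
 * case) and is not constant-time.
 *
 * @param int $p_user_id User id to check password against
 * @param string $p_test_password Password
 * @return bool indicating whether password matches given the user id
 * @access public
 */
function auth_does_password_match($p_user_id, $p_test_password)
{
    $t_configured_login_method = config_get('login_method');
    # LDAP: the directory performs the check, there is no local hash to compare.
    if (LDAP == $t_configured_login_method) {
        return ldap_authenticate($p_user_id, $p_test_password);
    }
    $t_password = user_get_field($p_user_id, 'password');
    $t_login_methods = array(MD5, CRYPT, PLAIN);
    foreach ($t_login_methods as $t_login_method) {
        # pass the stored password in as the salt
        $t_candidate = auth_process_plain_password($p_test_password, $t_password, $t_login_method);
        # Strict, constant-time comparison; casts keep a null stored value
        # behaving as the empty string, as the loose compare did.
        if (!hash_equals((string) $t_password, (string) $t_candidate)) {
            continue;
        }
        # Do not support migration to PLAIN, since this would be a crazy thing to do.
        # Also if we do, then a user will be able to login by providing the MD5 value
        # that is copied from the database.  See #8467 for more details.
        if ($t_configured_login_method != PLAIN && $t_login_method == PLAIN) {
            continue;
        }
        # Re-store the password when it matched under a method other than the
        # configured one, or when configured for CRYPT and the stored value
        # starts with the same two characters as the password (the case the
        # original comment calls the previously insecure CRYPT implementation).
        $t_legacy_crypt_salt = CRYPT == $t_configured_login_method
            && utf8_substr($t_password, 0, 2) === utf8_substr($p_test_password, 0, 2);
        if ($t_login_method != $t_configured_login_method || $t_legacy_crypt_salt) {
            user_set_password($p_user_id, $p_test_password, true);
        }
        return true;
    }
    return false;
}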
/**
 * Write the login cookies for the current user.
 *
 * The password cookie carries the password hashed via
 * auth_process_plain_password() only when LOGIN_METHOD is 'MD5'; for any
 * other method it carries the password exactly as given. Whatever is stored
 * here is what the browser sends back on every request.
 * NOTE(review): whether util_set_cookie() sets HttpOnly/Secure on these
 * cookies is not visible here — confirm, since the value is a credential.
 *
 * @param string $username
 * @param string $password password as entered
 * @return void
 */
function auth_set_login_cookies($username, $password)
{
    # when using encryption, encrypt password cookie
    $cookie_password = LOGIN_METHOD == 'MD5'
        ? auth_process_plain_password($password)
        : $password;
    util_set_cookie(USER_COOKIE_NAME, $username);
    util_set_cookie(PWD_COOKIE_NAME, $cookie_password);
}
/**
 * Complete a password reset started from an emailed reset link.
 *
 * Looks up the reset record whose link matches, has not expired and has not
 * been used, marks it used, and writes the new password to the user row whose
 * email column equals the value stored in the reset record's user column.
 *
 * NOTE(review): $reset_link, $new_password and the value read back from the
 * reset table are interpolated directly into the three SQL strings below
 * without escaping or parameter binding; $reset_link in particular arrives
 * from the reset URL. The values should go through whatever binding/escaping
 * facility the db_query()/db_get_one() layer offers — that API is not
 * visible from here.
 *
 * @param string $reset_link   token from the reset URL
 * @param string $new_password password as entered; hashed only when
 *                             LOGIN_METHOD is 'MD5', otherwise stored as given
 * @return mixed the matched reset record's user value, or a falsy value when
 *               no unexpired, unused record matched the link
 */
function user_reset_password($reset_link, $new_password)
{
    # Qualified column names for the two tables touched below
    # (several of these are not used by this function).
    $tbl_reset_pass = RESET_PASS_TBL;
    $f_reset_pass_id = $tbl_reset_pass . "." . RESET_PASS_ID;
    $f_reset_pass_link = $tbl_reset_pass . "." . RESET_PASS_LINK;
    $f_reset_pass_user = $tbl_reset_pass . "." . RESET_PASS_USER;
    $f_reset_pass_used = $tbl_reset_pass . "." . RESET_PASS_RESET_USED;
    $f_reset_pass_expires = $tbl_reset_pass . "." . RESET_PASS_EXPIRES;
    $tbl_user = USER_TBL;
    $f_user_id = $tbl_user . "." . USER_ID;
    $f_username = $tbl_user . "." . USER_UNAME;
    $f_email = $tbl_user . "." . USER_EMAIL;
    $f_first_name = $tbl_user . "." . USER_FNAME;
    $f_last_name = $tbl_user . "." . USER_LNAME;
    $f_phone = $tbl_user . "." . USER_PHONE;
    $f_password = $tbl_user . "." . USER_PWORD;
    $f_tempest_admin = $tbl_user . "." . USER_ADMIN;
    $f_user_default_project = $tbl_user . "." . USER_DEFAULT_PROJECT;
    global $db;
    # fetch the users email address where the record has not expired,
    # and reset link has not already been accessed
    $current_date = date_get_short_dt();
    # NOTE(review): $reset_link is placed in the query unescaped.
    $q = "\tSELECT {$f_reset_pass_user}\n\t\t\tFROM {$tbl_reset_pass}\n\t\t\tWHERE {$f_reset_pass_link} = '{$reset_link}'\n\t\t\t\tAND {$f_reset_pass_expires} > '{$current_date}'\n\t\t\t\tAND {$f_reset_pass_used} = 'N'";
    $email = db_get_one($db, $q);
    # if a users email address was returned
    if ($email) {
        # mark the reset link as used (single-use token)
        $q = "\tUPDATE {$tbl_reset_pass}\n\t\t\t\tSET {$f_reset_pass_used} = 'Y'\n\t\t\t\tWHERE {$f_reset_pass_link} = '{$reset_link}'";
        db_query($db, $q);
        # encrypt password
        # NOTE(review): for any LOGIN_METHOD other than 'MD5' the password
        # reaches the UPDATE below exactly as entered, i.e. unhashed.
        if (LOGIN_METHOD == 'MD5') {
            $new_password = auth_process_plain_password($new_password);
        }
        # change the users password
        # NOTE(review): $new_password and $email are placed in the query unescaped.
        $q = "\tUPDATE {$tbl_user}\n\t\t\t\tSET {$f_password} = '{$new_password}'\n\t\t\t\tWHERE {$f_email} = '{$email}'";
        db_query($db, $q);
    }
    return $email;
}
 /**
  * Updates the user identified by the request URL from the request body.
  *
  * Access is granted to holders of the 'manage_user_threshold' global level
  * and to the user editing their own record.
  * NOTE(review): the self-edit path also writes access_level, protected and
  * enabled from the request body (see the UPDATE below) — confirm whether a
  * user is meant to be able to change those fields on their own account.
  *
  * @param $request - The Request we're responding to (uses ->url and ->body)
  * @return Response with status 204 on success
  * @throws HTTPException 403 when the caller may not edit this user
  */
 public function put($request)
 {
     $this->user_id = User::get_mantis_id_from_url($request->url);
     if (!access_has_global_level(config_get('manage_user_threshold')) && auth_get_current_user_id() != $this->user_id) {
         throw new HTTPException(403, "Access denied to edit user {$this->user_id}'s info");
     }
     $this->populate_from_repr($request->body);
     # Do some validation on the inputs (from Mantis's user_create())
     # NOTE(review): the password is hashed below from the db_prepare_string()
     # result; if that helper alters the value (escaping), the hash is of the
     # altered string — its behaviour is not visible here.
     $username = db_prepare_string($this->rsrc_data['username']);
     $realname = db_prepare_string($this->rsrc_data['realname']);
     $password = db_prepare_string($this->rsrc_data['password']);
     $email = db_prepare_string($this->rsrc_data['email']);
     $access_level = db_prepare_int(get_string_to_enum(config_get('access_levels_enum_string'), $this->rsrc_data['access_level']));
     $protected = db_prepare_bool($this->rsrc_data['protected']);
     $enabled = db_prepare_bool($this->rsrc_data['enabled']);
     user_ensure_name_valid($username);
     user_ensure_realname_valid($realname);
     user_ensure_realname_unique($username, $realname);
     email_ensure_valid($email);
     # The cookie string is based on email and username, so if either of those changed,
     # we have to change the cookie string.
     # The numeric fallbacks (1, 3, 13) are positional indexes used when the
     # row is not keyed by column name.
     $user_row = user_get_row($this->user_id);
     $username_key = array_key_exists('username', $user_row) ? 'username' : 1;
     $email_key = array_key_exists('email', $user_row) ? 'email' : 3;
     $cookie_string_key = array_key_exists('cookie_string', $user_row) ? 'cookie_string' : 13;
     if ($user_row[$username_key] != $username || $user_row[$email_key] != $email) {
         $seed = $email . $username;
         $cookie_string = auth_generate_unique_cookie_string($seed);
     } else {
         $cookie_string = $user_row[$cookie_string_key];
     }
     $password_hash = auth_process_plain_password($password);
     $user_table = config_get('mantis_user_table');
     # NOTE(review): as listed, this UPDATE writes the literal '******' into
     # username and password, and $username / $password_hash computed above
     # are never used. If the listing was redacted, confirm the real query;
     # if not, every update overwrites those two columns with that literal.
     # The remaining values are interpolated into the SQL string rather than
     # bound; whether db_prepare_*() escapes them is not visible here.
     $query = "UPDATE  {$user_table}\n\t\t\t\tSET username = '******',\n\t\t\t\t    realname = '{$realname}',\n\t\t\t\t    email = '{$email}',\n\t\t\t\t    password = '******',\n\t\t\t\t    enabled = {$enabled},\n\t\t\t\t    protected = {$protected},\n\t\t\t\t    access_level = {$access_level},\n\t\t\t\t    cookie_string = '{$cookie_string}'\n\t\t\t\tWHERE id = {$this->user_id};";
     db_query($query);
     $resp = new Response();
     $resp->status = 204;
     return $resp;
 }
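/**
 * Return true if the password for the user id given matches the given
 * password (taking into account the global login method).
 *
 * Each supported hashing method is tried against the stored value so that a
 * hash in an older format still verifies and is then re-stored in the
 * configured format. Candidate hashes are compared with hash_equals() rather
 * than `==`: loose string comparison treats two numeric-looking strings as
 * equal (an MD5 digest of the form "0e" followed only by digits is one such
 * case) and is not constant-time.
 *
 * @param int $p_user_id User id to check password against
 * @param string $p_test_password Password
 * @return bool indicating whether password matches given the user id
 */
function auth_does_password_match($p_user_id, $p_test_password)
{
    $t_configured_login_method = config_get('login_method');
    # LDAP: the directory performs the check, there is no local hash to compare.
    if (LDAP == $t_configured_login_method) {
        return ldap_authenticate($p_user_id, $p_test_password);
    }
    $t_password = user_get_field($p_user_id, 'password');
    $t_login_methods = array(MD5, CRYPT, PLAIN);
    foreach ($t_login_methods as $t_login_method) {
        # pass the stored password in as the salt
        $t_candidate = auth_process_plain_password($p_test_password, $t_password, $t_login_method);
        # Strict, constant-time comparison; casts keep a null stored value
        # behaving as the empty string, as the loose compare did.
        if (!hash_equals((string) $t_password, (string) $t_candidate)) {
            continue;
        }
        # A PLAIN match is only honoured when PLAIN is the configured method:
        # otherwise anyone holding the stored hash value could log in by
        # submitting it verbatim, and it would then be "migrated" as the
        # password (the same guard the other auth_does_password_match variant
        # on this page carries).
        if ($t_configured_login_method != PLAIN && $t_login_method == PLAIN) {
            continue;
        }
        # Re-store the password when it matched under a method other than the
        # configured one, or when configured for CRYPT and the stored value
        # starts with the same two characters as the password (the case the
        # original comment calls the previously insecure CRYPT implementation).
        $t_legacy_crypt_salt = CRYPT == $t_configured_login_method
            && substr($t_password, 0, 2) === substr($p_test_password, 0, 2);
        if ($t_login_method != $t_configured_login_method || $t_legacy_crypt_salt) {
            user_set_password($p_user_id, $p_test_password, true);
        }
        return true;
    }
    return false;
}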