Author: coudot
Date: 2010-06-08 15:03:36 +0200 (Tue, 08 Jun 2010)
New Revision: 80
Added:
self-service-password/trunk/pages/resetbytoken.php
self-service-password/trunk/pages/sendtoken.php
Modified:
self-service-password/trunk/config.inc.php
self-service-password/trunk/functions.inc.php
self-service-password/trunk/lang/de.inc.php
self-service-password/trunk/lang/en.inc.php
self-service-password/trunk/lang/es.inc.php
self-service-password/trunk/lang/fr.inc.php
self-service-password/trunk/pages/resetbyquestions.php
Log:
#176: use a token to reset password
Modified: self-service-password/trunk/config.inc.php
===================================================================
--- self-service-password/trunk/config.inc.php 2010-05-12 13:50:52 UTC (rev 79)
+++ self-service-password/trunk/config.inc.php 2010-06-08 13:03:36 UTC (rev 80)
@@ -82,6 +82,9 @@
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
+# Token
+$mail_attribute = "mail";
+
# Display help messages
$show_help = true;
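Review bot: The `# Token` comment above the new `$mail_attribute` setting says neither what the value is nor how it is used; it is an LDAP attribute name, and elsewhere in this commit (sendtoken.php) its values are read from the user entry and compared with the submitted address before a reset token is mailed. Suggest `# Token: LDAP attribute holding the user's mail address, checked against the submitted address before a reset token is sent`.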
Modified: self-service-password/trunk/functions.inc.php
===================================================================
--- self-service-password/trunk/functions.inc.php 2010-05-12 13:50:52 UTC
(rev 79)
+++ self-service-password/trunk/functions.inc.php 2010-06-08 13:03:36 UTC
(rev 80)
@@ -86,11 +86,11 @@
# Get message criticity
function get_criticity( $msg ) {
- if ( ereg(
"nophpldap|nophpmhash|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|answermoderror|answernomatch|mailnomatch|tokennotsent"
, $msg ) ) {
+ if ( ereg(
"nophpldap|nophpmhash|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid"
, $msg ) ) {
return "critical";
}
- if ( ereg(
"(login|oldpassword|newpassword|confirmpassword|answer|question|password|mail)required"
, $msg ) ) {
+ if ( ereg(
"(login|oldpassword|newpassword|confirmpassword|answer|question|password|mail|token)required"
, $msg ) ) {
return "warning";
}
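Review bot: Both extended alternations are still passed to `ereg()`, which is deprecated as of PHP 5.3 and matches unanchored, so any message that merely contains one of the alternatives is classified; the commit appends `tokennotvalid` and `token` to these lists without changing that. A strict lookup reads better and cannot over-match: `if ( in_array($msg, array("nophpldap", "nophpmhash", /* … */, "tokennotvalid"), true) ) { return "critical"; }`, or an anchored `preg_match('/^(...)$/', $msg)` if a pattern is preferred. get_criticity() continues past the end of the hunk.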
Modified: self-service-password/trunk/lang/de.inc.php
===================================================================
--- self-service-password/trunk/lang/de.inc.php 2010-05-12 13:50:52 UTC (rev 79)
+++ self-service-password/trunk/lang/de.inc.php 2010-06-08 13:03:36 UTC (rev 80)
@@ -70,7 +70,18 @@
$messages['resetbyquestionshelp'] = "Wählen Sie eine Frage
Sicherheitsfrage aus und beantworten diese anschßend.
Hierzu müssen Sie vorher eine <a href=\"?action=setquestions\">Antwort
festgelegt</a> haben.";
$messages['changehelp'] = "Um ein neues Passwort festzulegen müssen Sie
zuerst Ihr Altes eingeben.
-Falls Sie Ihr altes Passwort vergessen haben k�nnen Sie Ihr Passwort<a
href=\"?action=resetbyquestions\">zurücksetzen durch Beantwortung
-einer Sicherheitsfrage</a>.";
+Falls Sie Ihr altes Passwort vergessen haben k�nnen Sie Ihr Passwort<a
href=\"?action=resetbyquestions\">zurücksetzen durch Beantwortun einer
Sicherheitsfrage</a>.";
+$messages['resetmessage'] = "Hello {login},\n\nClick here to reset your
password:\n{url}\n\nIf your are not the issuer of this request, please ignore
it.";
+$messages['resetsubject'] = "Reset your password";
+$messages['sendtokenhelp'] = "Enter your login and your password to reset your
password. Then click on the link in sent mail.";
+$messages['mail'] = "Mail";
+$messages['mailrequired'] = "Your mail is required";
+$messages['mailnomatch'] = "The mail does not match the submitted login";
+$messages['tokensent'] = "A confirmation mail has been sent";
+$messages['tokennotsent'] = "Error when sending confirmation mail";
+$messages['tokenrequired'] = "Token is required";
+$messages['tokennotvalid'] = "Token is not valid";
+$messages['resetbytokenhelp'] = "The token sent by mail allows you to reset
your password. To get a new token, <a href=\"?action=sendtoken\">click
here</a>.";
+
?>
Modified: self-service-password/trunk/lang/en.inc.php
===================================================================
--- self-service-password/trunk/lang/en.inc.php 2010-05-12 13:50:52 UTC (rev 79)
+++ self-service-password/trunk/lang/en.inc.php 2010-06-08 13:03:36 UTC (rev 80)
@@ -68,5 +68,17 @@
$messages['answernomatch'] = "Your answer is not correct";
$messages['resetbyquestionshelp'] = "Choose a question and answer it to reset
your password. This requires to have already <a
href=\"?action=setquestions\">register an answer</a>.";
$messages['changehelp'] = "Enter your old password and choose a new one. If
you forgot your old password, you can try to <a
href=\"?action=resetbyquestions\">reset your password by answering
questions</a>.";
+$messages['resetmessage'] = "Hello {login},\n\nClick here to reset your
password:\n{url}\n\nIf your are not the issuer of this request, please ignore
it.";
+$messages['resetsubject'] = "Reset your password";
+$messages['sendtokenhelp'] = "Enter your login and your password to reset your
password. Then click on the link in sent mail.";
+$messages['mail'] = "Mail";
+$messages['mailrequired'] = "Your mail is required";
+$messages['mailnomatch'] = "The mail does not match the submitted login";
+$messages['tokensent'] = "A confirmation mail has been sent";
+$messages['tokennotsent'] = "Error when sending confirmation mail";
+$messages['tokenrequired'] = "Token is required";
+$messages['tokennotvalid'] = "Token is not valid";
+$messages['resetbytokenhelp'] = "The token sent by mail allows you to reset
your password. To get a new token, <a href=\"?action=sendtoken\">click
here</a>.";
+
?>
Modified: self-service-password/trunk/lang/es.inc.php
===================================================================
--- self-service-password/trunk/lang/es.inc.php 2010-05-12 13:50:52 UTC (rev 79)
+++ self-service-password/trunk/lang/es.inc.php 2010-06-08 13:03:36 UTC (rev 80)
@@ -68,5 +68,17 @@
$messages['answernomatch'] = "Su respuesta no es correcta";
$messages['resetbyquestionshelp'] = "Elija una pregunta y respondala para
resetear su contraseña. Esto requiere <a href=\"?action=setquestions\">haber
registrado una respuesta</a>.";
$messages['changehelp'] = "Ingrese su contraseña anterior y elija una nueva.
Si usted olvidó su contraseña anterior, puede <a
href=\"?action=resetbyquestions\">resetear su contraseña respondiendo
preguntas</a>.";
+$messages['resetmessage'] = "Hello {login},\n\nClick here to reset your
password:\n{url}\n\nIf your are not the issuer of this request, please ignore
it.";
+$messages['resetsubject'] = "Reset your password";
+$messages['sendtokenhelp'] = "Enter your login and your password to reset your
password. Then click on the link in sent mail.";
+$messages['mail'] = "Mail";
+$messages['mailrequired'] = "Your mail is required";
+$messages['mailnomatch'] = "The mail does not match the submitted login";
+$messages['tokensent'] = "A confirmation mail has been sent";
+$messages['tokennotsent'] = "Error when sending confirmation mail";
+$messages['tokenrequired'] = "Token is required";
+$messages['tokennotvalid'] = "Token is not valid";
+$messages['resetbytokenhelp'] = "The token sent by mail allows you to reset
your password. To get a new token, <a href=\"?action=sendtoken\">click
here</a>.";
+
?>
Modified: self-service-password/trunk/lang/fr.inc.php
===================================================================
--- self-service-password/trunk/lang/fr.inc.php 2010-05-12 13:50:52 UTC (rev 79)
+++ self-service-password/trunk/lang/fr.inc.php 2010-06-08 13:03:36 UTC (rev 80)
@@ -68,5 +68,16 @@
$messages['answernomatch'] = "Votre réponse est incorrecte";
$messages['resetbyquestionshelp'] = "Choisissez une question et répondez-y
pour réinitialiser pour votre mot de passe. Vous devez avoir au préalable <a
href=\"?action=setquestions\">enregistré une réponse</a>.";
$messages['changehelp'] = "Entrez votre ancien mot de passe et choisissez-en
un nouveau. Si vous avez oublié votre ancien mot de passen vous pouvez essayer
de le <a href=\"?action=resetbyquestions\">réinitialiser en répondant aux
questions</a>.";
+$messages['resetmessage'] = "Bonjour {login},\n\nCliquez ici pour
réinitialiser votre mot de passe :\n{url}\n\nSi vous n'êtes pas à l'origine de
cette demande, merci de l'ignorer.";
+$messages['resetsubject'] = "Réinitialisation de votre mot de passe";
+$messages['sendtokenhelp'] = "Entrez votre identifiant et votre adresse mail
pour réinitialiser votre mot de passe. Cliquez ensuite sur le lien transmis par
mail.";
+$messages['mail'] = "Adresse mail";
+$messages['mailrequired'] = "Vous devez indiquer votre adresse mail";
+$messages['mailnomatch'] = "L'adresse mail ne correspond pas à l'identifiant
donné";
+$messages['tokensent'] = "Un mail de confirmation a été envoyé";
+$messages['tokennotsent'] = "Erreur lors de l'envoi du mail de confirmation";
+$messages['tokenrequired'] = "Le jeton de réinitialisation est requis";
+$messages['tokennotvalid'] = "Le jeton n'est pas valide";
+$messages['resetbytokenhelp'] = "Le jeton envoyé par mail vous permet de
réinitialiser votre mot de passe. Pour recevoir un nouveau jeton, <a
href=\"?action=sendtoken\">cliquez ici</a>.";
?>
Modified: self-service-password/trunk/pages/resetbyquestions.php
===================================================================
--- self-service-password/trunk/pages/resetbyquestions.php 2010-05-12
13:50:52 UTC (rev 79)
+++ self-service-password/trunk/pages/resetbyquestions.php 2010-06-08
13:03:36 UTC (rev 80)
@@ -19,7 +19,7 @@
#
#==============================================================================
-# This page is called to reset a password trsuting question/anwser
+# This page is called to reset a password trusting question/anwser
#==============================================================================
# POST parameters
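Review bot: The corrected header comment still contains `anwser`, and the second hunk's corrected comment (`# Check and register new passord`) still reads `passord`; the same `passord` spelling is carried into the new resetbytoken.php header. Suggest `# This page is called to reset a password trusting question/answer` and `# Check and register new password`.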
@@ -115,7 +115,7 @@
}}}}
#==============================================================================
-# Check and regsiter new passord
+# Check and register new passord
#==============================================================================
# Match new and confirm password
if ( $result === "" ) {
Added: self-service-password/trunk/pages/resetbytoken.php
===================================================================
--- self-service-password/trunk/pages/resetbytoken.php
(rev 0)
+++ self-service-password/trunk/pages/resetbytoken.php 2010-06-08 13:03:36 UTC
(rev 80)
@@ -0,0 +1,178 @@
+<?php
+#==============================================================================
+# LTB Self Service Password
+#
+# Copyright (C) 2009 Clement OUDOT
+# Copyright (C) 2009 LTB-project.org
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# GPL License: http://www.gnu.org/licenses/gpl.txt
+#
+#==============================================================================
+
+# This page is called to reset a password when a valid token is found in URL
+
+#==============================================================================
+# POST parameters
+#==============================================================================
+# Initiate vars
+$result = "";
+$login = "";
+$token = "";
+$newpassword = "";
+$confirmpassword = "";
+$ldap = "";
+$userdn = "";
+if (!isset($pwd_forbidden_chars)) { $pwd_forbidden_chars=""; }
+
+if (isset($_REQUEST["token"]) and $_REQUEST["token"]) { $token =
$_REQUEST["token"]; }
+ else { $result = "tokenrequired"; }
+
+#==============================================================================
+# Get token
+#==============================================================================
+if ( $result === "" ) {
+
+ # Open session with URL SID
+ # Warning, set session.use_only_cookies = 0 in php.ini
+ session_name("token");
+ session_start();
+ $login = $_SESSION['login'];
+
+ if ( !$login ) {
+ $result = "tokennotvalid";
+ error_log("Unable to open session with ".SID);
+ }
+}
+
+#==============================================================================
+# Get passwords
+#==============================================================================
+if ( $result === "" ) {
+
+ if (isset($_POST["confirmpassword"]) and $_POST["confirmpassword"]) {
$confirmpassword = $_POST["confirmpassword"]; }
+ else { $result = "confirmpasswordrequired"; }
+ if (isset($_POST["newpassword"]) and $_POST["newpassword"]) { $newpassword
= $_POST["newpassword"]; }
+ else { $result = "newpasswordrequired"; }
+
+ # Strip slashes added by PHP
+ $newpassword = stripslashes_if_gpc_magic_quotes($newpassword);
+ $confirmpassword = stripslashes_if_gpc_magic_quotes($confirmpassword);
+}
+
+#==============================================================================
+# Find user
+#==============================================================================
+if ( $result === "" ) {
+
+ # Connect to LDAP
+ $ldap = ldap_connect($ldap_url);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+
+ # Bind
+ if ( isset($ldap_binddn) && isset($ldap_bindpw) ) {
+ $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
+ } else {
+ $bind = ldap_bind($ldap);
+ }
+
+ $errno = ldap_errno($ldap);
+ if ( $errno ) {
+ $result = "ldaperror";
+ error_log("LDAP - Bind error $errno (".ldap_error($ldap).")");
+ } else {
+
+ # Search for user
+ $ldap_filter = str_replace("{login}", $login, $ldap_filter);
+ $search = ldap_search($ldap, $ldap_base, $ldap_filter);
+
+ $errno = ldap_errno($ldap);
+ if ( $errno ) {
+ $result = "ldaperror";
+ error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
+ } else {
+
+ # Get user DN
+ $entry = ldap_first_entry($ldap, $search);
+ $userdn = ldap_get_dn($ldap, $entry);
+
+ if( !$userdn ) {
+ $result = "badcredentials";
+ error_log("LDAP - User $login not found");
+ }
+
+}}}
+
+#==============================================================================
+# Check and register new passord
+#==============================================================================
+# Match new and confirm password
+if ( $result === "" ) {
+ if ( $newpassword != $confirmpassword ) { $result="nomatch"; }
+}
+
+# Check password strength
+if ( $result === "" ) {
+ $result = check_password_strength( $newpassword, $pwd_special_chars,
$pwd_forbidden_chars, $pwd_min_length, $pwd_max_length, $pwd_min_lower,
$pwd_min_upper, $pwd_min_digit, $pwd_min_special );
+}
+
+# Change password
+if ($result === "") {
+ $result = change_password($ldap, $userdn, $newpassword, $ad_mode,
$samba_mode, $hash);
+}
+
+#==============================================================================
+# HTML
+#==============================================================================
+?>
+
+<div class="result <?php echo get_criticity($result) ?>">
+<h2 class="<?php echo get_criticity($result) ?>"><?php echo
$messages[$result]; ?></h2>
+</div>
+
+<?php if ( $result !== "passwordchanged" ) { ?>
+
+<?php
+if ( $show_help ) {
+ echo "<div class=\"help\"><p>";
+ echo $messages["resetbytokenhelp"];
+ echo "</p></div>\n";
+}
+?>
+
+<?php
+if ( $pwd_show_policy ) {
+ show_policy($messages,
+ $pwd_min_length, $pwd_max_length,
+ $pwd_min_lower, $pwd_min_upper,
+ $pwd_min_digit, $pwd_min_special,
+ $pwd_forbidden_chars
+ );
+}
+?>
+
+<form action="#" method="post">
+ <input type="hidden" name="token" value="<?php echo htmlentities($token)
?>" />
+ <table>
+ <tr><th><?php echo $messages["login"]; ?></th>
+ <td><p><?php echo htmlentities($login) ?></p></td></tr>
+ <tr><th><?php echo $messages["newpassword"]; ?></th>
+ <td><input type="password" name="newpassword" /></td></tr>
+ <tr><th><?php echo $messages["confirmpassword"]; ?></th>
+ <td><input type="password" name="confirmpassword" /></td></tr>
+ <tr><td colspan="2">
+ <input type="submit" value="<?php echo $messages['submit']; ?>"
/></td></tr>
+ </table>
+</form>
+
+<?php } ?>
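Review bot: A used token is never invalidated: the `# Change password` block leaves the session that carries `$_SESSION['login']` alive after change_password() succeeds, so the same `token` value can be replayed to reset the password again until the session is garbage-collected, and nothing records when the token was issued. Make it single-use by clearing the session once the change is reported, e.g. `if ( $result === "passwordchanged" ) { $_SESSION = array(); session_destroy(); }` after the change_password() call, and consider storing an issue timestamp in sendtoken.php and rejecting old tokens here. Separately, `$login = $_SESSION['login'];` in the `# Get token` block raises a notice when the session has no such key (an unknown or expired token); `$login = isset($_SESSION['login']) ? $_SESSION['login'] : "";` keeps the `tokennotvalid` path quiet.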
Added: self-service-password/trunk/pages/sendtoken.php
===================================================================
--- self-service-password/trunk/pages/sendtoken.php
(rev 0)
+++ self-service-password/trunk/pages/sendtoken.php 2010-06-08 13:03:36 UTC
(rev 80)
@@ -0,0 +1,175 @@
+<?php
+#==============================================================================
+# LTB Self Service Password
+#
+# Copyright (C) 2009 Clement OUDOT
+# Copyright (C) 2009 LTB-project.org
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# GPL License: http://www.gnu.org/licenses/gpl.txt
+#
+#==============================================================================
+
+# This page is called to send a reset token by mail
+
+#==============================================================================
+# POST parameters
+#==============================================================================
+# Initiate vars
+$result = "";
+$login = "";
+$mail = "";
+$ldap = "";
+$userdn = "";
+
+if (isset($_POST["mail"]) and $_POST["mail"]) { $mail = $_POST["mail"]; }
+ else { $result = "mailrequired"; }
+if (isset($_REQUEST["login"]) and $_REQUEST["login"]) { $login =
$_REQUEST["login"]; }
+ else { $result = "loginrequired"; }
+
+# Strip slashes added by PHP
+$login = stripslashes_if_gpc_magic_quotes($login);
+$mail = stripslashes_if_gpc_magic_quotes($mail);
+
+#==============================================================================
+# Check mail
+#==============================================================================
+if ( $result === "" ) {
+
+ # Connect to LDAP
+ $ldap = ldap_connect($ldap_url);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
+
+ # Bind
+ if ( isset($ldap_binddn) && isset($ldap_bindpw) ) {
+ $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
+ } else {
+ $bind = ldap_bind($ldap);
+ }
+
+ $errno = ldap_errno($ldap);
+ if ( $errno ) {
+ $result = "ldaperror";
+ error_log("LDAP - Bind error $errno (".ldap_error($ldap).")");
+ } else {
+
+ # Search for user
+ $ldap_filter = str_replace("{login}", $login, $ldap_filter);
+ $search = ldap_search($ldap, $ldap_base, $ldap_filter);
+
+ $errno = ldap_errno($ldap);
+ if ( $errno ) {
+ $result = "ldaperror";
+ error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
+ } else {
+
+ # Get user DN
+ $entry = ldap_first_entry($ldap, $search);
+ $userdn = ldap_get_dn($ldap, $entry);
+
+ if( !$userdn ) {
+ $result = "badcredentials";
+ error_log("LDAP - User $login not found");
+ } else {
+
+ # Compare mail values
+ $mailValues = ldap_get_values($ldap, $entry, $mail_attribute);
+ unset($mailValues["count"]);
+ $match = 0;
+
+ # Match with user submitted values
+ foreach ($mailValues as $mailValue) {
+ if (preg_match("/^$mail$/i", $mailValue)) {
+ $match = 1;
+ }
+ }
+
+ if (!$match) {
+ $result = "mailnomatch";
+ error_log("Mail $mail does not match for user $login");
+ }
+
+}}}}
+
+#==============================================================================
+# Build and store token
+#==============================================================================
+if ( $result === "" ) {
+
+ # Use PHP session to register token
+ # We do not generate cookie, we just use SID to generate URL
+ session_name("token");
+ session_start();
+ $_SESSION['login'] = $login;
+
+}
+
+#==============================================================================
+# Send token by mail
+#==============================================================================
+if ( $result === "" ) {
+
+ # Build reset by token URL
+ $method = "http";
+ if ( $_SERVER['HTTPS'] ) { $method .= "s"; }
+ $server_name = $_SERVER['SERVER_NAME'];
+ $script_name = $_SERVER['SCRIPT_NAME'];
+
+ $reset_url =
$method."://".$server_name.$script_name."?action=resetbytoken&".SID;
+error_log($reset_url);
+ # Replace some values in reset message
+ $reset_message = $messages["resetmessage"];
+ $reset_message = str_replace("{login}", $login, $reset_message);
+ $reset_message = str_replace("{mail}", $mail, $reset_message);
+ $reset_message = str_replace("{url}", $reset_url, $reset_message);
+
+ # Send message
+ if ( mail($mail, $messages["resetsubject"], $reset_message) ) {
+ $result = "tokensent";
+ } else {
+ $result = "tokennotsent";
+ error_log("Error while sending token to $mail (user $login)");
+ }
+}
+
+#==============================================================================
+# HTML
+#==============================================================================
+?>
+
+<div class="result <?php echo get_criticity($result) ?>">
+<h2 class="<?php echo get_criticity($result) ?>"><?php echo
$messages[$result]; ?></h2>
+</div>
+
+<?php if ( $result !== "tokensent" ) { ?>
+
+<?php
+if ( $show_help ) {
+ echo "<div class=\"help\"><p>";
+ echo $messages["sendtokenhelp"];
+ echo "</p></div>\n";
+}
+?>
+
+<form action="#" method="post">
+ <table>
+ <tr><th><?php echo $messages["login"]; ?></th>
+ <td><input type="text" name="login" value="<?php echo htmlentities($login)
?>" /></td></tr>
+ <tr><th><?php echo $messages["mail"]; ?></th>
+ <td><input type="text" name="mail" /></td></tr>
+ <tr><td colspan="2">
+ <input type="submit" value="<?php echo $messages['submit']; ?>"
/></td></tr>
+ </table>
+</form>
+
+<?php } ?>
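Review bot: The reset token is the PHP session id, and `session_start()` in the `# Build and store token` block adopts an id the client already supplied with the request (the page depends on `session.use_only_cookies = 0`, so a `token` parameter sent along with the login and mail selects the session that receives `$_SESSION['login']`); the id must be replaced server-side before anything is stored: `session_start(); session_regenerate_id(true); $_SESSION['login'] = $login;` (and build the URL from `session_name() . "=" . session_id()` instead of `SID` if the constant turns out not to track the new id). `error_log($reset_url);` writes the complete reset URL, token included, to the error log and looks like a leftover debug line that should be removed. The mail check `preg_match("/^$mail$/i", $mailValue)` interpolates the submitted address into a pattern, so metacharacters in it are interpreted and the check is not a literal comparison; `strcasecmp($mail, $mailValue) === 0` is the literal equivalent, and mailing the matched LDAP value rather than the submitted string removes the dependency on user input entirely. `$_SERVER['HTTPS']` is read without isset() and is set to `"off"` by some servers; `$method = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";` covers both.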