Revision: 1276
http://mrbs.svn.sourceforge.net/mrbs/?rev=1276&view=rev
Author: cimorrison
Date: 2009-12-08 14:10:13 +0000 (Tue, 08 Dec 2009)
Log Message:
-----------
Added the ability to set a password strength policy when using the 'db'
authentication scheme. The policy can be defined in terms of minimum length
and minimum numbers of alpha, lower-case, upper-case, numeric and special (i.e.
non-alphanumeric) characters. The validation is only server side at the
moment. Client side validation is not included yet as JavaScript's native
support for Unicode pattern matching is very limited.
Modified Paths:
--------------
mrbs/trunk/web/edit_users.php
mrbs/trunk/web/lang.en
mrbs/trunk/web/systemdefaults.inc.php
Modified: mrbs/trunk/web/edit_users.php
===================================================================
--- mrbs/trunk/web/edit_users.php 2009-11-27 00:27:00 UTC (rev 1275)
+++ mrbs/trunk/web/edit_users.php 2009-12-08 14:10:13 UTC (rev 1276)
@@ -54,7 +54,60 @@
$name_not_unique = get_form_var('name_not_unique', 'int');
$taken_name = get_form_var('taken_name', 'string');
$pwd_not_match = get_form_var('pwd_not_match', 'string');
+$pwd_invalid = get_form_var('pwd_invalid', 'string');
+// Validates that the password conforms to the password policy
+// (Ideally this function should also be matched by client-side
+// validation, but unfortunately JavaScript's native support for Unicode
+// pattern matching is very limited. Would need to be implemented using
+// an add-in library).
+function validate_password($password)
+{
+ global $pwd_policy, $unicode_encoding;
+
+ if (isset($pwd_policy))
+ {
+ // Set up regular expressions. Use p{Ll} instead of [a-z] etc.
+ // to make sure accented characters are included
+ $pattern = array('alpha' => '/\p{L}/',
+ 'lower' => '/\p{Ll}/',
+ 'upper' => '/\p{Lu}/',
+ 'numeric' => '/\p{N}/',
+ 'special' => '/[^\p{L}|\p{N}]/');
+ // Check for conformance to each rule
+ foreach($pwd_policy as $rule => $value)
+ {
+ switch($rule)
+ {
+ case 'length':
+ // assumes that the site has enabled multi-byte string function
+ // overloading if necessary in php.ini
+ if (strlen($password) < $pwd_policy[$rule])
+ {
+ return FALSE;
+ }
+ break;
+ default:
+ if ($unicode_encoding)
+ {
+ // turn on Unicode matching
+ $pattern[$rule] .= 'u';
+ }
+ $n = preg_match_all($pattern[$rule], $password, $matches);
+ if (($n === FALSE) || ($n < $pwd_policy[$rule]))
+ {
+ return FALSE;
+ }
+ break;
+ }
+ }
+ }
+
+ // Everything is OK
+ return TRUE;
+}
+
+
$fields = array();
$field_props = array();
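Review bot: The `special` entry of the `$pattern` array, `'/[^\p{L}|\p{N}]/'`, places a literal `|` inside the character class (alternation is implicit within brackets), so a pipe character is excluded from the class and never counts towards the `special` minimum; the entry should read `'special' => '/[^\p{L}\p{N}]/');`. The `default` branch also assumes every key of `$pwd_policy` has a pattern: a misspelled rule name in the configuration leaves `$pattern[$rule]` undefined, the appended `u` becomes the whole pattern, `preg_match_all` returns FALSE and every password is rejected with nothing to say why, so the branch should check `isset($pattern[$rule])` and report the misconfiguration before failing closed. The `length` rule depends on mbstring function overloading in php.ini for `strlen` to count characters rather than bytes, as the comment admits; using `mb_strlen` when the extension is present removes that dependency (note that `mb_strlen` without an explicit encoding uses the mbstring internal encoding, which the site configuration should set). The rewritten parts are shown below; the modifier handling and the final `return TRUE` are unchanged.
```php
function validate_password($password)
{
  global $pwd_policy, $unicode_encoding;

  if (isset($pwd_policy))
  {
    // Inside a character class '|' is a literal, so it must not appear in 'special'
    $pattern = array('alpha'   => '/\p{L}/',
                     'lower'   => '/\p{Ll}/',
                     'upper'   => '/\p{Lu}/',
                     'numeric' => '/\p{N}/',
                     'special' => '/[^\p{L}\p{N}]/');
    foreach ($pwd_policy as $rule => $value)
    {
      switch ($rule)
      {
        case 'length':
          // Count characters rather than bytes when mbstring is available,
          // so the rule does not depend on function overloading in php.ini
          $length = function_exists('mb_strlen') ? mb_strlen($password) : strlen($password);
          if ($length < $value)
          {
            return FALSE;
          }
          break;
        default:
          if (!isset($pattern[$rule]))
          {
            // Unknown rule name in $pwd_policy: fail closed, but say why
            trigger_error("Unknown password policy rule '$rule'", E_USER_WARNING);
            return FALSE;
          }
          // … unchanged: append 'u' modifier, preg_match_all and count check …
      }
    }
  }
  // … unchanged: return TRUE …
}
```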
@@ -316,6 +369,19 @@
{
echo "<p class=\"error\">" . get_vocab("passwords_not_eq") .
"</p>\n";
}
+ if (!empty($pwd_invalid))
+ {
+ echo "<p class=\"error\">" . get_vocab("password_invalid") .
"</p>\n";
+ if (isset($pwd_policy))
+ {
+ echo "<ul class=\"error\">\n";
+ foreach ($pwd_policy as $rule => $value)
+ {
+ echo "<li>$value " . get_vocab("policy_" . $rule) . "</li>\n";
+ }
+ echo "</ul>\n";
+ }
+ }
if ($editing_last_admin)
{
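Review bot: The policy list line `echo "<li>$value " . get_vocab("policy_" . $rule) . "</li>\n";` writes the configured `$value` into the page unescaped; in the shipped defaults these are admin-set integers, but nothing in this hunk enforces that, and output should be escaped for the HTML context as a matter of course: `echo "<li>" . htmlspecialchars($value) . " " . get_vocab("policy_" . $rule) . "</li>\n";`. The loop also looks up a `policy_<rule>` vocab entry for every key of `$pwd_policy`, so a rule name that has no entry in lang.en renders whatever `get_vocab()` returns for a missing key; since `validate_password()` recognises only the six names documented in systemdefaults.inc.php, restricting the list to those keys would keep the two in step.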
@@ -471,6 +537,12 @@
$valid_data = FALSE;
$q_string .= "&pwd_not_match=1";
}
+ // check that the password conforms to the password policy
+ if (!validate_password($password0))
+ {
+ $valid_data = FALSE;
+ $q_string .= "&pwd_invalid=1";
+ }
break;
case 'email':
// check that the email address is valid
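Review bot: The new `validate_password($password0)` call runs on every pass through this `case`, but the enclosing `case` and the condition leading to it start outside the hunk, so it is not visible whether an empty `$password0` can reach it; the `password_twice` text in lang.en suggests a blank password means "do not change", and the `pwd_not_match` check above does not stop that case because two empty strings are equal. If there is no guard further up, a configured `length` rule would reject every edit that leaves the password unchanged. Guarding the call, `if (($password0 !== '') && !validate_password($password0))`, keeps the policy applied only to a password that is actually being set, and the outer check, if one exists, should be referenced in a comment here so the next reader does not have to trace it.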
@@ -575,7 +647,6 @@
/* DEBUG lines - check the actual sql statement going into the db */
//echo "Final SQL string: <code>$operation</code>";
//exit;
-
$r = sql_command($operation);
if ($r == -1)
{
Modified: mrbs/trunk/web/lang.en
===================================================================
--- mrbs/trunk/web/lang.en 2009-11-27 00:27:00 UTC (rev 1275)
+++ mrbs/trunk/web/lang.en 2009-12-08 14:10:13 UTC (rev 1276)
@@ -157,6 +157,13 @@
$vocab["user_email"] = "Email address";
$vocab["password_twice"] = "If you wish to change the password, please
type the new password twice";
$vocab["passwords_not_eq"] = "The passwords did not match!";
+$vocab["password_invalid"] = "The password does not conform to the policy.
It must contain at least:";
+$vocab["policy_length"] = "character(s)";
+$vocab["policy_alpha"] = "letter(s)";
+$vocab["policy_lower"] = "lower-case letter(s)";
+$vocab["policy_upper"] = "upper-case letter(s)";
+$vocab["policy_numeric"] = "numeric character(s)";
+$vocab["policy_special"] = "special character(s)";
$vocab["add_new_user"] = "Add a new user";
$vocab["action"] = "Action";
$vocab["user"] = "User";
Modified: mrbs/trunk/web/systemdefaults.inc.php
===================================================================
--- mrbs/trunk/web/systemdefaults.inc.php 2009-11-27 00:27:00 UTC (rev
1275)
+++ mrbs/trunk/web/systemdefaults.inc.php 2009-12-08 14:10:13 UTC (rev
1276)
@@ -448,10 +448,16 @@
// The lowest level of admin allowed to edit other users
$min_user_editing_level = 2;
-// If you want only administrators to be able to book slots, set this
-// variable to TRUE
-$auth['only_admin_can_book'] = FALSE;
+// Password policy. Uncomment the variables and set them to the
+// required values as appropriate.
+// $pwd_policy['length'] = 6; // Minimum length
+// $pwd_policy['alpha'] = 1; // Minimum number of alpha characters
+// $pwd_policy['lower'] = 1; // Minimum number of lower case characters
+// $pwd_policy['upper'] = 1; // Minimum number of upper case characters
+// $pwd_policy['numeric'] = 1; // Minimum number of numeric characters
+// $pwd_policy['special'] = 1; // Minimum number of special characters (not
alpha-numeric)
+
// 'auth_db_ext' configuration settings
// The 'db_system' variable is equivalent to the core MRBS $dbsys variable,
// and allows you to use any of MRBS's database abstraction layers for
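Review bot: The commented-out `$pwd_policy` examples do not say that only these six rule names are recognised: `validate_password()` in edit_users.php, added in this same commit, has regular expressions only for `alpha`, `lower`, `upper`, `numeric` and `special`, and any other key reaches a missing pattern and causes every password to be rejected. A line such as `// Only the rule names shown below are recognised; any other key makes every password fail validation.` above the examples would stop that misconfiguration at the source. The `length` comment should also say whether the minimum is measured in characters or bytes, since the check uses `strlen()` and its meaning for multi-byte passwords depends on the site's mbstring overloading setting.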
@@ -528,6 +534,10 @@
// 'auth_smtp' configuration settings
$auth['smtp']['server'] = 'myserver.example.org';
+// General settings
+// If you want only administrators to be able to book slots, set this
+// variable to TRUE
+$auth['only_admin_can_book'] = FALSE;
/**********************************************
* Email settings