From: <gem...@li...> - 2012-04-05 12:12:51
Revision: 597 http://gemstracker.svn.sourceforge.net/gemstracker/?rev=597&view=rev Author: matijsdejong Date: 2012-04-05 12:12:41 +0000 (Thu, 05 Apr 2012) Log Message: ----------- Fixed security leak that allowed login without a password Added reset key duration to mail template fields for reset Modified Paths: -------------- trunk/library/classes/Gems/Default/IndexAction.php trunk/library/classes/Gems/User/DbUserDefinitionAbstract.php trunk/library/classes/Gems/User/RadiusUserDefinition.php trunk/library/classes/Gems/User/User.php trunk/library/classes/Gems/User/UserDefinitionAbstract.php trunk/library/classes/Gems/User/UserDefinitionInterface.php trunk/library/languages/default-en.mo trunk/library/languages/default-en.po trunk/library/languages/default-nl.mo trunk/library/languages/default-nl.po Modified: trunk/library/classes/Gems/Default/IndexAction.php =================================================================== --- trunk/library/classes/Gems/Default/IndexAction.php 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/classes/Gems/Default/IndexAction.php 2012-04-05 12:12:41 UTC (rev 597) @@ -134,7 +134,7 @@ */ protected function displayLoginForm(Gems_User_Form_LoginForm $form) { - $form->getUser()->setAsCurrentUser(); + $this->setCurrentOrganizationTo($form->getUser()); $this->view->form = $form; } @@ -148,7 +148,7 @@ protected function displayResetForm(Gems_Form_AutoLoadFormAbstract $form, $errors, Gems_User_User $user = null) { if ($form instanceof Gems_User_Form_ResetRequestForm) { - $form->getUser()->setAsCurrentUser(); + $user = $form->getUser(); $this->html->h3($this->_('Request password reset')); 
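Review bot: The replacement line in displayLoginForm still passes `$form->getUser()`, a user looked up from the unauthenticated login name, into session state before any password is checked, and nothing records why the previous `setAsCurrentUser()` call amounted to a password-less login. A why-comment above the new call would keep it from being reintroduced: `// The form user is not authenticated yet: copy only its organization onto the session, never call setAsCurrentUser() on it.` If the rendered page shows the organization (name, logo), the switch also lets a visitor confirm that a login name exists, so consider deferring it until the login form validates. The second hunk on this line opens displayResetForm, whose body continues past the hunk.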
@@ -158,9 +158,10 @@ } else { $p->append($this->_('Please enter your username or e-mail address. ')); } - $p->append($this->_('We will then send you an e-mail with a link you can use to reset your password.')); + $this->html->p($this->_('We will then send you an e-mail with a link. The link will bring you to a page where you can set a new password of your choice.')); } elseif ($form instanceof Gems_User_Form_ChangePasswordForm) { + $form->getUser()->getCurrentOrganization()->setAsCurrentOrganization(); if ($user->hasPassword()) { $this->html->h3($this->_('Execute password reset')); $p = $this->html->pInfo($this->_('We received your password reset request.')); @@ -177,6 +178,10 @@ $this->addMessage($errors); } + if ($user) { + $this->setCurrentOrganizationTo($user); + } + $this->html->append($form); } 
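Review bot: The ChangePasswordForm branch switches organization directly through `$form->getUser()->getCurrentOrganization()->setAsCurrentOrganization();` while the new tail of the method switches again via `$this->setCurrentOrganizationTo($user)`, so that branch switches twice and by two different routes. If the two calls are equivalent, replacing the direct call with `$this->setCurrentOrganizationTo($form->getUser());` leaves one helper as the only place that touches the session during reset, which is easier to keep from ever promoting the form user. In the ResetRequestForm branch `$user` is now taken from `$form->getUser()`, i.e. from whatever name was typed into the form, so the trailing `if ($user)` switch is driven by unauthenticated input and, where the organization is visible on the page, reveals whether that name exists. displayResetForm begins before these hunks.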
@@ -333,8 +338,31 @@ public function sendUserResetEMail(Gems_User_User $user) { $subjectTemplate = $this->_('Password reset requested'); + /* CANNOT BE TESTED TODAY + $bbBodyTemplate = $this->_("Dear {greeting}, + +A new password was requested for your [b]{organization}[/b] site [b]{project}[/b], please click within {reset_in_hours} hours on [url={reset_url}]this link[/url] to enter the password of your choice. + +{organization_signature} + +[url={reset_url}]{reset_url}[/url] +"); // */ $bbBodyTemplate = $this->_("To set a new password for the [b]{organization}[/b] site [b]{project}[/b], please click on this link:\n{reset_url}"); return $user->sendMail($subjectTemplate, $bbBodyTemplate, true); } + + /** + * Helper function to safely switch org during login + * + * @param Gems_User_User $user + */ + protected function setCurrentOrganizationTo(Gems_User_User $user) + { + $current = $this->loader->getCurrentUser(); + + if ($current !== $user) { + $current->setCurrentOrganization($user->getCurrentOrganization()); + } + } } Modified: trunk/library/classes/Gems/User/DbUserDefinitionAbstract.php =================================================================== --- trunk/library/classes/Gems/User/DbUserDefinitionAbstract.php 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/classes/Gems/User/DbUserDefinitionAbstract.php 2012-04-05 12:12:41 UTC (rev 597) @@ -53,7 +53,7 @@ protected $db; /** - * The time period in hours a reset key is valid for this user. + * The time period in hours a reset key is valid for this definition. * * @var int */ Modified: trunk/library/classes/Gems/User/RadiusUserDefinition.php =================================================================== --- trunk/library/classes/Gems/User/RadiusUserDefinition.php 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/classes/Gems/User/RadiusUserDefinition.php 2012-04-05 12:12:41 UTC (rev 597) 
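Review bot: The docblock of the new setCurrentOrganizationTo helper says "safely switch org during login" but leaves out the invariant the fix rests on: `$user` comes from an unauthenticated form and must never become the current user. Suggested docblock wording: `Copies the organization of $user onto the current (not yet authenticated) user. $user is taken from a form and is not logged in; never call setAsCurrentUser() on it.` The `$current !== $user` identity check only skips the copy when the loader returns the very same instance; a different instance of the same user just copies its own organization back, which looks harmless but deserves a one-line comment. The commented-out template marked "CANNOT BE TESTED TODAY" is dead code inside a security fix and, as written, `{reset_in_hours}` would print 0 for any definition that keeps the abstract default; drop it or track it in the issue tracker.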
@@ -47,7 +47,7 @@ * @license New BSD License * @since Class available since version 1.5 */ -class Gems_User_RadiusUserDefinition extends Gems_User_StaffUserDefinition implements Gems_User_UserDefinitionInterface, Gems_User_UserDefinitionConfigurableInterface +class Gems_User_RadiusUserDefinition extends Gems_User_StaffUserDefinition implements Gems_User_UserDefinitionConfigurableInterface { /** * @var Gems_Model_JoinModel Modified: trunk/library/classes/Gems/User/User.php =================================================================== --- trunk/library/classes/Gems/User/User.php 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/classes/Gems/User/User.php 2012-04-05 12:12:41 UTC (rev 597) 
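Review bot: The class declaration drops `implements Gems_User_UserDefinitionInterface`, which is only safe if Gems_User_StaffUserDefinition, outside this diff, already declares the interface; otherwise `instanceof` checks against it stop matching RADIUS users. Since the same commit adds getResetKeyDurationInHours() to that interface, a short comment on the class, `// Gems_User_UserDefinitionInterface is inherited from Gems_User_StaffUserDefinition`, would make the dependency explicit.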
@@ -763,21 +763,22 @@ $orgResults = $org->getMailFields(); $projResults = $this->project->getMailFields(); - $result['bcc'] = $projResults['project_bcc']; - $result['email'] = $this->getEmailAddress(); - $result['first_name'] = $this->_getVar('user_first_name'); - $result['from'] = $this->getFrom(); - $result['full_name'] = trim($this->getGenderHello($locale) . ' ' . $this->getFullName()); - $result['greeting'] = $this->getGreeting($locale); - $result['last_name'] = ltrim($this->_getVar('user_surname_prefix') . ' ') . $this->_getVar('user_last_name'); - $result['login_url'] = $orgResults['organization_login_url']; - $result['name'] = $this->getFullName(); + $result['bcc'] = $projResults['project_bcc']; + $result['email'] = $this->getEmailAddress(); + $result['first_name'] = $this->_getVar('user_first_name'); + $result['from'] = $this->getFrom(); + $result['full_name'] = trim($this->getGenderHello($locale) . ' ' . $this->getFullName()); + $result['greeting'] = $this->getGreeting($locale); + $result['last_name'] = ltrim($this->_getVar('user_surname_prefix') . ' ') . $this->_getVar('user_last_name'); + $result['login_url'] = $orgResults['organization_login_url']; + $result['name'] = $this->getFullName(); $result = $result + $orgResults + $projResults; - $result['reset_ask'] = $orgResults['organization_login_url'] . '/index/resetpassword'; - $result['reply_to'] = $result['from']; - $result['to'] = $result['email']; + $result['reset_ask'] = $orgResults['organization_login_url'] . '/index/resetpassword'; + $result['reset_in_hours'] = $this->definition->getResetKeyDurationInHours(); + $result['reply_to'] = $result['from']; + $result['to'] = $result['email']; return $result; } 
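Review bot: `$result['reset_in_hours']` is set for every user from `$this->definition->getResetKeyDurationInHours()`, but the abstract definition elsewhere in this commit defaults that value to 0, so a template using `{reset_in_hours}` would ask the reader to click "within 0 hours" for any definition that never sets a duration. Either expose it only when positive, `$hours = $this->definition->getResetKeyDurationInHours();` followed by `$result['reset_in_hours'] = $hours > 0 ? $hours : '';`, or document the meaning of 0 next to the field. The remaining lines of the hunk are whitespace realignment of existing assignments; getMailFields starts before the hunk.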
@@ -813,8 +814,8 @@ */ public function getResetPasswordMailFields($locale = null) { - $result['reset_key'] = $this->getPasswordResetKey(); - $result['reset_url'] = $this->getBaseOrganization()->getLoginUrl() . '/index/resetpassword/key/' . $result['reset_key']; + $result['reset_key'] = $this->getPasswordResetKey(); + $result['reset_url'] = $this->getBaseOrganization()->getLoginUrl() . '/index/resetpassword/key/' . $result['reset_key']; return $result + $this->getMailFields($locale); } @@ -1089,7 +1090,7 @@ } catch (Exception $e) { return array( - $this->_('Unable to send e-mail.'), + $this->translate->_('Unable to send e-mail.'), $e->getMessage()); } } Modified: trunk/library/classes/Gems/User/UserDefinitionAbstract.php =================================================================== --- trunk/library/classes/Gems/User/UserDefinitionAbstract.php 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/classes/Gems/User/UserDefinitionAbstract.php 2012-04-05 12:12:41 UTC (rev 597) @@ -49,6 +49,13 @@ abstract class Gems_User_UserDefinitionAbstract extends MUtil_Registry_TargetAbstract implements Gems_User_UserDefinitionInterface { /** + * The time period in hours a reset key is valid for this definition. + * + * @var int + */ + protected $hoursResetKeyIsValid = 0; + + /** * Return true if a password reset key can be created. * * Returns the setting for the definition whan no user is passed, otherwise 
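Review bot: The catch block now translates the lead message through `$this->translate`, but it still returns `$e->getMessage()` as the second element; if the caller renders that array for whoever requested the reset, mail-transport details such as SMTP hosts and server replies reach an unauthenticated visitor. Log the exception instead and return only the translated text, `return array($this->translate->_('Unable to send e-mail.'));`, unless the caller is known to keep the second element out of the page. The enclosing method starts outside the hunk.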
@@ -100,6 +107,16 @@ } /** + * Returns the number of hours a reset key remains valud + * + * @return int + */ + public function getResetKeyDurationInHours() + { + return $this->hoursResetKeyIsValid; + } + + /** * Returns true when users using this definition are staff members. * * Used only when the definition does not return a user_staff field. Modified: trunk/library/classes/Gems/User/UserDefinitionInterface.php =================================================================== --- trunk/library/classes/Gems/User/UserDefinitionInterface.php 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/classes/Gems/User/UserDefinitionInterface.php 2012-04-05 12:12:41 UTC (rev 597) @@ -94,6 +94,13 @@ public function getPasswordResetKey(Gems_User_User $user); /** + * Returns the number of hours a reset key remains valud + * + * @return int + */ + public function getResetKeyDurationInHours(); + + /** * Returns a user object, that may be empty if the user is unknown. * * @param string $login_name Modified: trunk/library/languages/default-en.mo =================================================================== (Binary files differ) Modified: trunk/library/languages/default-en.po =================================================================== --- trunk/library/languages/default-en.po 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/languages/default-en.po 2012-04-05 12:12:41 UTC (rev 597) @@ -1,8 +1,8 @@ msgid "" msgstr "" -"Project-Id-Version: Pulse EN\n" +"Project-Id-Version: GemsTracker EN\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2012-04-03 18:47+0100\n" +"POT-Creation-Date: 2012-04-05 14:09+0100\n" "PO-Revision-Date: \n" "Last-Translator: Matijs de Jong <mj...@ma...>\n" "Language-Team: Erasmus MGZ <mat...@ma...>\n" 
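Review bot: The docblock on getResetKeyDurationInHours reads "remains valud" (a typo for "valid") and does not say what the default of 0 means. Suggested docblock text: `Returns the number of hours a reset key remains valid; 0 means this definition sets no duration.`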
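Review bot: Adding getResetKeyDurationInHours() to Gems_User_UserDefinitionInterface breaks any implementation outside this tree that implements the interface without extending Gems_User_UserDefinitionAbstract, and the commit message does not mention it. The docblock repeats the "remains valud" typo; use `Returns the number of hours a reset key remains valid; 0 means no duration is set.` and note the interface change in the changelog.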
@@ -1097,65 +1097,65 @@ msgstr "Please enter your username or e-mail address. " #: classes/Gems/Default/IndexAction.php:161 -msgid "We will then send you an e-mail with a link you can use to reset your password." -msgstr "We will then send you an e-mail with a link you can use to reset your password." +msgid "We will then send you an e-mail with a link. The link will bring you to a page where you can set a new password of your choice." +msgstr "We will then send you an e-mail with a link. The link will bring you to a page where you can set a new password of your choice." -#: classes/Gems/Default/IndexAction.php:165 +#: classes/Gems/Default/IndexAction.php:166 msgid "Execute password reset" msgstr "Execute password reset" -#: classes/Gems/Default/IndexAction.php:166 +#: classes/Gems/Default/IndexAction.php:167 msgid "We received your password reset request." msgstr "We received your password reset request." -#: classes/Gems/Default/IndexAction.php:169 +#: classes/Gems/Default/IndexAction.php:170 #, php-format msgid "Welcome to %s" msgstr "Welcome to %s" -#: classes/Gems/Default/IndexAction.php:170 +#: classes/Gems/Default/IndexAction.php:171 msgid "Welcome to this website." msgstr "Welcome to this website." -#: classes/Gems/Default/IndexAction.php:173 +#: classes/Gems/Default/IndexAction.php:174 msgid "Please enter your password of choice twice." msgstr "Please enter your password of choice twice." -#: classes/Gems/Default/IndexAction.php:207 +#: classes/Gems/Default/IndexAction.php:212 msgid "Your password must be changed." msgstr "Your password must be changed." -#: classes/Gems/Default/IndexAction.php:219 +#: classes/Gems/Default/IndexAction.php:224 #, php-format msgid "Login successful, welcome %s." msgstr "Login successful, welcome %s." -#: classes/Gems/Default/IndexAction.php:262 +#: classes/Gems/Default/IndexAction.php:267 #, php-format msgid "Good bye: %s." msgstr "Good bye: %s." 
-#: classes/Gems/Default/IndexAction.php:286 +#: classes/Gems/Default/IndexAction.php:291 msgid "Your password reset request is no longer valid, please request a new link." msgstr "Your password reset request is no longer valid, please request a new link." -#: classes/Gems/Default/IndexAction.php:288 +#: classes/Gems/Default/IndexAction.php:293 msgid "Your password input request is no longer valid, please request a new link." msgstr "Your password input request is no longer valid, please request a new link." -#: classes/Gems/Default/IndexAction.php:307 +#: classes/Gems/Default/IndexAction.php:312 msgid "We sent you an e-mail with a reset link. Click on the link in the e-mail." msgstr "We sent you an e-mail with a reset link. Click on the link in the e-mail." -#: classes/Gems/Default/IndexAction.php:315 +#: classes/Gems/Default/IndexAction.php:320 msgid "New password is active." msgstr "New password is active." -#: classes/Gems/Default/IndexAction.php:335 +#: classes/Gems/Default/IndexAction.php:340 msgid "Password reset requested" msgstr "Password reset requested" -#: classes/Gems/Default/IndexAction.php:336 +#: classes/Gems/Default/IndexAction.php:350 msgid "" "To set a new password for the [b]{organization}[/b] site [b]{project}[/b], please click on this link:\n" "{reset_url}" @@ -3633,11 +3633,11 @@ msgid "You are not allowed to login from this location." msgstr "You are not allowed to login from this location." -#: classes/Gems/User/User.php:1065 +#: classes/Gems/User/User.php:1066 msgid "Trying to send a password reset to a user that cannot be reset." msgstr "Trying to send a password reset to a user that cannot be reset." -#: classes/Gems/User/User.php:1092 +#: classes/Gems/User/User.php:1093 msgid "Unable to send e-mail." msgstr "Unable to send e-mail." 
@@ -3810,59 +3810,59 @@ msgid "Mr./Mrs." msgstr "Mr./Mrs." -#: classes/MUtil/Date.php:217 +#: classes/MUtil/Date.php:219 #, php-format msgid "%s ago" msgstr "%s ago" -#: classes/MUtil/Date.php:220 +#: classes/MUtil/Date.php:222 #, php-format msgid "%s to go" msgstr "%s to go" -#: classes/MUtil/Date.php:231 +#: classes/MUtil/Date.php:233 msgid "second" msgid_plural "seconds" msgstr[0] "second" msgstr[1] "seconds" -#: classes/MUtil/Date.php:234 +#: classes/MUtil/Date.php:236 msgid "minute" msgid_plural "minutes" msgstr[0] "minute" msgstr[1] "minutes" -#: classes/MUtil/Date.php:237 +#: classes/MUtil/Date.php:239 msgid "hour" msgid_plural "hours" msgstr[0] "hour" msgstr[1] "hours" -#: classes/MUtil/Date.php:240 +#: classes/MUtil/Date.php:242 msgid "day" msgid_plural "days" msgstr[0] "day" msgstr[1] "days" -#: classes/MUtil/Date.php:243 +#: classes/MUtil/Date.php:245 msgid "week" msgid_plural "weeks" msgstr[0] "week" msgstr[1] "weeks" -#: classes/MUtil/Date.php:246 +#: classes/MUtil/Date.php:248 msgid "month" msgid_plural "months" msgstr[0] "month" msgstr[1] "months" -#: classes/MUtil/Date.php:249 +#: classes/MUtil/Date.php:251 msgid "year" msgid_plural "years" msgstr[0] "year" msgstr[1] "years" -#: classes/MUtil/Date.php:252 +#: classes/MUtil/Date.php:254 msgid "decade" msgid_plural "decades" msgstr[0] "decade" Modified: trunk/library/languages/default-nl.mo =================================================================== (Binary files differ) Modified: trunk/library/languages/default-nl.po =================================================================== --- trunk/library/languages/default-nl.po 2012-04-04 18:33:08 UTC (rev 596) +++ trunk/library/languages/default-nl.po 2012-04-05 12:12:41 UTC (rev 597) 
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Pulse NL\n"
+"Project-Id-Version: GemsTracker NL\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2012-04-03 17:15+0100\n"
+"POT-Creation-Date: 2012-04-05 14:09+0100\n"
 "PO-Revision-Date: \n"
 "Last-Translator: Matijs de Jong <mj...@ma...>\n"
 "Language-Team: Erasmus MGZ <mat...@ma...>\n"
@@ -1097,65 +1097,65 @@ msgstr "Geef uw email adres of gebruikersnaam op. " #: classes/Gems/Default/IndexAction.php:161 -msgid "We will then send you an e-mail with a link you can use to reset your password." -msgstr "Daarna sturen wij een een email met een link waarmee u uw wachtwoord kan vervangen." +msgid "We will then send you an e-mail with a link. The link will bring you to a page where you can set a new password of your choice." +msgstr "Vervolgens sturen wij u een email met een link. De link verwijst naar een pagina waar u een zelfgekozen wachtwoord in kan voeren." -#: classes/Gems/Default/IndexAction.php:165 +#: classes/Gems/Default/IndexAction.php:166 msgid "Execute password reset" msgstr "Vervang vergeten passwood" -#: classes/Gems/Default/IndexAction.php:166 +#: classes/Gems/Default/IndexAction.php:167 msgid "We received your password reset request." msgstr "We hebben uw verzoek voor een nieuw wachtwoord ontvangen." -#: classes/Gems/Default/IndexAction.php:169 +#: classes/Gems/Default/IndexAction.php:170 #, php-format msgid "Welcome to %s" msgstr "Welkom bij %s" -#: classes/Gems/Default/IndexAction.php:170 +#: classes/Gems/Default/IndexAction.php:171 msgid "Welcome to this website." msgstr "Welkom op deze website." -#: classes/Gems/Default/IndexAction.php:173 +#: classes/Gems/Default/IndexAction.php:174 msgid "Please enter your password of choice twice." msgstr "Geef twee keer een zelfgekozen wachtwoord op." -#: classes/Gems/Default/IndexAction.php:207 +#: classes/Gems/Default/IndexAction.php:212 msgid "Your password must be changed." msgstr "Uw wachtwoord moet veranderd worden." -#: classes/Gems/Default/IndexAction.php:219 +#: classes/Gems/Default/IndexAction.php:224 #, php-format msgid "Login successful, welcome %s." msgstr "Login in orde, welkom %s." -#: classes/Gems/Default/IndexAction.php:262 +#: classes/Gems/Default/IndexAction.php:267 #, php-format msgid "Good bye: %s." msgstr "Tot ziens: %s." 
-#: classes/Gems/Default/IndexAction.php:286 +#: classes/Gems/Default/IndexAction.php:291 msgid "Your password reset request is no longer valid, please request a new link." msgstr "Uw verzoek om een nieuw wachtwoord is niet meer geldig, maar u kan hieronder een nieuwe link aanvragen." -#: classes/Gems/Default/IndexAction.php:288 +#: classes/Gems/Default/IndexAction.php:293 msgid "Your password input request is no longer valid, please request a new link." msgstr "Uw link om een wachtwoord in te voeren is niet meer geldig, maar u kan hieronder een nieuwe link aanvragen." -#: classes/Gems/Default/IndexAction.php:307 +#: classes/Gems/Default/IndexAction.php:312 msgid "We sent you an e-mail with a reset link. Click on the link in the e-mail." msgstr "We hebben u een email met reset link gestuurd. Klik op de link in de email." -#: classes/Gems/Default/IndexAction.php:315 +#: classes/Gems/Default/IndexAction.php:320 msgid "New password is active." msgstr "Nieuwe wachtwoord geactiveerd." -#: classes/Gems/Default/IndexAction.php:335 +#: classes/Gems/Default/IndexAction.php:340 msgid "Password reset requested" msgstr "Wachtwoord reset aangevraagd" -#: classes/Gems/Default/IndexAction.php:336 +#: classes/Gems/Default/IndexAction.php:350 msgid "" "To set a new password for the [b]{organization}[/b] site [b]{project}[/b], please click on this link:\n" "{reset_url}" @@ -3633,11 +3633,11 @@ msgid "You are not allowed to login from this location." msgstr "U kunt vanaf deze locatie niet inloggen." -#: classes/Gems/User/User.php:1065 +#: classes/Gems/User/User.php:1066 msgid "Trying to send a password reset to a user that cannot be reset." msgstr "Het wachtwoord voor deze gebruiker kan niet gewijzigd worden." -#: classes/Gems/User/User.php:1092 +#: classes/Gems/User/User.php:1093 msgid "Unable to send e-mail." msgstr "Verzenden email mislukt." 
@@ -3810,59 +3810,59 @@ msgid "Mr./Mrs." msgstr "De heer/Mevrouw" -#: classes/MUtil/Date.php:217 +#: classes/MUtil/Date.php:219 #, php-format msgid "%s ago" msgstr "%s geleden" -#: classes/MUtil/Date.php:220 +#: classes/MUtil/Date.php:222 #, php-format msgid "%s to go" msgstr "over %s" -#: classes/MUtil/Date.php:231 +#: classes/MUtil/Date.php:233 msgid "second" msgid_plural "seconds" msgstr[0] "seconde" msgstr[1] "seconden" -#: classes/MUtil/Date.php:234 +#: classes/MUtil/Date.php:236 msgid "minute" msgid_plural "minutes" msgstr[0] "minuut" msgstr[1] "minuten" -#: classes/MUtil/Date.php:237 +#: classes/MUtil/Date.php:239 msgid "hour" msgid_plural "hours" msgstr[0] "uur" msgstr[1] "uur" -#: classes/MUtil/Date.php:240 +#: classes/MUtil/Date.php:242 msgid "day" msgid_plural "days" msgstr[0] "dag" msgstr[1] "dagen" -#: classes/MUtil/Date.php:243 +#: classes/MUtil/Date.php:245 msgid "week" msgid_plural "weeks" msgstr[0] "week" msgstr[1] "weken" -#: classes/MUtil/Date.php:246 +#: classes/MUtil/Date.php:248 msgid "month" msgid_plural "months" msgstr[0] "maand" msgstr[1] "maanden" -#: classes/MUtil/Date.php:249 +#: classes/MUtil/Date.php:251 msgid "year" msgid_plural "years" msgstr[0] "jaar" msgstr[1] "jaren" -#: classes/MUtil/Date.php:252 +#: classes/MUtil/Date.php:254 msgid "decade" msgid_plural "decades" msgstr[0] "decennium" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |