From 9202ff9beef9eb4d06b3bfbea1b098d33df5993d Mon Sep 17 00:00:00 2001 From: Geert Hauwaerts Date: Thu, 5 May 2011 14:54:12 +0000 Subject: [PATCH] - Added support in MySQL auth to prohibit users from modifying their password. git-svn-id: http://www.observium.org/svn/observer/trunk@2252 61d68cd4-352d-0410-923a-c4978735b2b8 --- database-update.sql | 1 + html/includes/authentication/mysql.inc.php | 19 +++++++++++++++---- html/pages/adduser.inc.php | 15 ++++++++++----- html/pages/preferences.inc.php | 2 +- 4 files changed, 27 insertions(+), 10 deletions(-) diff --git a/database-update.sql b/database-update.sql index e69de29bb..42c8261db 100644 --- a/database-update.sql +++ b/database-update.sql @@ -0,0 +1 @@ +ALTER TABLE users ADD can_modify_passwd TINYINT NOT NULL DEFAULT 1; diff --git a/html/includes/authentication/mysql.inc.php b/html/includes/authentication/mysql.inc.php index 08b379b8c..d605fac92 100644 --- a/html/includes/authentication/mysql.inc.php +++ b/html/includes/authentication/mysql.inc.php @@ -27,9 +27,20 @@ function authenticate($username,$password) return 0; } -function passwordscanchange() +function passwordscanchange($username="") { - return 1; + + + /* + * By default allow the password to be modified, unless the existing + * user is explicitly prohibited to do so. + */ + + if (empty($username) || !user_exists($username)) { + return 1; + } else { + return @mysql_result(mysql_query("SELECT can_modify_passwd FROM users WHERE username = '".mres($username)."'"),0); + } } /** @@ -65,12 +76,12 @@ function auth_usermanagement() return 1; } -function adduser($username, $password, $level, $email = "", $realname = "") +function adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd='1') { if (!user_exists($username)) { $encrypted = crypt($password,'$1$' . generateSalt(8).'$'); - mysql_query("INSERT INTO `users` (`username`,`password`,`level`, `email`, `realname`) VALUES ('".mres($username)."','".mres($encrypted)."','".mres($level)."','".mres($email)."','".mres($realname)."')"); + mysql_query("INSERT INTO `users` (`username`,`password`,`level`, `email`, `realname`, `can_modify_passwd`) VALUES ('".mres($username)."','".mres($encrypted)."','".mres($level)."','".mres($email)."','".mres($realname)."','".mres($can_modify_passwd)."')"); } return mysql_affected_rows(); diff --git a/html/pages/adduser.inc.php b/html/pages/adduser.inc.php index 67f605a64..cb3128d23 100644 --- a/html/pages/adduser.inc.php +++ b/html/pages/adduser.inc.php @@ -18,8 +18,15 @@ else { if (!user_exists($_POST['new_username'])) { + + if (isset($_POST['can_modify_passwd'])) { + $_POST['can_modify_passwd'] = 1; + } else { + $_POST['can_modify_passwd'] = 0; + } + # FIXME: missing email field here on the form - if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], '', $_POST['realname'])) + if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], '', $_POST['realname'], $_POST['can_modify_passwd'])) { echo("User " . $_POST['username'] . " added!"); } @@ -45,14 +52,12 @@ else echo("Please enter a password!
"); } echo("Realname
"); - ?> - -

"); - +
"); + echo(" Allow the user to change his password.

"); echo(" "); echo(""); } diff --git a/html/pages/preferences.inc.php b/html/pages/preferences.inc.php index 553a815fe..99bdbd371 100644 --- a/html/pages/preferences.inc.php +++ b/html/pages/preferences.inc.php @@ -32,7 +32,7 @@ echo(""); echo("
"); echo("
"); -if (passwordscanchange()) +if (passwordscanchange($_SESSION['username'])) { echo("
Change Password
"); echo($changepass_message);