[Rt-commit] rt branch, 5.0/disable-password-option-for-authtoken, created. rt-5.0.0-2-geada50f406

Aaron Trevena ast at bestpractical.com
Mon Aug 3 08:28:21 EDT 2020


The branch, 5.0/disable-password-option-for-authtoken has been created
        at  eada50f40613a7651bd1d315e091ee899e489fa5 (commit)

- Log -----------------------------------------------------------------
commit eada50f40613a7651bd1d315e091ee899e489fa5
Author: Aaron Trevena <ast at bestpractical.com>
Date:   Wed Jun 24 10:00:30 2020 +0100

    Add config option to disable password for auth tokens
    
    Added and documented a new configuration option that stops requiring the
    current password when creating a new auth token. This solves problems with
    requiring a password in a hybrid RT where both external and local accounts are used.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..b2aa8d51f0 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,6 +31,14 @@ your RT Apache configuration to allow RT to access the Authorization header.
 
     SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
 
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line
+in RT_SiteConfig.pm :
+
+   Set($DisablePasswordForAuthToken, 1);
+
+
 You can find more information about tokens in L<RT::Authen::Token>.
 
 =head1 External Authentication
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index a7301b3436..4868ce1485 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1476,8 +1476,19 @@ fail to exist in an external service; this is so requestors who
 are not in LDAP can still be created when they email in.
 See L<RT::Authen::ExternalAuth> for details.
 
+=item C<$DisablePasswordForAuthToken>
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line
+in RT_SiteConfig.pm. You can find more information about tokens
+in L<RT::Authen::Token>.
+
 =back
 
+=cut
+
+Set($DisablePasswordForAuthToken, 0);
+
 
 =head2 Initialdata Formats
 
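Review bot: The new `=item C<$DisablePasswordForAuthToken>` entry says "with the following line in RT_SiteConfig.pm" but no example line follows it, and it states neither the default nor the trade-off of turning the option on. I would close the paragraph with `Set($DisablePasswordForAuthToken, 1);` and add a sentence saying that when enabled, any logged-in web session can create an auth token without re-proving the password, so a hijacked or unattended session can mint a credential that outlives the session, and that it should stay at the default of 0 unless external authentication makes the password prompt unusable. The `Set($DisablePasswordForAuthToken, 0);` placed after `=cut` gives that default, but the prose should say so explicitly rather than leaving the reader to find it in the code.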
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 400dd5ac22..79e54f1ad1 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1290,6 +1290,12 @@ our %META;
         Widget    => '/Widgets/Form/Boolean',
     },
 
+    DisablePasswordForAuthToken => {
+        Immutable => 1,
+        Widget    => '/Widgets/Form/Boolean',
+    },
+
+
     ExternalSettings => {
         Immutable     => 1,
         Obfuscate => sub {
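Review bot: Two blank lines are added after the closing `},` of the new `DisablePasswordForAuthToken` entry, whereas the neighbouring `%META` entries are separated by one; drop one of them. Otherwise the entry mirrors the boolean option just above it (`Immutable => 1` plus the Boolean widget), which looks like the right shape for a setting that relaxes an authentication check, assuming Immutable keeps it out of the web-based config editor as the name suggests.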
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index ce7c78f679..b8bd1c52ac 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5001,15 +5001,20 @@ sub ProcessAuthToken {
     if ( $args_ref->{Create} ) {
 
         # Don't require password for systems with some form of federated auth
+        # or if configured to not require a password
         my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+        my $require_password = 1;
+        if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+            $require_password = 0;
+        }
 
         if ( !length( $args_ref->{Description} ) ) {
             push @results, loc("Description cannot be blank.");
         }
-        elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !length( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password.");
         }
-        elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password correctly.");
         }
         else {
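Review bot: The four-line `$require_password` computation is duplicated verbatim in share/html/Elements/AuthToken/Create, and this copy in ProcessAuthToken is the one that actually enforces the check (the template copy only decides whether the field is rendered), so the two must not drift; collapse it to `my $require_password = $res{'CanSet'} && !RT->Config->Get('DisablePasswordForAuthToken');` and ideally put it behind one helper, e.g. a method on the current user, that both callers use. The `or not` spelling also mixes the low-precedence flow-control operators into a value expression, which the collapsed form avoids. With the option on, creating a token requires no proof beyond an existing session, so if the `else` branch (outside this hunk) does not already log the creation with the user and description, adding that makes tokens minted from a hijacked session auditable. ProcessAuthToken starts before this hunk and continues past it.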
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
       <div class="modal-body">
         <form method="POST">
           <input type="hidden" name="Owner" value="<% $Owner %>">
-%         if ( $res{'CanSet'} ){
+%         if ( $require_password ){
           <div class="form-row">
             <div class="label col-4">
               <&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
 </div>
 
 <%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
 my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+   $require_password = 0;
+}
 </%INIT>
 
 <%ARGS>
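Review bot: This `<%INIT>` copy of the `$require_password` logic only controls whether the password field is rendered; the authoritative check is in ProcessAuthToken in lib/RT/Interface/Web.pm, where the same four lines appear, so a later change to one and not the other will either hide a field the server still demands or show one it ignores. Reduce it to `my $require_password = $res{'CanSet'} && !RT->Config->Get('DisablePasswordForAuthToken');` (or a shared helper both call) so the policy has a single definition. The `$require_password = 0;` line is also indented three spaces in a four-space file.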
