[Bps-public-commit] rt-extension-resetpassword branch, new-user-create-password, created. 1.04-10-g6d93e79

Craig Kaiser craig at bestpractical.com
Wed Feb 19 17:15:51 EST 2020


The branch, new-user-create-password has been created
        at  6d93e79c53c310d49a1bd67bbc71ebeba64e1043 (commit)

- Log -----------------------------------------------------------------
commit 65b32fc519384ee8ad8fcbaa0070aabca4ad001a
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Thu Jan 9 11:42:11 2020 -0500

    Move token generation and password reset to lib method

diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 794c44c..5d33ecf 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -65,22 +65,7 @@ if ($ARGS{'Email'}) {
     my $u = RT::User->new($RT::SystemUser);
     $u->LoadByCols(EmailAddress => $ARGS{'Email'});
     if ($u->id and $u->HasPassword and not $u->Disabled) {
-        my $token = Digest::MD5->new()->add(
-            $u->id,
-            $u->__Value('Password'),
-            $RT::DatabasePassword,
-            $u->LastUpdated,
-            @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
-        )->hexdigest();
-
-        my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
-            To        => $u->EmailAddress,
-            Template  => 'PasswordReset',
-            Arguments => {
-                Token => $token,
-                User  => $u,
-            },
-        );
+        my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
 
         if ($status) {
             push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 1e96f02..ec583d8 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -5,6 +5,28 @@ use warnings;
 
 our $VERSION = '1.04';
 
+sub CreateTokenAndResetPassword {
+    my $user = shift;
+
+    my $token = Digest::MD5->new()->add(
+        $user->id,
+        $user->__Value('Password'),
+        $RT::DatabasePassword,
+        $user->LastUpdated,
+        @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
+    )->hexdigest();
+
+    my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
+        To        => $user->EmailAddress,
+        Template  => 'PasswordReset',
+        Arguments => {
+            Token => $token,
+            User  => $user,
+        },
+    );
+    return ($status, $msg);
+}
+
 =head1 NAME
 
 RT::Extension::ResetPassword - add "forgot your password?" link to RT instance

commit c5262cf3fd13f562d4df99d6aa73a816dd85ec42
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Tue Feb 18 17:02:36 2020 -0500

    Add documentation for config options for allowing a new user to create an account and password

diff --git a/README b/README
index 1b303c7..3867f6e 100644
--- a/README
+++ b/README
@@ -70,6 +70,18 @@ CONFIGURATION
     being sent, thus not revealing the reasons for any failure. All failures
     will still be logged with an appropriate diagnostic message.
 
+    $CreateNewUserAsPrivileged
+      Set this config value to true if users creating a new account should
+      default to privileged users. WARNING Setting this to true can be
+      dangerous as it allows anyone to create a new priviledged user,
+      usually privlidged users are given rights to edit and see information
+      not desired to be public.
+
+    $CreateNewUserAndSetPassword
+      This configuration option determines if a nonexistant user can create
+      an new user record. WARNING see the note about the danger of setting
+      this to true and setting $CreateNewUserAsPrivileged to true as well.
+
 AUTHOR
     Best Practical Solutions, LLC <modules at bestpractical.com>
 
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index ec583d8..b6016ea 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -114,6 +114,24 @@ appear to the requestor to have resulted in an email being sent, thus
 not revealing the reasons for any failure. All failures will still be
 logged with an appropriate diagnostic message.
 
+=over 2
+
+=item C<$CreateNewUserAsPrivileged>
+
+Set this config value to true if users creating a new account should default to privileged users.
+WARNING Setting this to true can be dangerous as it allows anyone to create a new priviledged user,
+usually privlidged users are given rights to edit and see information not desired to be public.
+
+
+=item C<$CreateNewUserAndSetPassword>
+
+This configuration option determines if a nonexistant user can create an new user record.
+WARNING see the note about the danger of setting this to true and setting C<$CreateNewUserAsPrivileged>
+to true as well.
+
+=back
+=cut
+
 =head1 AUTHOR
 
 Best Practical Solutions, LLC E<lt>modules at bestpractical.comE<gt>

commit a35354ed5087affef7b4b540f71f244e822f8111
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Tue Feb 18 17:02:58 2020 -0500

    Check that valid user object is passed to CreateTokenAndResetPassword

diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index b6016ea..c67b30a 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -8,6 +8,11 @@ our $VERSION = '1.04';
 sub CreateTokenAndResetPassword {
     my $user = shift;
 
+    unless ( $user && $user->Id ) {
+        RT::Logger->error( "Need to provide a loaded RT::User object for CreateTokenAndResetPassword." );
+        return;
+    }
+
     my $token = Digest::MD5->new()->add(
         $user->id,
         $user->__Value('Password'),

commit ee8b84d4bd835b4410752f89d48b9df81055fd33
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Thu Feb 13 15:13:22 2020 -0500

    Allow new users to create new user accounts and set password

diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index 3c99919..c332e14 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,2 +1,7 @@
 <br/><div id="lostpassword" style="align:left;clear:both;">
-<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html"><&|/l&>Forgot your password?</&></a></div>
+<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a></div>
+
+% if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
+  <div id="firstpassword" style="align:left;clear:both;">
+  <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a></div>
+% }
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 5d33ecf..b7a3e2f 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -64,26 +64,51 @@ my $title = loc("Reset your password");
 if ($ARGS{'Email'}) {
     my $u = RT::User->new($RT::SystemUser);
     $u->LoadByCols(EmailAddress => $ARGS{'Email'});
-    if ($u->id and $u->HasPassword and not $u->Disabled) {
+
+    if ($u->id and $u->HasPassword and $u->Privileged and !$u->Disabled) {
         my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
 
         if ($status) {
             push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
             RT->Logger->info("Password reset token send to " . $u->EmailAddress);
-        } else {
+        }
+        else {
             push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
             RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
         }
-    } elsif ($u->id and $u->Disabled) {
+    }
+    elsif ($u->id and $u->Disabled) {
         push @actions, loc("You can't reset your password because your user is disabled.");
         RT->Logger->warning("Disabled user " . $u->Name . " attempted to reset password");
-    } elsif ($u->id) {
-        push @actions, loc("You can't reset your password as you don't already have one.");
-        RT->Logger->warning("User " . $u->Name . " with no password attempted a password reset")
+    }
+    elsif ($u->id) {
+        push @actions, loc("You can't reset your password as you aren't privileged.");
+        RT->Logger->warning("User " . $u->Name . " with no password attempted a password reset");
     } else {
-        push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
-        RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
+        if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
+            my ($status, $msg) = $u->Create(
+                Privileged   => RT::Config->Get('CreateNewUserAsPrivileged') || 0,
+                EmailAddress => $ARGS{'Email'},
+            );
+            RT::Logger->error($msg) unless $status;
+
+            ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
+            if ($status) {
+                push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+                RT->Logger->info("Password reset token send to " . $u->EmailAddress);
+            } else {
+                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+                RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
+            }
+            $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
+            $refresh = 1;
+        }
+        else {
+            push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
+            RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
+        }
     }
+
     if(RT->Config->Get("HidePasswordResetErrors")) {
         pop @actions;
         push @actions, loc("RT has sent you an email message with instructions about how to reset your password");

commit e2e772f262c50428f3abf2c6810e769bf4c55f0c
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 19 12:14:18 2020 -0500

    Allow for an admin to send a password reset email
    
    Had to overlay html/Elements/EditPassword to place the send reset
    password email in a logical place on the page.

diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate
new file mode 100644
index 0000000..e18855a
--- /dev/null
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate
@@ -0,0 +1,7 @@
+<%INIT>
+# Need to stash the arg as it is not passed to the modify page on redirect
+$session{'SendPasswordResetEmail'} = $ARGSRef->{'SendPasswordResetEmail'};
+</%INIT>
+<%ARGS>
+$ARGSRef
+</%ARGS>
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
new file mode 100644
index 0000000..0ae9094
--- /dev/null
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
@@ -0,0 +1,17 @@
+<%INIT>
+if ( ( $ARGS{'SendPasswordResetEmail'} || $session{'SendPasswordResetEmail'} ) && $User && $User->Id ) {
+    my ($ret, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($User);
+    if ( $ret ) {
+        push @{$Results}, 'Password reset email passed to new user';
+    }
+    else {
+        RT::Logger->error( "$msg" );
+    }
+}
+delete $session{'SendPasswordResetEmail'};
+</%INIT>
+<%ARGS>
+$Results
+$User
+$ARGSRef
+</%ARGS>
diff --git a/html/Elements/EditPassword b/html/Elements/EditPassword
new file mode 100644
index 0000000..3de003f
--- /dev/null
+++ b/html/Elements/EditPassword
@@ -0,0 +1,84 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2019 Best Practical Solutions, LLC
+%#                                          <sales at bestpractical.com>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<input value="1" <% $session{'SendPasswordResetEmail'} ? 'checked' : '' %> id="SendPasswordResetEmail" name="SendPasswordResetEmail" type="checkbox"></input>
+<label for="SendPasswordResetEmail"><&|/l&>Send new password email</&></label><br />
+
+% unless ( $cond{'CanSet'} ) {
+<% $cond{'Reason'} %><br />
+% } else {
+<table>
+
+% if ( $cond{'RequireCurrent'} ) {
+<tr>
+<td class="label"><&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[0] %>" size="16" autocomplete="off" /></td>
+</tr>
+% }
+
+<tr>
+<td class="label"><&|/l&>New password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[1] %>" size="16" autocomplete="off" /></td>
+</tr>
+
+<tr>
+<td class="label"><&|/l&>Retype Password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[2] %>" size="16" autocomplete="off" /></td>
+</tr>
+
+</table>
+% }
+
+<%ARGS>
+$User
+ at Name => qw(CurrentPass NewPass1 NewPass2)
+</%ARGS>
+<%INIT>
+
+my %cond = $User->CurrentUserRequireToSetPassword;
+
+</%INIT>

commit 255c7bdf416bbbc12e9ce0f774a42d106dc3481b
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Tue Feb 18 17:23:47 2020 -0500

    Add AllowUsersWithoutPassword config option

diff --git a/README b/README
index 3867f6e..f1cf7cd 100644
--- a/README
+++ b/README
@@ -70,17 +70,22 @@ CONFIGURATION
     being sent, thus not revealing the reasons for any failure. All failures
     will still be logged with an appropriate diagnostic message.
 
+    $AllowUsersWithoutPassword
+       Setting this config option to true will allow existing users who do
+       not have a password value to send themselves a reset password email
+       and set a password.
+
     $CreateNewUserAsPrivileged
-      Set this config value to true if users creating a new account should
-      default to privileged users. WARNING Setting this to true can be
-      dangerous as it allows anyone to create a new priviledged user,
-      usually privlidged users are given rights to edit and see information
-      not desired to be public.
+       Set this config value to true if users creating a new account should
+       default to privileged users. WARNING Setting this to true can be
+       dangerous as it allows anyone to create a new priviledged user,
+       usually privlidged users are given rights to edit and see information
+       not desired to be public.
 
     $CreateNewUserAndSetPassword
-      This configuration option determines if a nonexistant user can create
-      an new user record. WARNING see the note about the danger of setting
-      this to true and setting $CreateNewUserAsPrivileged to true as well.
+       This configuration option determines if a nonexistant user can create
+       an new user record. WARNING see the note about the danger of setting
+       this to true and setting $CreateNewUserAsPrivileged to true as well.
 
 AUTHOR
     Best Practical Solutions, LLC <modules at bestpractical.com>
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index b7a3e2f..862908a 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -82,8 +82,23 @@ if ($ARGS{'Email'}) {
         RT->Logger->warning("Disabled user " . $u->Name . " attempted to reset password");
     }
     elsif ($u->id) {
-        push @actions, loc("You can't reset your password as you aren't privileged.");
-        RT->Logger->warning("User " . $u->Name . " with no password attempted a password reset");
+        if ( RT::Config->Get('AllowUsersWithoutPassword') ) {
+            my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
+            if ($status) {
+                push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+                RT->Logger->info("Password reset token send to " . $u->EmailAddress);
+
+                $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
+                $refresh = 1;
+            } else {
+                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+                RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
+            }
+        }
+        else {
+            push @actions, loc("You can't reset your password as you aren't privileged.");
+            RT->Logger->warning("User " . $u->Name . " is not privileged and attempted a password reset");
+        }
     } else {
         if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
             my ($status, $msg) = $u->Create(
@@ -96,7 +111,8 @@ if ($ARGS{'Email'}) {
             if ($status) {
                 push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
                 RT->Logger->info("Password reset token send to " . $u->EmailAddress);
-            } else {
+            }
+            else {
                 push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
                 RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
             }
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index c67b30a..c19f161 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -119,7 +119,12 @@ appear to the requestor to have resulted in an email being sent, thus
 not revealing the reasons for any failure. All failures will still be
 logged with an appropriate diagnostic message.
 
-=over 2
+=over 3
+
+=item C<$AllowUsersWithoutPassword>
+
+Setting this config option to true will allow existing users who do not have a password
+value to send themselves a reset password email and set a password.
 
 =item C<$CreateNewUserAsPrivileged>
 

commit 6364a796806c3f110cf944883d6c58cdb2c4a244
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 19 10:09:05 2020 -0500

    Keep the behavior between finding a user and not the same

diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 862908a..2613b03 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -54,6 +54,7 @@
     <&|/l&>Email address</&>:<input name="Email" value="" />
     <input type="submit" class="button" value="<%loc('Send it!')%>" />
 </form>
+    <a href="<%$RT::WebURL|n%>"><&|/l&>Login</&></a>
 </div>
 
 <%INIT>
@@ -87,17 +88,15 @@ if ($ARGS{'Email'}) {
             if ($status) {
                 push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
                 RT->Logger->info("Password reset token send to " . $u->EmailAddress);
-
-                $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
-                $refresh = 1;
-            } else {
-                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+            }
+            else {
+                push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
                 RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
             }
         }
         else {
-            push @actions, loc("You can't reset your password as you aren't privileged.");
-            RT->Logger->warning("User " . $u->Name . " is not privileged and attempted a password reset");
+            push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
+            RT->Logger->warning("User " . $u->Name . " attempted to reset their password without having an existing password");
         }
     } else {
         if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
@@ -113,14 +112,12 @@ if ($ARGS{'Email'}) {
                 RT->Logger->info("Password reset token send to " . $u->EmailAddress);
             }
             else {
-                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+                push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
                 RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
             }
-            $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
-            $refresh = 1;
         }
         else {
-            push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
+            push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
             RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
         }
     }

commit ff0430b9e1850e0ca0894d3ca930b8bad7ad1a3e
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 19 10:29:40 2020 -0500

    Center the password links on login page

diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index c332e14..095866f 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,7 +1,6 @@
-<br/><div id="lostpassword" style="align:left;clear:both;">
-<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a></div>
-
+<div id="lostpassword" class="input-row" style="text-align:right;clear:both;">
+  <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a>
 % if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
-  <div id="firstpassword" style="align:left;clear:both;">
-  <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a></div>
+  | <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a>
 % }
+</div>

commit 06e213c5bfe720b95c8ac77041cf06a155d32c1a
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 19 10:43:50 2020 -0500

    Fix curly brackets to not be inline

diff --git a/README b/README
index f1cf7cd..585822b 100644
--- a/README
+++ b/README
@@ -71,21 +71,26 @@ CONFIGURATION
     will still be logged with an appropriate diagnostic message.
 
     $AllowUsersWithoutPassword
-       Setting this config option to true will allow existing users who do
-       not have a password value to send themselves a reset password email
-       and set a password.
+        Setting this config option to true will allow existing users who do
+        not have a password value to send themselves a reset password email
+        and set a password.
 
     $CreateNewUserAsPrivileged
-       Set this config value to true if users creating a new account should
-       default to privileged users. WARNING Setting this to true can be
-       dangerous as it allows anyone to create a new priviledged user,
-       usually privlidged users are given rights to edit and see information
-       not desired to be public.
+        Set this config value to true if users creating a new account should
+        default to privileged users. WARNING Setting this to true can be
+        dangerous as it allows anyone to create a new priviledged user,
+        usually privlidged users are given rights to edit and see
+        information not desired to be public.
 
     $CreateNewUserAndSetPassword
-       This configuration option determines if a nonexistant user can create
-       an new user record. WARNING see the note about the danger of setting
-       this to true and setting $CreateNewUserAsPrivileged to true as well.
+        This configuration option determines if a nonexistant user can
+        create an new user record. WARNING see the note about the danger of
+        setting this to true and setting $CreateNewUserAsPrivileged to true
+        as well.
+
+    $DisableResetPasswordOnLogin
+        Set this config value to true if you do not want the "forgot
+        password" option to display on the login page.
 
 AUTHOR
     Best Practical Solutions, LLC <modules at bestpractical.com>
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index 095866f..cb192b7 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,5 +1,7 @@
+% unless ( RT::Config->Get('DisableResetPasswordOnLogin') ) {
 <div id="lostpassword" class="input-row" style="text-align:right;clear:both;">
   <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a>
+% }
 % if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
   | <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a>
 % }
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 2613b03..96a382b 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -98,7 +98,8 @@ if ($ARGS{'Email'}) {
             push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
             RT->Logger->warning("User " . $u->Name . " attempted to reset their password without having an existing password");
         }
-    } else {
+    }
+    else {
         if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
             my ($status, $msg) = $u->Create(
                 Privileged   => RT::Config->Get('CreateNewUserAsPrivileged') || 0,
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index c19f161..2e969fc 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -119,7 +119,7 @@ appear to the requestor to have resulted in an email being sent, thus
 not revealing the reasons for any failure. All failures will still be
 logged with an appropriate diagnostic message.
 
-=over 3
+=over 4
 
 =item C<$AllowUsersWithoutPassword>
 
@@ -139,6 +139,11 @@ This configuration option determines if a nonexistant user can create an new use
 WARNING see the note about the danger of setting this to true and setting C<$CreateNewUserAsPrivileged>
 to true as well.
 
+=item C<$DisableResetPasswordOnLogin>
+
+Set this config value to true if you do not want the "forgot password" option to display on the login
+page.
+
 =back
 =cut
 

commit 6d93e79c53c310d49a1bd67bbc71ebeba64e1043
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 19 17:10:00 2020 -0500

    Update README with example scenarios for config options

diff --git a/README b/README
index 585822b..b897e01 100644
--- a/README
+++ b/README
@@ -59,6 +59,10 @@ UPGRADING
         { $ENV{'REMOTE_ADDR'} }
 
 CONFIGURATION
+    ** IMPORTANT ** Do not use this extension if you use any form of
+    external auth such as SAML, federated or OAUTH as RT does not have
+    access to reset a password.
+
     The contents of the email sent to users can be found in the global
     PasswordReset template (do not confuse this with the core PasswordChange
     template).
@@ -70,6 +74,24 @@ CONFIGURATION
     being sent, thus not revealing the reasons for any failure. All failures
     will still be logged with an appropriate diagnostic message.
 
+    For an RT open to the internet the most secure configuration is to use
+    the default configuration ( This means setting no config options from
+    below ). The default configuration only allows for existing users with
+    an existing password to reset their password.
+
+    If the rights schema for the RT is tight then it could be desirable to
+    allow users who have a user record in RT ( They have emailed RT before )
+    but no password to create a password for themselves by setting
+    $AllowUsersWithoutPassword to 1. This can allow for any user to access
+    the RT self service pages. This can be dangerous if the RT rights are
+    not set-up correctly as users could see data they should not be able to.
+
+    The $CreateNewUserAndSetPassword and $CreateNewUserAsPrivileged config
+    options should only be used when access to the RT web UI is limited to
+    trusted individuals. This usually means access to the web UI is
+    restricted by a company firewall so that only users on the company
+    network can access the UI and create new user records.
+
     $AllowUsersWithoutPassword
         Setting this config option to true will allow existing users who do
         not have a password value to send themselves a reset password email
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 2e969fc..aea432e 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -108,6 +108,10 @@ with this:
 
 =head1 CONFIGURATION
 
+** IMPORTANT **
+Do not use this extension if you use any form of external auth such as
+SAML, federated or OAUTH as RT does not have access to reset a password.
+
 The contents of the email sent to users can be found in the global
 PasswordReset template (do not confuse this with the core PasswordChange
 template).
@@ -119,6 +123,22 @@ appear to the requestor to have resulted in an email being sent, thus
 not revealing the reasons for any failure. All failures will still be
 logged with an appropriate diagnostic message.
 
+For an RT open to the internet the most secure configuration is to use the default
+configuration ( This means setting no config options from below ). The default
+configuration only allows for existing users with an existing password to reset
+their password.
+
+If the rights schema for the RT is tight then it could be desirable to allow users
+who have a user record in RT ( They have emailed RT before ) but no password to create
+a password for themselves by setting $AllowUsersWithoutPassword to 1. This can allow for
+any user to access the RT self service pages. This can be dangerous if the RT rights are
+not set-up correctly as users could see data they should not be able to.
+
+The $CreateNewUserAndSetPassword and $CreateNewUserAsPrivileged config options should only
+be used when access to the RT web UI is limited to trusted individuals. This usually means
+access to the web UI is restricted by a company firewall so that only users on the company
+network can access the UI and create new user records.
+
 =over 4
 
 =item C<$AllowUsersWithoutPassword>

-----------------------------------------------------------------------


More information about the Bps-public-commit mailing list