[Bps-public-commit] rt-extension-resetpassword branch, new-user-create-password, created. 1.04-6-g40c25a0

Craig Kaiser craig at bestpractical.com
Wed Feb 26 10:46:28 EST 2020


The branch, new-user-create-password has been created
        at  40c25a0e3d5e3ccb8751cc34a7af194d97b46414 (commit)

- Log -----------------------------------------------------------------
commit 65b32fc519384ee8ad8fcbaa0070aabca4ad001a
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Thu Jan 9 11:42:11 2020 -0500

    Move token generation and password reset to lib method

diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 794c44c..5d33ecf 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -65,22 +65,7 @@ if ($ARGS{'Email'}) {
     my $u = RT::User->new($RT::SystemUser);
     $u->LoadByCols(EmailAddress => $ARGS{'Email'});
     if ($u->id and $u->HasPassword and not $u->Disabled) {
-        my $token = Digest::MD5->new()->add(
-            $u->id,
-            $u->__Value('Password'),
-            $RT::DatabasePassword,
-            $u->LastUpdated,
-            @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
-        )->hexdigest();
-
-        my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
-            To        => $u->EmailAddress,
-            Template  => 'PasswordReset',
-            Arguments => {
-                Token => $token,
-                User  => $u,
-            },
-        );
+        my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
 
         if ($status) {
             push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 1e96f02..ec583d8 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -5,6 +5,28 @@ use warnings;
 
 our $VERSION = '1.04';
 
+sub CreateTokenAndResetPassword {
+    my $user = shift;
+
+    my $token = Digest::MD5->new()->add(
+        $user->id,
+        $user->__Value('Password'),
+        $RT::DatabasePassword,
+        $user->LastUpdated,
+        @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
+    )->hexdigest();
+
+    my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
+        To        => $user->EmailAddress,
+        Template  => 'PasswordReset',
+        Arguments => {
+            Token => $token,
+            User  => $user,
+        },
+    );
+    return ($status, $msg);
+}
+
 =head1 NAME
 
 RT::Extension::ResetPassword - add "forgot your password?" link to RT instance

commit 095f7cc2fd90845e6d02cd8c36ab0b657b8e6315
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Tue Feb 18 17:02:58 2020 -0500

    Check that valid user object is passed to CreateTokenAndResetPassword

diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index ec583d8..0f32055 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -8,6 +8,11 @@ our $VERSION = '1.04';
 sub CreateTokenAndResetPassword {
     my $user = shift;
 
+    unless ( $user && $user->Id ) {
+        RT::Logger->error( "Need to provide a loaded RT::User object for CreateTokenAndResetPassword." );
+        return;
+    }
+
     my $token = Digest::MD5->new()->add(
         $user->id,
         $user->__Value('Password'),

commit 8e54d3ec07c1bf2178f7f5dfd9220ce3582f3759
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Thu Feb 13 15:13:22 2020 -0500

    Allow new users to create new user accounts and set password

diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate
new file mode 100644
index 0000000..e18855a
--- /dev/null
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate
@@ -0,0 +1,7 @@
+<%INIT>
+# Need to stash the arg as it is not passed to the modify page on redirect
+$session{'SendPasswordResetEmail'} = $ARGSRef->{'SendPasswordResetEmail'};
+</%INIT>
+<%ARGS>
+$ARGSRef
+</%ARGS>
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
new file mode 100644
index 0000000..0ae9094
--- /dev/null
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
@@ -0,0 +1,17 @@
+<%INIT>
+if ( ( $ARGS{'SendPasswordResetEmail'} || $session{'SendPasswordResetEmail'} ) && $User && $User->Id ) {
+    my ($ret, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($User);
+    if ( $ret ) {
+        push @{$Results}, 'Password reset email passed to new user';
+    }
+    else {
+        RT::Logger->error( "$msg" );
+    }
+}
+delete $session{'SendPasswordResetEmail'};
+</%INIT>
+<%ARGS>
+$Results
+$User
+$ARGSRef
+</%ARGS>
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index 3c99919..c332e14 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,2 +1,7 @@
 <br/><div id="lostpassword" style="align:left;clear:both;">
-<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html"><&|/l&>Forgot your password?</&></a></div>
+<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a></div>
+
+% if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
+  <div id="firstpassword" style="align:left;clear:both;">
+  <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a></div>
+% }
diff --git a/html/Elements/EditPassword b/html/Elements/EditPassword
new file mode 100644
index 0000000..3de003f
--- /dev/null
+++ b/html/Elements/EditPassword
@@ -0,0 +1,84 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2019 Best Practical Solutions, LLC
+%#                                          <sales at bestpractical.com>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<input value="1" <% $session{'SendPasswordResetEmail'} ? 'checked' : '' %> id="SendPasswordResetEmail" name="SendPasswordResetEmail" type="checkbox"></input>
+<label for="SendPasswordResetEmail"><&|/l&>Send new password email</&></label><br />
+
+% unless ( $cond{'CanSet'} ) {
+<% $cond{'Reason'} %><br />
+% } else {
+<table>
+
+% if ( $cond{'RequireCurrent'} ) {
+<tr>
+<td class="label"><&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[0] %>" size="16" autocomplete="off" /></td>
+</tr>
+% }
+
+<tr>
+<td class="label"><&|/l&>New password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[1] %>" size="16" autocomplete="off" /></td>
+</tr>
+
+<tr>
+<td class="label"><&|/l&>Retype Password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[2] %>" size="16" autocomplete="off" /></td>
+</tr>
+
+</table>
+% }
+
+<%ARGS>
+$User
+ at Name => qw(CurrentPass NewPass1 NewPass2)
+</%ARGS>
+<%INIT>
+
+my %cond = $User->CurrentUserRequireToSetPassword;
+
+</%INIT>
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 5d33ecf..1f3dd6e 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -64,26 +64,68 @@ my $title = loc("Reset your password");
 if ($ARGS{'Email'}) {
     my $u = RT::User->new($RT::SystemUser);
     $u->LoadByCols(EmailAddress => $ARGS{'Email'});
-    if ($u->id and $u->HasPassword and not $u->Disabled) {
+
+    if ($u->id and $u->HasPassword and $u->Privileged and !$u->Disabled) {
         my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
 
         if ($status) {
             push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
             RT->Logger->info("Password reset token send to " . $u->EmailAddress);
-        } else {
+        }
+        else {
             push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
             RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
         }
-    } elsif ($u->id and $u->Disabled) {
+    }
+    elsif ($u->id and $u->Disabled) {
         push @actions, loc("You can't reset your password because your user is disabled.");
         RT->Logger->warning("Disabled user " . $u->Name . " attempted to reset password");
-    } elsif ($u->id) {
-        push @actions, loc("You can't reset your password as you don't already have one.");
-        RT->Logger->warning("User " . $u->Name . " with no password attempted a password reset")
-    } else {
-        push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
-        RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
     }
+    elsif ($u->id) {
+        if ( RT::Config->Get('AllowUsersWithoutPassword') ) {
+            my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
+            if ($status) {
+                push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+                RT->Logger->info("Password reset token send to " . $u->EmailAddress);
+
+                $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
+                $refresh = 1;
+            } else {
+                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+                RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
+            }
+        }
+        else {
+            push @actions, loc("You can't reset your password as you aren't privileged.");
+            RT->Logger->warning("User " . $u->Name . " is not privileged and attempted a password reset");
+        }
+    }
+    else {
+        if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
+            my ($status, $msg) = $u->Create(
+                Privileged   => RT::Config->Get('CreateNewUserAsPrivileged') || 0,
+                EmailAddress => $ARGS{'Email'},
+            );
+            RT::Logger->error($msg) unless $status;
+
+            ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
+            if ($status) {
+                push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+                RT->Logger->info("Password reset token send to " . $u->EmailAddress);
+            }
+            else {
+                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+                RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
+            }
+            $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
+            $refresh = 1;
+        }
+        else {
+            push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
+            RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
+        }
+    }
+
     if(RT->Config->Get("HidePasswordResetErrors")) {
         pop @actions;
         push @actions, loc("RT has sent you an email message with instructions about how to reset your password");

commit 58edb7aa31531fc2980ccb2620e892e57c6e6e4c
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 19 10:09:05 2020 -0500

    Keep the behavior between finding a user and not the same

diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 1f3dd6e..96a382b 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -54,6 +54,7 @@
     <&|/l&>Email address</&>:<input name="Email" value="" />
     <input type="submit" class="button" value="<%loc('Send it!')%>" />
 </form>
+    <a href="<%$RT::WebURL|n%>"><&|/l&>Login</&></a>
 </div>
 
 <%INIT>
@@ -87,17 +88,15 @@ if ($ARGS{'Email'}) {
             if ($status) {
                 push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
                 RT->Logger->info("Password reset token send to " . $u->EmailAddress);
-
-                $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
-                $refresh = 1;
-            } else {
-                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+            }
+            else {
+                push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
                 RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
             }
         }
         else {
-            push @actions, loc("You can't reset your password as you aren't privileged.");
-            RT->Logger->warning("User " . $u->Name . " is not privileged and attempted a password reset");
+            push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
+            RT->Logger->warning("User " . $u->Name . " attempted to reset their password without having an existing password");
         }
     }
     else {
@@ -114,14 +113,12 @@ if ($ARGS{'Email'}) {
                 RT->Logger->info("Password reset token send to " . $u->EmailAddress);
             }
             else {
-                push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
+                push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
                 RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
             }
-            $m->notes->{RefreshURL} = RT->Config->Get('WebPath')."/";
-            $refresh = 1;
         }
         else {
-            push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
+            push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
             RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
         }
     }

commit 291ad0a6cb90a0360baa00fe4c2af18e9a7aa2d5
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 26 10:36:00 2020 -0500

    Center the password links on login page

diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index c332e14..cb192b7 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,7 +1,8 @@
-<br/><div id="lostpassword" style="align:left;clear:both;">
-<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a></div>
-
+% unless ( RT::Config->Get('DisableResetPasswordOnLogin') ) {
+<div id="lostpassword" class="input-row" style="text-align:right;clear:both;">
+  <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a>
+% }
 % if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
-  <div id="firstpassword" style="align:left;clear:both;">
-  <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a></div>
+  | <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a>
 % }
+</div>

commit 40c25a0e3d5e3ccb8751cc34a7af194d97b46414
Author: Craig Kaiser <craig at bestpractical.com>
Date:   Wed Feb 26 10:36:13 2020 -0500

    Update docs for new features
    
    $AllowUsersWithoutPassword
    $CreateNewUserAsPrivileged
    $CreateNewUserAndSetPassword
    $DisableResetPasswordOnLogin

diff --git a/README b/README
index 1b303c7..b897e01 100644
--- a/README
+++ b/README
@@ -59,6 +59,10 @@ UPGRADING
         { $ENV{'REMOTE_ADDR'} }
 
 CONFIGURATION
+    ** IMPORTANT ** Do not use this extension if you use any form of
+    external auth such as SAML, federated or OAUTH as RT does not have
+    access to reset a password.
+
     The contents of the email sent to users can be found in the global
     PasswordReset template (do not confuse this with the core PasswordChange
     template).
@@ -70,6 +74,46 @@ CONFIGURATION
     being sent, thus not revealing the reasons for any failure. All failures
     will still be logged with an appropriate diagnostic message.
 
+    For an RT open to the internet the most secure configuration is to use
+    the default configuration ( This means setting no config options from
+    below ). The default configuration only allows for existing users with
+    an existing password to reset their password.
+
+    If the rights schema for the RT is tight then it could be desirable to
+    allow users who have a user record in RT ( They have emailed RT before )
+    but no password to create a password for themselves by setting
+    $AllowUsersWithoutPassword to 1. This can allow for any user to access
+    the RT self service pages. This can be dangerous if the RT rights are
+    not set-up correctly as users could see data they should not be able to.
+
+    The $CreateNewUserAndSetPassword and $CreateNewUserAsPrivileged config
+    options should only be used when access to the RT web UI is limited to
+    trusted individuals. This usually means access to the web UI is
+    restricted by a company firewall so that only users on the company
+    network can access the UI and create new user records.
+
+    $AllowUsersWithoutPassword
+        Setting this config option to true will allow existing users who do
+        not have a password value to send themselves a reset password email
+        and set a password.
+
+    $CreateNewUserAsPrivileged
+        Set this config value to true if users creating a new account should
+        default to privileged users. WARNING Setting this to true can be
+        dangerous as it allows anyone to create a new priviledged user,
+        usually privlidged users are given rights to edit and see
+        information not desired to be public.
+
+    $CreateNewUserAndSetPassword
+        This configuration option determines if a nonexistant user can
+        create an new user record. WARNING see the note about the danger of
+        setting this to true and setting $CreateNewUserAsPrivileged to true
+        as well.
+
+    $DisableResetPasswordOnLogin
+        Set this config value to true if you do not want the "forgot
+        password" option to display on the login page.
+
 AUTHOR
     Best Practical Solutions, LLC <modules at bestpractical.com>
 
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 0f32055..aea432e 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -108,6 +108,10 @@ with this:
 
 =head1 CONFIGURATION
 
+** IMPORTANT **
+Do not use this extension if you use any form of external auth such as
+SAML, federated or OAUTH as RT does not have access to reset a password.
+
 The contents of the email sent to users can be found in the global
 PasswordReset template (do not confuse this with the core PasswordChange
 template).
@@ -119,6 +123,50 @@ appear to the requestor to have resulted in an email being sent, thus
 not revealing the reasons for any failure. All failures will still be
 logged with an appropriate diagnostic message.
 
+For an RT open to the internet the most secure configuration is to use the default
+configuration ( This means setting no config options from below ). The default
+configuration only allows for existing users with an existing password to reset
+their password.
+
+If the rights schema for the RT is tight then it could be desirable to allow users
+who have a user record in RT ( They have emailed RT before ) but no password to create
+a password for themselves by setting $AllowUsersWithoutPassword to 1. This can allow for
+any user to access the RT self service pages. This can be dangerous if the RT rights are
+not set-up correctly as users could see data they should not be able to.
+
+The $CreateNewUserAndSetPassword and $CreateNewUserAsPrivileged config options should only
+be used when access to the RT web UI is limited to trusted individuals. This usually means
+access to the web UI is restricted by a company firewall so that only users on the company
+network can access the UI and create new user records.
+
+=over 4
+
+=item C<$AllowUsersWithoutPassword>
+
+Setting this config option to true will allow existing users who do not have a password
+value to send themselves a reset password email and set a password.
+
+=item C<$CreateNewUserAsPrivileged>
+
+Set this config value to true if users creating a new account should default to privileged users.
+WARNING Setting this to true can be dangerous as it allows anyone to create a new priviledged user,
+usually privlidged users are given rights to edit and see information not desired to be public.
+
+
+=item C<$CreateNewUserAndSetPassword>
+
+This configuration option determines if a nonexistant user can create an new user record.
+WARNING see the note about the danger of setting this to true and setting C<$CreateNewUserAsPrivileged>
+to true as well.
+
+=item C<$DisableResetPasswordOnLogin>
+
+Set this config value to true if you do not want the "forgot password" option to display on the login
+page.
+
+=back
+=cut
+
 =head1 AUTHOR
 
 Best Practical Solutions, LLC E<lt>modules at bestpractical.comE<gt>

-----------------------------------------------------------------------


More information about the Bps-public-commit mailing list