[Bps-public-commit] rt-extension-resetpassword branch, new-user-create-password, created. 1.04-5-g35488a2
Craig Kaiser
craig at bestpractical.com
Wed Feb 26 12:31:21 EST 2020
The branch, new-user-create-password has been created
at 35488a2932f8f9b9c629168ff6feb31915bb77ed (commit)
- Log -----------------------------------------------------------------
commit 65b32fc519384ee8ad8fcbaa0070aabca4ad001a
Author: Craig Kaiser <craig at bestpractical.com>
Date: Thu Jan 9 11:42:11 2020 -0500
Move token generation and password reset to lib method
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 794c44c..5d33ecf 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -65,22 +65,7 @@ if ($ARGS{'Email'}) {
my $u = RT::User->new($RT::SystemUser);
$u->LoadByCols(EmailAddress => $ARGS{'Email'});
if ($u->id and $u->HasPassword and not $u->Disabled) {
- my $token = Digest::MD5->new()->add(
- $u->id,
- $u->__Value('Password'),
- $RT::DatabasePassword,
- $u->LastUpdated,
- @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
- )->hexdigest();
-
- my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
- To => $u->EmailAddress,
- Template => 'PasswordReset',
- Arguments => {
- Token => $token,
- User => $u,
- },
- );
+ my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
if ($status) {
push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 1e96f02..ec583d8 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -5,6 +5,28 @@ use warnings;
our $VERSION = '1.04';
+sub CreateTokenAndResetPassword {
+ my $user = shift;
+
+ my $token = Digest::MD5->new()->add(
+ $user->id,
+ $user->__Value('Password'),
+ $RT::DatabasePassword,
+ $user->LastUpdated,
+ @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset'
+ )->hexdigest();
+
+ my ($status, $msg) = RT::Interface::Email::SendEmailUsingTemplate(
+ To => $user->EmailAddress,
+ Template => 'PasswordReset',
+ Arguments => {
+ Token => $token,
+ User => $user,
+ },
+ );
+ return ($status, $msg);
+}
+
=head1 NAME
RT::Extension::ResetPassword - add "forgot your password?" link to RT instance
commit 095f7cc2fd90845e6d02cd8c36ab0b657b8e6315
Author: Craig Kaiser <craig at bestpractical.com>
Date: Tue Feb 18 17:02:58 2020 -0500
Check that valid user object is passed to CreateTokenAndResetPassword
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index ec583d8..0f32055 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -8,6 +8,11 @@ our $VERSION = '1.04';
sub CreateTokenAndResetPassword {
my $user = shift;
+ unless ( $user && $user->Id ) {
+ RT::Logger->error( "Need to provide a loaded RT::User object for CreateTokenAndResetPassword." );
+ return;
+ }
+
my $token = Digest::MD5->new()->add(
$user->id,
$user->__Value('Password'),
commit 2f2dab292cfa626eb1d6c6b54225b9b520853210
Author: Craig Kaiser <craig at bestpractical.com>
Date: Thu Feb 13 15:13:22 2020 -0500
Allow new users to create new user accounts and set password
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate
new file mode 100644
index 0000000..e18855a
--- /dev/null
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeCreate
@@ -0,0 +1,7 @@
+<%INIT>
+# Need to stash the arg as it is not passed to the modify page on redirect
+$session{'SendPasswordResetEmail'} = $ARGSRef->{'SendPasswordResetEmail'};
+</%INIT>
+<%ARGS>
+$ARGSRef
+</%ARGS>
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
new file mode 100644
index 0000000..0ae9094
--- /dev/null
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
@@ -0,0 +1,17 @@
+<%INIT>
+if ( ( $ARGS{'SendPasswordResetEmail'} || $session{'SendPasswordResetEmail'} ) && $User && $User->Id ) {
+ my ($ret, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($User);
+ if ( $ret ) {
+ push @{$Results}, 'Password reset email passed to new user';
+ }
+ else {
+ RT::Logger->error( "$msg" );
+ }
+}
+delete $session{'SendPasswordResetEmail'};
+</%INIT>
+<%ARGS>
+$Results
+$User
+$ARGSRef
+</%ARGS>
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index 3c99919..c332e14 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,2 +1,7 @@
<br/><div id="lostpassword" style="align:left;clear:both;">
-<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html"><&|/l&>Forgot your password?</&></a></div>
+<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a></div>
+
+% if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
+ <div id="firstpassword" style="align:left;clear:both;">
+ <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a></div>
+% }
diff --git a/html/Elements/EditPassword b/html/Elements/EditPassword
new file mode 100644
index 0000000..3de003f
--- /dev/null
+++ b/html/Elements/EditPassword
@@ -0,0 +1,84 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2019 Best Practical Solutions, LLC
+%# <sales at bestpractical.com>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<input value="1" <% $session{'SendPasswordResetEmail'} ? 'checked' : '' %> id="SendPasswordResetEmail" name="SendPasswordResetEmail" type="checkbox"></input>
+<label for="SendPasswordResetEmail"><&|/l&>Send new password email</&></label><br />
+
+% unless ( $cond{'CanSet'} ) {
+<% $cond{'Reason'} %><br />
+% } else {
+<table>
+
+% if ( $cond{'RequireCurrent'} ) {
+<tr>
+<td class="label"><&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[0] %>" size="16" autocomplete="off" /></td>
+</tr>
+% }
+
+<tr>
+<td class="label"><&|/l&>New password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[1] %>" size="16" autocomplete="off" /></td>
+</tr>
+
+<tr>
+<td class="label"><&|/l&>Retype Password</&>:</td>
+<td class="value"><input type="password" name="<% $Name[2] %>" size="16" autocomplete="off" /></td>
+</tr>
+
+</table>
+% }
+
+<%ARGS>
+$User
+ at Name => qw(CurrentPass NewPass1 NewPass2)
+</%ARGS>
+<%INIT>
+
+my %cond = $User->CurrentUserRequireToSetPassword;
+
+</%INIT>
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index 5d33ecf..384c6a2 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -54,6 +54,7 @@
<&|/l&>Email address</&>:<input name="Email" value="" />
<input type="submit" class="button" value="<%loc('Send it!')%>" />
</form>
+ <a href="<%$RT::WebURL|n%>"><&|/l&>Login</&></a>
</div>
<%INIT>
@@ -64,26 +65,71 @@ my $title = loc("Reset your password");
if ($ARGS{'Email'}) {
my $u = RT::User->new($RT::SystemUser);
$u->LoadByCols(EmailAddress => $ARGS{'Email'});
- if ($u->id and $u->HasPassword and not $u->Disabled) {
+
+ # Do not allow password reset if this page is suppose to be hidden
+ return if RT->Config->Get('DisableResetPasswordOnLogin');
+
+ # If the user exists and has a password and is not disabled then they can always reset their password
+ if ($u->id and $u->HasPassword and !$u->Disabled) {
my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
if ($status) {
push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
RT->Logger->info("Password reset token send to " . $u->EmailAddress);
- } else {
+ }
+ else {
push @actions, loc("Failed to send password reset token, please contact your RT administrator.");
RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
}
- } elsif ($u->id and $u->Disabled) {
+ }
+ # Disabled users do not get to reset their passwords
+ elsif ($u->id and $u->Disabled) {
push @actions, loc("You can't reset your password because your user is disabled.");
RT->Logger->warning("Disabled user " . $u->Name . " attempted to reset password");
- } elsif ($u->id) {
- push @actions, loc("You can't reset your password as you don't already have one.");
- RT->Logger->warning("User " . $u->Name . " with no password attempted a password reset")
- } else {
- push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
- RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
}
+ # If the user exists but does not have a password value then we need to consult the config flag
+ elsif ($u->id) {
+ if ( RT::Config->Get('AllowUsersWithoutPassword') ) {
+ my ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
+ if ($status) {
+ push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+ RT->Logger->info("Password reset token send to " . $u->EmailAddress);
+ }
+ else {
+ push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
+ RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
+ }
+ }
+ else {
+ push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
+ RT->Logger->warning("User " . $u->Name . " attempted to reset their password without having an existing password");
+ }
+ }
+ # If the user does not exists check if users are allowed to be created via this page
+ else {
+ if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
+ my ($status, $msg) = $u->Create(
+ Privileged => RT::Config->Get('CreateNewUserAsPrivileged') || 0,
+ EmailAddress => $ARGS{'Email'},
+ );
+ RT::Logger->error($msg) unless $status;
+
+ ($status, $msg) = RT::Extension::ResetPassword::CreateTokenAndResetPassword($u);
+ if ($status) {
+ push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+ RT->Logger->info("Password reset token send to " . $u->EmailAddress);
+ }
+ else {
+ push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
+ RT->Logger->error("Failed to send password reset token to " . $u->EmailAddress . ": $msg");
+ }
+ }
+ else {
+ push @actions, loc("Unable to send new password email, contact your RT administrator for more assistance");
+ RT->Logger->warning("Password reset attempted for non-existent user " . $ARGS{'Email'});
+ }
+ }
+
if(RT->Config->Get("HidePasswordResetErrors")) {
pop @actions;
push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
commit d804c2bc4852e52b4c7b249a4b0a8dca49e81f88
Author: Craig Kaiser <craig at bestpractical.com>
Date: Wed Feb 26 10:36:00 2020 -0500
Center the password links on login page
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
index c332e14..cb192b7 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
+++ b/html/Callbacks/RT-Extension-ResetPassword/Elements/Login/Default
@@ -1,7 +1,8 @@
-<br/><div id="lostpassword" style="align:left;clear:both;">
-<a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a></div>
-
+% unless ( RT::Config->Get('DisableResetPasswordOnLogin') ) {
+<div id="lostpassword" class="input-row" style="text-align:right;clear:both;">
+ <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Reset your password</&>"><&|/l&>Forgot your password</&></a>
+% }
% if ( RT::Config->Get('CreateNewUserAndSetPassword') ) {
- <div id="firstpassword" style="align:left;clear:both;">
- <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a></div>
+ | <a href="<%$RT::WebPath%>/NoAuth/ResetPassword/Request.html?Title=<&|/l&>Create your password</&>"><&|/l&>New account</&></a>
% }
+</div>
commit 35488a2932f8f9b9c629168ff6feb31915bb77ed
Author: Craig Kaiser <craig at bestpractical.com>
Date: Wed Feb 26 10:36:13 2020 -0500
Update docs for new features
$AllowUsersWithoutPassword
$CreateNewUserAsPrivileged
$CreateNewUserAndSetPassword
$DisableResetPasswordOnLogin
diff --git a/README b/README
index 1b303c7..b897e01 100644
--- a/README
+++ b/README
@@ -59,6 +59,10 @@ UPGRADING
{ $ENV{'REMOTE_ADDR'} }
CONFIGURATION
+ ** IMPORTANT ** Do not use this extension if you use any form of
+ external auth such as SAML, federated or OAUTH as RT does not have
+ access to reset a password.
+
The contents of the email sent to users can be found in the global
PasswordReset template (do not confuse this with the core PasswordChange
template).
@@ -70,6 +74,46 @@ CONFIGURATION
being sent, thus not revealing the reasons for any failure. All failures
will still be logged with an appropriate diagnostic message.
+ For an RT open to the internet the most secure configuration is to use
+ the default configuration ( This means setting no config options from
+ below ). The default configuration only allows for existing users with
+ an existing password to reset their password.
+
+ If the rights schema for the RT is tight then it could be desirable to
+ allow users who have a user record in RT ( They have emailed RT before )
+ but no password to create a password for themselves by setting
+ $AllowUsersWithoutPassword to 1. This can allow for any user to access
+ the RT self service pages. This can be dangerous if the RT rights are
+ not set-up correctly as users could see data they should not be able to.
+
+ The $CreateNewUserAndSetPassword and $CreateNewUserAsPrivileged config
+ options should only be used when access to the RT web UI is limited to
+ trusted individuals. This usually means access to the web UI is
+ restricted by a company firewall so that only users on the company
+ network can access the UI and create new user records.
+
+ $AllowUsersWithoutPassword
+ Setting this config option to true will allow existing users who do
+ not have a password value to send themselves a reset password email
+ and set a password.
+
+ $CreateNewUserAsPrivileged
+ Set this config value to true if users creating a new account should
+ default to privileged users. WARNING Setting this to true can be
+ dangerous as it allows anyone to create a new priviledged user,
+ usually privlidged users are given rights to edit and see
+ information not desired to be public.
+
+ $CreateNewUserAndSetPassword
+ This configuration option determines if a nonexistant user can
+ create an new user record. WARNING see the note about the danger of
+ setting this to true and setting $CreateNewUserAsPrivileged to true
+ as well.
+
+ $DisableResetPasswordOnLogin
+ Set this config value to true if you do not want the "forgot
+ password" option to display on the login page.
+
AUTHOR
Best Practical Solutions, LLC <modules at bestpractical.com>
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 0f32055..aea432e 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -108,6 +108,10 @@ with this:
=head1 CONFIGURATION
+** IMPORTANT **
+Do not use this extension if you use any form of external auth such as
+SAML, federated or OAUTH as RT does not have access to reset a password.
+
The contents of the email sent to users can be found in the global
PasswordReset template (do not confuse this with the core PasswordChange
template).
@@ -119,6 +123,50 @@ appear to the requestor to have resulted in an email being sent, thus
not revealing the reasons for any failure. All failures will still be
logged with an appropriate diagnostic message.
+For an RT open to the internet the most secure configuration is to use the default
+configuration ( This means setting no config options from below ). The default
+configuration only allows for existing users with an existing password to reset
+their password.
+
+If the rights schema for the RT is tight then it could be desirable to allow users
+who have a user record in RT ( They have emailed RT before ) but no password to create
+a password for themselves by setting $AllowUsersWithoutPassword to 1. This can allow for
+any user to access the RT self service pages. This can be dangerous if the RT rights are
+not set-up correctly as users could see data they should not be able to.
+
+The $CreateNewUserAndSetPassword and $CreateNewUserAsPrivileged config options should only
+be used when access to the RT web UI is limited to trusted individuals. This usually means
+access to the web UI is restricted by a company firewall so that only users on the company
+network can access the UI and create new user records.
+
+=over 4
+
+=item C<$AllowUsersWithoutPassword>
+
+Setting this config option to true will allow existing users who do not have a password
+value to send themselves a reset password email and set a password.
+
+=item C<$CreateNewUserAsPrivileged>
+
+Set this config value to true if users creating a new account should default to privileged users.
+WARNING Setting this to true can be dangerous as it allows anyone to create a new priviledged user,
+usually privlidged users are given rights to edit and see information not desired to be public.
+
+
+=item C<$CreateNewUserAndSetPassword>
+
+This configuration option determines if a nonexistant user can create an new user record.
+WARNING see the note about the danger of setting this to true and setting C<$CreateNewUserAsPrivileged>
+to true as well.
+
+=item C<$DisableResetPasswordOnLogin>
+
+Set this config value to true if you do not want the "forgot password" option to display on the login
+page.
+
+=back
+=cut
+
=head1 AUTHOR
Best Practical Solutions, LLC E<lt>modules at bestpractical.comE<gt>
-----------------------------------------------------------------------
More information about the Bps-public-commit
mailing list