[Bps-public-commit] rt-extension-resetpassword branch, show-password-status, created. 1.09-2-g75c8a39

Jim Brandt jbrandt at bestpractical.com
Mon Mar 1 16:33:21 EST 2021


The branch, show-password-status has been created
        at  75c8a39a95b919e5b5d1c7a72bd05e4cf0d82677 (commit)

- Log -----------------------------------------------------------------
commit f02d83831a14c67dee17ff3ac196e6ebe7547ae5
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Mon Mar 1 15:49:26 2021 -0500

    Provide a way to delete a user's password
    
    RT's default password controls always require a new value
    once a password has been set, so there is no way to clear
    a password once set.
    
    Provide a way to do this since ResetPassword has an option to
    allow or deny password resets based on a password already
    being set.

diff --git a/README b/README
index 8418396..dd44569 100644
--- a/README
+++ b/README
@@ -99,6 +99,14 @@ CONFIGURATION
         not have a password value to send themselves a reset password email
         and set a password.
 
+        Setting this to false (0) requires a user to already have a password
+        to use the reset feature. This is useful for managing access and not
+        automatically allowing new accounts to get a password.
+
+        This extension adds a "Delete password" option to the user admin
+        page to allow you to clear passwords if a user should no longer have
+        access.
+
     $CreateNewUserAsPrivileged
         Set this config value to true if users creating a new account should
         default to privileged users.
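Review bot: The added README sentence "allow you to clear passwords if a user should no longer have access" promises more than the change delivers. The code in this commit only blanks the Password field; nothing in the patch disables the account or ends a session the user already has open. Suggest saying that clearing the password stops password login and, with this option set to 0, self-service reset, and that revoking access still means disabling the user.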
diff --git a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
index b1ff0b2..193dda9 100644
--- a/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
+++ b/html/Callbacks/RT-Extension-ResetPassword/Admin/Users/Modify.html/BeforeUpdate
@@ -18,6 +18,20 @@ if ( ( $ARGS{'SendPasswordResetEmail'} || $session{'SendPasswordResetEmail'} ) &
     }
 }
 delete $session{'SendPasswordResetEmail'};
+
+# Handle DeleteUserPassword
+if ( $ARGS{'DeleteUserPassword'} ) {
+    my ($ret, $msg) = $User->UnsetPassword();
+    if ( $ret ) {
+        push @{$Results}, $msg;
+    }
+    else {
+        push @{$Results}, 'Unable to delete password';
+        RT::Logger->error( "$msg" );
+    }
+}
+
+
 </%INIT>
 <%ARGS>
 $Results
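Review bot: In the failure branch, `push @{$Results}, 'Unable to delete password';` skips localization while the success message arrives already passed through loc, and `RT::Logger->error( "$msg" )` records neither which user was targeted nor who requested the change. Wrap the string in loc() and log the target user's id alongside $msg (the quotes around $msg are unnecessary). The SendPasswordResetEmail handling sits directly above, so when both boxes are ticked a reset email is processed and the password is then cleared in the same request; decide whether that combination should be rejected. The two consecutive blank lines before </%INIT> can go.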
diff --git a/html/Elements/EditPassword b/html/Elements/EditPassword
index aa408f0..6899713 100644
--- a/html/Elements/EditPassword
+++ b/html/Elements/EditPassword
@@ -54,6 +54,14 @@
       </div>
     </div>
   </div>
+  <div class="form-row">
+    <div class="col-12">
+      <div class="custom-control custom-checkbox">
+        <input value="1" <% $session{'DeleteUserPassword'} ? 'checked' : '' %> class="custom-control-input checkbox" id="DeleteUserPassword" name="DeleteUserPassword" type="checkbox" />
+        <label class="custom-control-label" for="DeleteUserPassword"><&|/l&>Delete password (User will have no password set)</&></label>
+      </div>
+    </div>
+  </div>
 
 % unless ( $cond{'CanSet'} ) {
 <% $cond{'Reason'} %><br />
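Review bot: The new checkbox takes its checked state from `$session{'DeleteUserPassword'}`, but nothing in this commit sets or deletes that session key; the BeforeUpdate callback reads only `$ARGS{'DeleteUserPassword'}`. This looks copied from the SendPasswordResetEmail input. For a destructive option, drop the session lookup so the box always renders unchecked, or set and delete the key the way `delete $session{'SendPasswordResetEmail'}` does. The row also appears before the `unless ( $cond{'CanSet'} )` test, so consider whether it should be shown when the current user cannot change the password.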
@@ -92,6 +100,8 @@
 % else {
 <input value="1" <% $session{'SendPasswordResetEmail'} ? 'checked' : '' %> id="SendPasswordResetEmail" name="SendPasswordResetEmail" type="checkbox"></input>
 <label for="SendPasswordResetEmail"><&|/l&>Send new password email</&></label><br />
+<input value="1" <% $session{'DeleteUserPassword'} ? 'checked' : '' %> class="custom-control-input checkbox" id="DeleteUserPassword" name="DeleteUserPassword" type="checkbox" />
+<label class="custom-control-label" for="DeleteUserPassword"><&|/l&>Delete password (User will have no password set)</&></label>
 
 % unless ( $cond{'CanSet'} ) {
 <% $cond{'Reason'} %><br />
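Review bot: In this else branch the added input and label carry the classes custom-control-input and custom-control-label without the custom-control wrapper div used in the first hunk, while the SendPasswordResetEmail input directly above has no classes and ends its label with <br />. Match the neighbouring markup (no classes, trailing <br />) so the checkbox renders and spaces like the one above it. The `$session{'DeleteUserPassword'}` lookup has the same problem here as in the first hunk.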
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 01f712a..1ad7522 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -55,6 +55,35 @@ sub CreateTokenAndResetPassword {
     return ($status, $msg);
 }
 
+
+# Add to RT::User for possible addition to core RT in the future.
+
+package RT::User;
+
+# Set the password for this user back to no value. This is useful for
+# features like ResetPassword that might use the existence of a password
+# to determine if a user should be allowed to reset. Also possibly useful
+# for clearing old passwords after switching to different authentication
+# for RT.
+
+sub UnsetPassword {
+    my $self     = shift;
+
+    unless ( $self->CurrentUserCanModify('Password') ) {
+        return ( 0, $self->loc('Password: Permission Denied') );
+    }
+
+    my ( $val, $msg ) = $self->_Set(Field => 'Password', Value => '');
+    if ($val) {
+        return ( 1, $self->loc("Password unset") );
+    }
+    else {
+        return ( $val, $msg );
+    }
+}
+
+package RT::Extension::ResetPassword;
+
 =head1 NAME
 
 RT::Extension::ResetPassword - add "forgot your password?" link to RT instance
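Review bot: `package RT::User;` followed by `sub UnsetPassword` installs the method unconditionally, and the comment above it anticipates the same method landing in core RT. If that happens, whichever definition loads last wins; guard the definition, for example by installing it only when RT::User->can('UnsetPassword') is false. The method is described only in # comments, so it will not appear in the POD; a =head2 entry stating the return values and the right that is checked would help. Minor: the extra spaces in `my $self     = shift;`.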
@@ -173,6 +202,14 @@ Setting this config option to true will allow existing users who do
 not have a password value to send themselves a reset password email
 and set a password.
 
+Setting this to false (0) requires a user to already have a password
+to use the reset feature. This is useful for managing access and
+not automatically allowing new accounts to get a password.
+
+This extension adds a "Delete password" option to the user admin
+page to allow you to clear passwords if a user should no longer have
+access.
+
 =item C<$CreateNewUserAsPrivileged>
 
 Set this config value to true if users creating a new account should

commit 75c8a39a95b919e5b5d1c7a72bd05e4cf0d82677
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Mon Mar 1 16:32:09 2021 -0500

    Display password status on the user admin page
    
    Without this display, there is no way for an RT admin
    to tell whether a user currently has a password set
    and might therefore be able to use the password reset
    feature to get access to RT.

diff --git a/README b/README
index dd44569..a8a2d7c 100644
--- a/README
+++ b/README
@@ -103,9 +103,10 @@ CONFIGURATION
         to use the reset feature. This is useful for managing access and not
         automatically allowing new accounts to get a password.
 
-        This extension adds a "Delete password" option to the user admin
-        page to allow you to clear passwords if a user should no longer have
-        access.
+        This extension adds a "Password Status" at the bottom of the Access
+        control section on the user admin page which shows whether the user
+        currently has a password set. The "Delete password" option allows
+        you to clear passwords if a user should no longer have access.
 
     $CreateNewUserAsPrivileged
         Set this config value to true if users creating a new account should
diff --git a/html/Elements/EditPassword b/html/Elements/EditPassword
index 6899713..b881d23 100644
--- a/html/Elements/EditPassword
+++ b/html/Elements/EditPassword
@@ -95,6 +95,14 @@
       <input type="password" class="form-control" name="<% $Name[2] %>" size="16" autocomplete="off" />
     </div>
   </div>
+  <div class="form-row">
+    <div class="label col-3">
+      <&|/l&>Password Status</&>:
+    </div>
+    <div class="value col-9 password-status-value">
+      <% $password_status %>
+    </div>
+  </div>
 % }
 % }
 % else {
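Review bot: The Password Status row is inserted before the two closing `% }` lines, so it renders only when both enclosing conditions hold. The commit message says an admin otherwise has no way to tell whether a password is set; if one of those conditions is the ability to set a password, an admin without it still sees nothing. Consider moving the row outside the conditional blocks, or confirm the placement is intended.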
@@ -125,6 +133,11 @@
 <td class="value"><input type="password" name="<% $Name[2] %>" size="16" autocomplete="off" /></td>
 </tr>
 
+<tr>
+<td class="label"><&|/l&>Password Status</&>:</td>
+<td class="value"><% $password_status %></td>
+</tr>
+
 </table>
 % }
 % }
@@ -136,4 +149,12 @@ $User
 
 my %cond = $User->CurrentUserRequireToSetPassword;
 
+# Does this user currently have a password?
+my $password_status;
+if ( $User->HasPassword ) {
+    $password_status = $User->loc('Password is set');
+}
+else {
+    $password_status = $User->loc('No password set');
+}
 </%INIT>
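Review bot: `$User->HasPassword` is the only signal behind the displayed status, and the previous commit's UnsetPassword clears the password by writing `Value => ''`. Neither commit includes a test that HasPassword returns false after UnsetPassword; add one, since a status that disagrees with what the reset check sees defeats the purpose of this display. The if/else could also be a single ternary assignment.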
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 1ad7522..3c45359 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -206,9 +206,10 @@ Setting this to false (0) requires a user to already have a password
 to use the reset feature. This is useful for managing access and
 not automatically allowing new accounts to get a password.
 
-This extension adds a "Delete password" option to the user admin
-page to allow you to clear passwords if a user should no longer have
-access.
+This extension adds a "Password Status" at the bottom of the Access control
+section on the user admin page which shows whether the user currently
+has a password set. The "Delete password" option allows you to clear
+passwords if a user should no longer have access.
 
 =item C<$CreateNewUserAsPrivileged>
 
diff --git a/static/css/resetpassword.css b/static/css/resetpassword.css
index ceb6c0a..6591973 100644
--- a/static/css/resetpassword.css
+++ b/static/css/resetpassword.css
@@ -29,3 +29,10 @@ body.elevator-dark .login-body div.form-row a.btn-primary {
     border-color: #717171 !important;
     color: #ededed !important;
 }
+
+/* The password status isn't a form input, so it doesn't pick
+   up the style from forms.css in RT which sets this top padding. */
+
+.password-status-value {
+    padding-top: 5px;
+}

-----------------------------------------------------------------------

