[Rt-commit] rt branch, 5.0/disable-password-option-for-authtoken, created. rt-5.0.0beta2-1-g264f3ddda7

Aaron Trevena ast at bestpractical.com
Wed Jun 24 05:05:25 EDT 2020


The branch, 5.0/disable-password-option-for-authtoken has been created
        at  264f3ddda79092bf030cd152db6d7fb473cfb602 (commit)

- Log -----------------------------------------------------------------
commit 264f3ddda79092bf030cd152db6d7fb473cfb602
Author: Aaron Trevena <ast at bestpractical.com>
Date:   Wed Jun 24 10:00:30 2020 +0100

    Add config option to disable password for auth tokens
    
    Added and documented a new configuration option that does not require a password
    when adding a new auth token; this solves problems with requiring a password
    in a hybrid RT where both external and local accounts are used.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..0f6f77baac 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,6 +31,14 @@ your RT Apache configuration to allow RT to access the Authorization header.
 
     SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
 
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create or edit tokens with the following line
+in /opt/rt4/etc/RT_SiteConfig.pm :
+
+   Set($DisablePasswordForAuthToken, 1);
+
+
 You can find more information about tokens in L<RT::Authen::Token>.
 
 =head1 External Authentication
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index ce7c78f679..b8bd1c52ac 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5001,15 +5001,20 @@ sub ProcessAuthToken {
     if ( $args_ref->{Create} ) {
 
         # Don't require password for systems with some form of federated auth
+        # or if configured to not require a password
         my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+        my $require_password = 1;
+        if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+            $require_password = 0;
+        }
 
         if ( !length( $args_ref->{Description} ) ) {
             push @results, loc("Description cannot be blank.");
         }
-        elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !length( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password.");
         }
-        elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password correctly.");
         }
         else {
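Review bot: Setting `$DisablePasswordForAuthToken` removes the only re-authentication step in the Create branch (the `$require_password` tests on the two `elsif` lines), so any live browser session — including one driven by XSS or left unattended — can mint a long-lived API token without proving the password again, and the option is global rather than scoped to the externally-authenticated users the commit description is about. A comment should state that where `$require_password` is computed, e.g. `# SECURITY: with DisablePasswordForAuthToken set, token creation relies solely on the session and CSRF checks; there is no step-up authentication`, and docs/authentication.pod should carry the same caveat. The commit adds no `etc/RT_Config.pm` entry for the option, so it is presumably unregistered; confirm that `RT->Config->Get('DisablePasswordForAuthToken')` returns undef silently rather than warning when the site config does not set it. `ProcessAuthToken` begins before and continues after this hunk.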
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
       <div class="modal-body">
         <form method="POST">
           <input type="hidden" name="Owner" value="<% $Owner %>">
-%         if ( $res{'CanSet'} ){
+%         if ( $require_password ){
           <div class="form-row">
             <div class="label col-4">
               <&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
 </div>
 
 <%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
 my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+   $require_password = 0;
+}
 </%INIT>
 
 <%ARGS>
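Review bot: The `$require_password` computation added to the `<%INIT>` block duplicates, line for line, the one added to `ProcessAuthToken` in lib/RT/Interface/Web.pm; if either copy drifts, the form can hide the password field while the handler still rejects the request with "Please enter your current password.", leaving the user no field to fill in. Factor the decision into one method on the user object, say `$session{'CurrentUser'}->RequirePasswordForAuthToken`, and call it from both places, or at minimum mark the coupling here with `# Keep in sync with ProcessAuthToken in RT::Interface::Web`. The `<%ARGS>` block continues outside the hunk.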

-----------------------------------------------------------------------

