chg: Made the current password confirmation requirement for any user profile edits optional
- default setting is having it off - incredibly frustrating feature is now only enabled on demandpull/2412/head
parent
2e79d3f0f9
commit
cfcaf0d410
|
@ -86,16 +86,18 @@ class UsersController extends AppController {
|
|||
if ($this->request->is('post') || $this->request->is('put')) {
|
||||
$abortPost = false;
|
||||
if (!$this->_isRest()) {
|
||||
if (!empty($this->request->data['User']['current_password'])) {
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
|
||||
if (!$hashed) {
|
||||
if (Configure::read('Security.require_password_confirmation')) {
|
||||
if (!empty($this->request->data['User']['current_password'])) {
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
|
||||
if (!$hashed) {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
|
||||
}
|
||||
unset($this->request->data['User']['current_password']);
|
||||
} else {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
|
||||
$this->Session->setFlash('Please enter your current password to continue.');
|
||||
}
|
||||
unset($this->request->data['User']['current_password']);
|
||||
} else {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Please enter your current password to continue.');
|
||||
}
|
||||
}
|
||||
if (!$abortPost) {
|
||||
|
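Review bot: The `unset($this->request->data['User']['current_password']);` now only runs inside the `Security.require_password_confirmation` branch, so when the setting is off a `current_password` key submitted with the form survives in `$this->request->data['User']` into the save path below the hunk; whether it is dropped there depends on the field whitelist that follows (only its comment is visible, in the @ -132 hunk). Placing `unset($this->request->data['User']['current_password']);` right after the closing brace of the `if (Configure::read('Security.require_password_confirmation'))` block keeps the previous behaviour regardless of the setting. The same applies to the @ -132 and @ -546 hunks. Note also that the @ -132 hunk runs the check without the `!$this->_isRest()` guard the other two have, so API clients are subject to the confirmation there when the setting is enabled — pre-existing, but worth stating in the setting description. The enclosing action method starts and ends outside the hunk.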
@ -132,16 +134,18 @@ class UsersController extends AppController {
|
|||
));
|
||||
if ($this->request->is('post') || $this->request->is('put')) {
|
||||
$abortPost = false;
|
||||
if (!empty($this->request->data['User']['current_password'])) {
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
|
||||
if (!$hashed) {
|
||||
if (Configure::read('Security.require_password_confirmation')) {
|
||||
if (!empty($this->request->data['User']['current_password'])) {
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
|
||||
if (!$hashed) {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
|
||||
}
|
||||
unset($this->request->data['User']['current_password']);
|
||||
} else {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
|
||||
$this->Session->setFlash('Please enter your current password to continue.');
|
||||
}
|
||||
unset($this->request->data['User']['current_password']);
|
||||
} else {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Please enter your current password to continue.');
|
||||
}
|
||||
if (!$abortPost) {
|
||||
// What fields should be saved (allowed to be saved)
|
||||
|
@ -538,7 +542,6 @@ class UsersController extends AppController {
|
|||
}
|
||||
$roles = $this->User->Role->find('list', $params);
|
||||
$syncRoles = $this->User->Role->find('list', array('conditions' => array('perm_sync' => 1), 'recursive' => -1));
|
||||
|
||||
$this->set('currentId', $id);
|
||||
if ($this->request->is('post') || $this->request->is('put')) {
|
||||
if (!isset($this->request->data['User'])) {
|
||||
|
@ -546,16 +549,19 @@ class UsersController extends AppController {
|
|||
}
|
||||
$abortPost = false;
|
||||
if (!$this->_isRest()) {
|
||||
if (!empty($this->request->data['User']['current_password'])) {
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
|
||||
if (!$hashed) {
|
||||
if (Configure::read('Security.require_password_confirmation')) {
|
||||
|
||||
if (!empty($this->request->data['User']['current_password'])) {
|
||||
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
|
||||
if (!$hashed) {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
|
||||
}
|
||||
unset($this->request->data['User']['current_password']);
|
||||
} else {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
|
||||
$this->Session->setFlash('Please enter your current password to continue.');
|
||||
}
|
||||
unset($this->request->data['User']['current_password']);
|
||||
} else {
|
||||
$abortPost = true;
|
||||
$this->Session->setFlash('Please enter your current password to continue.');
|
||||
}
|
||||
}
|
||||
if (!$abortPost) {
|
||||
|
|
|
@ -951,6 +951,15 @@ class Server extends AppModel {
|
|||
'test' => 'testPasswordRegex',
|
||||
'type' => 'string',
|
||||
),
|
||||
'require_password_confirmation' => array(
|
||||
'level' => 1,
|
||||
'description' => 'Enabling this setting will require users to submit their current password on any edits to their profile (including a triggered password change). For administrators, the confirmation will be required when changing the profile of any user. Could potentially mitigate an attacker trying to change a compromised user\'s password in order to establish persistance, however, enabling this feature will be highly annoying to users.',
|
||||
'value' => false,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true
|
||||
),
|
||||
'sanitise_attribute_on_delete' => array(
|
||||
'level' => 1,
|
||||
'description' => 'Enabling this setting will sanitise the contents of an attribute on a soft delete',
|
||||
|
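Review bot: The description string for `require_password_confirmation` misspells "persistance"; it should read `persistence`. The description also does not say that the confirmation is skipped for REST requests in the two controller hunks that carry the `!$this->_isRest()` guard, which an administrator enabling the option to counter account takeover would want to know; consider appending `Note that the check is not applied to REST/API requests.` to the description. The enclosing settings array starts and ends outside the hunk.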
|
|
@ -82,7 +82,9 @@
|
|||
<div style="border-bottom: 1px solid #e5e5e5;width:100%;"> </div>
|
||||
<div class="clear" style="margin-top:10px;">
|
||||
<?php
|
||||
if (Configure::read('Security.require_password_confirmation')) {
|
||||
echo $this->Form->input('current_password', array('type' => 'password', 'div' => false, 'class' => 'input password required', 'label' => 'Confirm with your current password'));
|
||||
}
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
|
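Review bot: The wrapping `<div class="clear" style="margin-top:10px;">` is still emitted when `Security.require_password_confirmation` is off, leaving an empty block with a top margin in the form; moving the `if` so it encloses the whole `<div>` avoids that. The same block is pasted identically into the @ -14 and @ -32 hunks; a single shared element (`echo $this->element('<ELEMENT_NAME>');`) would keep the three copies in sync if the label or class list changes. The surrounding form markup continues outside the hunk.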
|
|
@ -14,7 +14,9 @@
|
|||
<div style="border-bottom: 1px solid #e5e5e5;width:100%;"> </div>
|
||||
<div class="clear" style="margin-top:10px;">
|
||||
<?php
|
||||
if (Configure::read('Security.require_password_confirmation')) {
|
||||
echo $this->Form->input('current_password', array('type' => 'password', 'div' => false, 'class' => 'input password required', 'label' => 'Confirm with your current password'));
|
||||
}
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
|
|
|
@ -32,7 +32,9 @@
|
|||
<div style="border-bottom: 1px solid #e5e5e5;width:100%;"> </div>
|
||||
<div class="clear" style="margin-top:10px;">
|
||||
<?php
|
||||
if (Configure::read('Security.require_password_confirmation')) {
|
||||
echo $this->Form->input('current_password', array('type' => 'password', 'div' => false, 'class' => 'input password required', 'label' => 'Confirm with your current password'));
|
||||
}
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
|
|