chg: Made the current password confirmation requirement for any user profile edits optional

- default setting is having it off
- incredibly frustrating feature is now only enabled on demand
pull/2412/head
iglocska 2017-08-18 09:05:20 +02:00
parent 2e79d3f0f9
commit cfcaf0d410
5 changed files with 46 additions and 25 deletions


@ -86,16 +86,18 @@ class UsersController extends AppController {
if ($this->request->is('post') || $this->request->is('put')) {
$abortPost = false;
if (!$this->_isRest()) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
$abortPost = true;
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
}
unset($this->request->data['User']['current_password']);
} else {
$abortPost = true;
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
$this->Session->setFlash('Please enter your current password to continue.');
}
unset($this->request->data['User']['current_password']);
} else {
$abortPost = true;
$this->Session->setFlash('Please enter your current password to continue.');
}
}
if (!$abortPost) {
@ -132,16 +134,18 @@ class UsersController extends AppController {
));
if ($this->request->is('post') || $this->request->is('put')) {
$abortPost = false;
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
$abortPost = true;
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
}
unset($this->request->data['User']['current_password']);
} else {
$abortPost = true;
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
$this->Session->setFlash('Please enter your current password to continue.');
}
unset($this->request->data['User']['current_password']);
} else {
$abortPost = true;
$this->Session->setFlash('Please enter your current password to continue.');
}
if (!$abortPost) {
// What fields should be saved (allowed to be saved)
@ -538,7 +542,6 @@ class UsersController extends AppController {
}
$roles = $this->User->Role->find('list', $params);
$syncRoles = $this->User->Role->find('list', array('conditions' => array('perm_sync' => 1), 'recursive' => -1));
$this->set('currentId', $id);
if ($this->request->is('post') || $this->request->is('put')) {
if (!isset($this->request->data['User'])) {
@ -546,16 +549,19 @@ class UsersController extends AppController {
}
$abortPost = false;
if (!$this->_isRest()) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
if (!$hashed) {
$abortPost = true;
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
}
unset($this->request->data['User']['current_password']);
} else {
$abortPost = true;
$this->Session->setFlash('Invalid password. Please enter your current password to continue.');
$this->Session->setFlash('Please enter your current password to continue.');
}
unset($this->request->data['User']['current_password']);
} else {
$abortPost = true;
$this->Session->setFlash('Please enter your current password to continue.');
}
}
if (!$abortPost) {
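Review bot: When `Security.require_password_confirmation` is off, a `current_password` value that a client submits anyway is no longer stripped from `$this->request->data['User']` before the save path at `if (!$abortPost) {`, because the `unset(...)` now sits inside the new `if (Configure::read('Security.require_password_confirmation'))` branch in all three hunks (`@ -86`, `@ -132`, `@ -546`). Whether that stray field can reach the model depends on the allowed-field handling hinted at by the comment `// What fields should be saved (allowed to be saved)`, which lies outside the hunk, but stripping it unconditionally removes the question: keep the `unset($this->request->data['User']['current_password']);` line after the closing brace of the `Configure::read` block rather than inside it. The enclosing controller actions start and end outside the hunks.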


@ -951,6 +951,15 @@ class Server extends AppModel {
'test' => 'testPasswordRegex',
'type' => 'string',
),
'require_password_confirmation' => array(
'level' => 1,
'description' => 'Enabling this setting will require users to submit their current password on any edits to their profile (including a triggered password change). For administrators, the confirmation will be required when changing the profile of any user. Could potentially mitigate an attacker trying to change a compromised user\'s password in order to establish persistance, however, enabling this feature will be highly annoying to users.',
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true
),
'sanitise_attribute_on_delete' => array(
'level' => 1,
'description' => 'Enabling this setting will sanitise the contents of an attribute on a soft delete',
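Review bot: The `description` string of the new `require_password_confirmation` setting does not mention that the check is skipped for REST requests, although in this same commit two of the three controller hunks run it only inside `if (!$this->_isRest())`, so an administrator reading the settings page would assume API-key clients are covered as well. Suggest extending the description with a sentence along the lines of `The confirmation is only enforced for form (non-REST) submissions.` once the behaviour of the third action, which has no such guard in the hunk, is confirmed. The same string also spells `persistance` where `persistence` is meant.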


@ -82,7 +82,9 @@
<div style="border-bottom: 1px solid #e5e5e5;width:100%;">&nbsp;</div>
<div class="clear" style="margin-top:10px;">
<?php
if (Configure::read('Security.require_password_confirmation')) {
echo $this->Form->input('current_password', array('type' => 'password', 'div' => false, 'class' => 'input password required', 'label' => 'Confirm with your current password'));
}
?>
</div>
<?php
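Review bot: The `Configure::read('Security.require_password_confirmation')` guard around the `$this->Form->input('current_password', ...)` call is now repeated verbatim in this view and in the two following view sections; a single element (for example `echo $this->element('current_password_confirmation');`) would keep the setting key, the field name and the label in one place, so a later rename of the key or field cannot leave one form out of step with the controller check that rejects the submission. This is a point of style only; the rendered markup is unchanged.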


@ -14,7 +14,9 @@
<div style="border-bottom: 1px solid #e5e5e5;width:100%;">&nbsp;</div>
<div class="clear" style="margin-top:10px;">
<?php
if (Configure::read('Security.require_password_confirmation')) {
echo $this->Form->input('current_password', array('type' => 'password', 'div' => false, 'class' => 'input password required', 'label' => 'Confirm with your current password'));
}
?>
</div>
<?php


@ -32,7 +32,9 @@
<div style="border-bottom: 1px solid #e5e5e5;width:100%;">&nbsp;</div>
<div class="clear" style="margin-top:10px;">
<?php
if (Configure::read('Security.require_password_confirmation')) {
echo $this->Form->input('current_password', array('type' => 'password', 'div' => false, 'class' => 'input password required', 'label' => 'Confirm with your current password'));
}
?>
</div>
<?php