revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 17:32:41 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php

172 lines
4.7 KiB
PHP
Raw Normal View History

Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
<?php
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
final class PhabricatorSettingsPanelPassword
extends PhabricatorSettingsPanel {
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
public function getPanelKey() {
return 'password';
}
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
public function getPanelName() {
return pht('Password');
}
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
public function getPanelGroup() {
return pht('Authentication');
}
public function isEnabled() {
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
// There's no sense in showing a change password panel if the user
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
// can't change their password...
if (!PhabricatorEnv::getEnvConfig('account.editable')) {
return false;
}
// ...or this install doesn't support password authentication at all.
Provide contextual help on auth provider configuration Summary: Ref T1536. - Move all the provider-specific help into contextual help in Auth. - This provides help much more contextually, and we can just tell the user the right values to use to configure things. - Rewrite account/registration help to reflect the newer state of the word. - Also clean up a few other loose ends. Test Plan: {F46937} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6247
2013-06-20 20:18:48 +02:00
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
return false;
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
return true;
}
public function processRequest(AphrontRequest $request) {
$user = $request->getUser();
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
$min_len = (int)$min_len;
// NOTE: To change your password, you need to prove you own the account,
// either by providing the old password or by carrying a token to
// the workflow from a password reset email.
$token = $request->getStr('token');
Allow users to have multiple email addresses, and verify emails Summary: - Move email to a separate table. - Migrate existing email to new storage. - Allow users to add and remove email addresses. - Allow users to verify email addresses. - Allow users to change their primary email address. - Convert all the registration/reset/login code to understand these changes. - There are a few security considerations here but I think I've addressed them. Principally, it is important to never let a user acquire a verified email address they don't actually own. We ensure this by tightening the scoping of token generation rules to be (user, email) specific. - This should have essentially zero impact on Facebook, but may require some minor changes in the registration code -- I don't exactly remember how it is set up. Not included here (next steps): - Allow configuration to restrict email to certain domains. - Allow configuration to require validated email. Test Plan: This is a fairly extensive, difficult-to-test change. - From "Email Addresses" interface: - Added new email (verified email verifications sent). - Changed primary email (verified old/new notificactions sent). - Resent verification emails (verified they sent). - Removed email. - Tried to add already-owned email. - Created new users with "accountadmin". Edited existing users with "accountadmin". - Created new users with "add_user.php". - Created new users with web interface. - Clicked welcome email link, verified it verified email. - Reset password. - Linked/unlinked oauth accounts. - Logged in with oauth account. - Logged in with email. - Registered with Oauth account. - Tried to register with OAuth account with duplicate email. - Verified errors for email verification with bad tokens, etc. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2393
2012-05-07 19:29:33 +02:00
$valid_token = false;
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
if ($token) {
Allow users to have multiple email addresses, and verify emails Summary: - Move email to a separate table. - Migrate existing email to new storage. - Allow users to add and remove email addresses. - Allow users to verify email addresses. - Allow users to change their primary email address. - Convert all the registration/reset/login code to understand these changes. - There are a few security considerations here but I think I've addressed them. Principally, it is important to never let a user acquire a verified email address they don't actually own. We ensure this by tightening the scoping of token generation rules to be (user, email) specific. - This should have essentially zero impact on Facebook, but may require some minor changes in the registration code -- I don't exactly remember how it is set up. Not included here (next steps): - Allow configuration to restrict email to certain domains. - Allow configuration to require validated email. Test Plan: This is a fairly extensive, difficult-to-test change. - From "Email Addresses" interface: - Added new email (verified email verifications sent). - Changed primary email (verified old/new notificactions sent). - Resent verification emails (verified they sent). - Removed email. - Tried to add already-owned email. - Created new users with "accountadmin". Edited existing users with "accountadmin". - Created new users with "add_user.php". - Created new users with web interface. - Clicked welcome email link, verified it verified email. - Reset password. - Linked/unlinked oauth accounts. - Logged in with oauth account. - Logged in with email. - Registered with Oauth account. - Tried to register with OAuth account with duplicate email. - Verified errors for email verification with bad tokens, etc. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2393
2012-05-07 19:29:33 +02:00
$email_address = $request->getStr('email');
$email = id(new PhabricatorUserEmail())->loadOneWhere(
'address = %s',
$email_address);
if ($email) {
$valid_token = $user->validateEmailToken($email, $token);
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
$e_old = true;
$e_new = true;
$e_conf = true;
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$errors = array();
if ($request->isFormPost()) {
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
if (!$valid_token) {
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
$envelope = new PhutilOpaqueEnvelope($request->getStr('old_pw'));
if (!$user->comparePassword($envelope)) {
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
$errors[] = pht('The old password you entered is incorrect.');
$e_old = pht('Invalid');
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
}
$pass = $request->getStr('new_pw');
$conf = $request->getStr('conf_pw');
if (strlen($pass) < $min_len) {
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
$errors[] = pht('Your new password is too short.');
$e_new = pht('Too Short');
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
if ($pass !== $conf) {
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
$errors[] = pht('New password and confirmation do not match.');
$e_conf = pht('Invalid');
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
if (!$errors) {
// This write is unguarded because the CSRF token has already
// been checked in the call to $request->isFormPost() and
// the CSRF token depends on the password hash, so when it
// is changed here the CSRF token check will fail.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
$envelope = new PhutilOpaqueEnvelope($pass);
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
id(new PhabricatorUserEditor())
->setActor($user)
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
->changePassword($user, $envelope);
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
unset($unguarded);
if ($valid_token) {
// If this is a password set/reset, kick the user to the home page
// after we update their account.
$next = '/';
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
} else {
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
$next = $this->getPanelURI('?saved=true');
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
return id(new AphrontRedirectResponse())->setURI($next);
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
}
$notice = null;
if (!$errors) {
if ($request->getStr('saved')) {
$notice = new AphrontErrorView();
$notice->setSeverity(AphrontErrorView::SEVERITY_NOTICE);
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
$notice->setTitle(pht('Changes Saved'));
Convert AphrontErrorView to safe HTML Summary: Done by searching for `AphrontErrorView` and then `appendChild()`. Test Plan: Looked at Commit Detail. Looked at Revision Detail. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2432 Differential Revision: https://secure.phabricator.com/D4843
2013-02-07 01:53:49 +01:00
$notice->appendChild(
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
phutil_tag('p', array(), pht('Your password has been updated.')));
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
} else {
$notice = new AphrontErrorView();
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
$notice->setTitle(pht('Error Changing Password'));
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$notice->setErrors($errors);
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
$len_caption = null;
if ($min_len) {
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
$len_caption = pht('Minimum password length: %d characters.', $min_len);
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$form = new AphrontFormView();
$form
->setUser($user)
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->addHiddenInput('token', $token);
if (!$valid_token) {
$form->appendChild(
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
id(new AphrontFormPasswordControl())
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
->setLabel(pht('Old Password'))
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->setError($e_old)
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
->setName('old_pw'));
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$form
->appendChild(
id(new AphrontFormPasswordControl())
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
->setLabel(pht('New Password'))
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->setError($e_new)
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
->setName('new_pw'));
$form
->appendChild(
id(new AphrontFormPasswordControl())
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
->setLabel(pht('Confirm Password'))
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->setCaption($len_caption)
->setError($e_conf)
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
->setName('conf_pw'));
$form
->appendChild(
id(new AphrontFormSubmitControl())
pht() for Settings Test Plan: did a run with ALL CAPS through `/settings/` and subpages. This includes changing (and forgetting) my password. Did not test the following: - LDAP Reviewers: epriestley, btrahan, chad Reviewed By: chad CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5174
2013-03-03 15:52:42 +01:00
->setValue(pht('Save')));
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
Move PHUIFormBoxView to PHUIObjectBoxView Summary: I'd like to reuse this for other content areas, renaming for now. This might be weird to keep setForm, but I can fix that later if we need. Test Plan: reload a few forms in maniphest, projects, differential Reviewers: epriestley, btrahan Reviewed By: epriestley CC: Korvin, aran Differential Revision: https://secure.phabricator.com/D7120
2013-09-25 20:23:29 +02:00
$form_box = id(new PHUIObjectBoxView())
Fix header of "Change Password" form Summary: Fixes T4025. Test Plan: {F74873} Reviewers: btrahan, chad Reviewed By: chad CC: aran Maniphest Tasks: T4025 Differential Revision: https://secure.phabricator.com/D7395
2013-10-25 17:57:35 +02:00
->setHeaderText(pht('Change Password'))
Update Form Layouts Summary: This attempts some consistency in form layouts. Notably, they all now contain headers and are 16px off the sides and tops of pages. Also updated dialogs to the same look and feel. I think I got 98% of forms with this pass, but it's likely I missed some buried somewhere. TODO: will take another pass as consolidating these colors and new gradients in another diff. Test Plan: Played in my sandbox all week. Please play with it too and let me know how they feel. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: Korvin, aran Differential Revision: https://secure.phabricator.com/D6806
2013-08-26 20:53:11 +02:00
->setFormError($notice)
->setForm($form);
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
return array(
Update Form Layouts Summary: This attempts some consistency in form layouts. Notably, they all now contain headers and are 16px off the sides and tops of pages. Also updated dialogs to the same look and feel. I think I got 98% of forms with this pass, but it's likely I missed some buried somewhere. TODO: will take another pass as consolidating these colors and new gradients in another diff. Test Plan: Played in my sandbox all week. Please play with it too and let me know how they feel. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: Korvin, aran Differential Revision: https://secure.phabricator.com/D6806
2013-08-26 20:53:11 +02:00
$form_box,
Make settings panels more modular and modern Summary: Currently, we have a hard-coded list of settings panels. Make them a bit more modular. - Allow new settings panels to be defined by third-party code (see {D2340}, for example -- @ptarjan). - This makes the OAuth stuff more flexible for {T887} / {T1536}. - Reduce the number of hard-coded URIs in various places. Test Plan: Viewed / edited every option in every panel. Grepped for all references to these URIs. Reviewers: btrahan, vrana, ptarjan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3257
2012-08-13 21:37:26 +02:00
);
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
}
Copy permalink