Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
<?php
|
|
|
|
|
2012-08-13 21:37:26 +02:00
|
|
|
final class PhabricatorSettingsPanelPassword
|
|
|
|
extends PhabricatorSettingsPanel {
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
|
2012-08-13 21:37:26 +02:00
|
|
|
public function getPanelKey() {
|
|
|
|
return 'password';
|
|
|
|
}
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
|
2012-08-13 21:37:26 +02:00
|
|
|
public function getPanelName() {
|
|
|
|
return pht('Password');
|
|
|
|
}
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
|
2012-08-13 21:37:26 +02:00
|
|
|
public function getPanelGroup() {
|
|
|
|
return pht('Authentication');
|
|
|
|
}
|
|
|
|
|
|
|
|
public function isEnabled() {
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
// There's no sense in showing a change password panel if the user
|
2012-08-13 21:37:26 +02:00
|
|
|
// can't change their password...
|
|
|
|
|
|
|
|
if (!PhabricatorEnv::getEnvConfig('account.editable')) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// ...or this install doesn't support password authentication at all.
|
|
|
|
|
2013-06-20 20:18:48 +02:00
|
|
|
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
|
2012-08-13 21:37:26 +02:00
|
|
|
return false;
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
}
|
|
|
|
|
2012-08-13 21:37:26 +02:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function processRequest(AphrontRequest $request) {
|
|
|
|
$user = $request->getUser();
|
|
|
|
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
|
|
|
|
$min_len = (int)$min_len;
|
|
|
|
|
|
|
|
// NOTE: To change your password, you need to prove you own the account,
|
|
|
|
// either by providing the old password or by carrying a token to
|
|
|
|
// the workflow from a password reset email.
|
|
|
|
|
|
|
|
$token = $request->getStr('token');
|
2012-05-07 19:29:33 +02:00
|
|
|
|
|
|
|
$valid_token = false;
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
if ($token) {
|
2012-05-07 19:29:33 +02:00
|
|
|
$email_address = $request->getStr('email');
|
|
|
|
$email = id(new PhabricatorUserEmail())->loadOneWhere(
|
|
|
|
'address = %s',
|
|
|
|
$email_address);
|
|
|
|
if ($email) {
|
|
|
|
$valid_token = $user->validateEmailToken($email, $token);
|
|
|
|
}
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
$e_old = true;
|
|
|
|
$e_new = true;
|
|
|
|
$e_conf = true;
|
|
|
|
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
$errors = array();
|
|
|
|
if ($request->isFormPost()) {
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
if (!$valid_token) {
|
2012-07-17 21:06:33 +02:00
|
|
|
$envelope = new PhutilOpaqueEnvelope($request->getStr('old_pw'));
|
|
|
|
if (!$user->comparePassword($envelope)) {
|
2013-03-03 15:52:42 +01:00
|
|
|
$errors[] = pht('The old password you entered is incorrect.');
|
|
|
|
$e_old = pht('Invalid');
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$pass = $request->getStr('new_pw');
|
|
|
|
$conf = $request->getStr('conf_pw');
|
|
|
|
|
|
|
|
if (strlen($pass) < $min_len) {
|
2013-03-03 15:52:42 +01:00
|
|
|
$errors[] = pht('Your new password is too short.');
|
|
|
|
$e_new = pht('Too Short');
|
2014-01-23 23:01:18 +01:00
|
|
|
} else if ($pass !== $conf) {
|
2013-03-03 15:52:42 +01:00
|
|
|
$errors[] = pht('New password and confirmation do not match.');
|
|
|
|
$e_conf = pht('Invalid');
|
2014-01-23 23:01:18 +01:00
|
|
|
} else if (PhabricatorCommonPasswords::isCommonPassword($pass)) {
|
|
|
|
$e_new = pht('Very Weak');
|
|
|
|
$e_conf = pht('Very Weak');
|
|
|
|
$errors[] = pht(
|
|
|
|
'Your new password is very weak: it is one of the most common '.
|
|
|
|
'passwords in use. Choose a stronger password.');
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!$errors) {
|
|
|
|
// This write is unguarded because the CSRF token has already
|
|
|
|
// been checked in the call to $request->isFormPost() and
|
|
|
|
// the CSRF token depends on the password hash, so when it
|
|
|
|
// is changed here the CSRF token check will fail.
|
|
|
|
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
2012-05-25 16:30:44 +02:00
|
|
|
|
2012-07-17 21:06:33 +02:00
|
|
|
$envelope = new PhutilOpaqueEnvelope($pass);
|
2012-05-25 16:30:44 +02:00
|
|
|
id(new PhabricatorUserEditor())
|
|
|
|
->setActor($user)
|
2012-07-17 21:06:33 +02:00
|
|
|
->changePassword($user, $envelope);
|
2012-05-25 16:30:44 +02:00
|
|
|
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
unset($unguarded);
|
|
|
|
|
|
|
|
if ($valid_token) {
|
|
|
|
// If this is a password set/reset, kick the user to the home page
|
|
|
|
// after we update their account.
|
|
|
|
$next = '/';
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
} else {
|
2012-08-13 21:37:26 +02:00
|
|
|
$next = $this->getPanelURI('?saved=true');
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
}
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
|
|
|
|
return id(new AphrontRedirectResponse())->setURI($next);
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-02-18 20:03:56 +01:00
|
|
|
$hash_envelope = new PhutilOpaqueEnvelope($user->getPasswordHash());
|
|
|
|
if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) {
|
|
|
|
$errors[] = pht(
|
|
|
|
'The strength of your stored password hash can be upgraded. '.
|
|
|
|
'To upgrade, either: log out and log in using your password; or '.
|
|
|
|
'change your password.');
|
|
|
|
}
|
|
|
|
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
$len_caption = null;
|
|
|
|
if ($min_len) {
|
2013-03-03 15:52:42 +01:00
|
|
|
$len_caption = pht('Minimum password length: %d characters.', $min_len);
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
}
|
|
|
|
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
$form = new AphrontFormView();
|
|
|
|
$form
|
|
|
|
->setUser($user)
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
->addHiddenInput('token', $token);
|
|
|
|
|
|
|
|
if (!$valid_token) {
|
|
|
|
$form->appendChild(
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
id(new AphrontFormPasswordControl())
|
2013-03-03 15:52:42 +01:00
|
|
|
->setLabel(pht('Old Password'))
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
->setError($e_old)
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
->setName('old_pw'));
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
}
|
|
|
|
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
$form
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormPasswordControl())
|
2013-03-03 15:52:42 +01:00
|
|
|
->setLabel(pht('New Password'))
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
->setError($e_new)
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
->setName('new_pw'));
|
|
|
|
$form
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormPasswordControl())
|
2013-03-03 15:52:42 +01:00
|
|
|
->setLabel(pht('Confirm Password'))
|
Allow configuration of a minimum password length, unify password reset
interfaces
Summary:
- We have a hard-coded minimum length of 3 right now (and 1 in the other
interface), which is sort of silly.
- Provide a more reasonable default, and allow it to be configured.
- We have two password reset interfaces, one of which no longer actually
requires you to verify you own the account. This is more than a bit derp.
- Merge the interfaces into one, using either an email token or the account's
current password to let you change the password.
Test Plan:
- Reset password on an account.
- Changed password on an account.
- Created a new account, logged in, set the password.
- Tried to set a too-short password, got an error.
Reviewers: btrahan, jungejason, nh
Reviewed By: jungejason
CC: aran, jungejason
Maniphest Tasks: T766
Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
|
|
|
->setCaption($len_caption)
|
|
|
|
->setError($e_conf)
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
->setName('conf_pw'));
|
|
|
|
$form
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormSubmitControl())
|
2014-02-18 20:03:56 +01:00
|
|
|
->setValue(pht('Change Password')));
|
|
|
|
|
|
|
|
$form->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel(pht('Current Algorithm'))
|
2014-02-18 21:18:04 +01:00
|
|
|
->setValue(PhabricatorPasswordHasher::getCurrentAlgorithmName(
|
|
|
|
new PhutilOpaqueEnvelope($user->getPasswordHash()))));
|
2014-02-18 20:03:56 +01:00
|
|
|
|
|
|
|
$form->appendChild(
|
|
|
|
id(new AphrontFormStaticControl())
|
|
|
|
->setLabel(pht('Best Available Algorithm'))
|
2014-02-18 21:18:04 +01:00
|
|
|
->setValue(PhabricatorPasswordHasher::getBestAlgorithmName()));
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
|
2013-09-25 20:23:29 +02:00
|
|
|
$form_box = id(new PHUIObjectBoxView())
|
2013-10-25 17:57:35 +02:00
|
|
|
->setHeaderText(pht('Change Password'))
|
2014-01-10 18:17:37 +01:00
|
|
|
->setFormSaved($request->getStr('saved'))
|
|
|
|
->setFormErrors($errors)
|
2013-08-26 20:53:11 +02:00
|
|
|
->setForm($form);
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
|
2012-08-13 21:37:26 +02:00
|
|
|
return array(
|
2013-08-26 20:53:11 +02:00
|
|
|
$form_box,
|
2012-08-13 21:37:26 +02:00
|
|
|
);
|
Add change password settings panel
Summary:
In password-based auth environments, there is now a user settings
panel to allow them to change their password.
Test Plan:
Click settings, choose password from the left:
* enter current password, new password (twice), log out, and log in with
new password
* enter current password, non-matching passwords, and get error
* enter invalid old password, and get error
* use firebug to change csrf token and verify that it does not save with
and invalid token
Changed config to disable password auth, loaded settings panel and saw
that password was no longer visible. Tried loading the panel anyway and
got redirected.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: 890
2011-09-04 10:53:58 +02:00
|
|
|
}
|
|
|
|
}
|