Fixes #3383 Handling password in user class

d5c3a0a1 · Côme Bernigaud · Benoit Mortier · 277158dd · d5c3a0a1 · d5c3a0a1
Commit d5c3a0a1 authored Sep 30, 2014 by Côme Bernigaud Committed by Benoit Mortier Sep 30, 2014
--- a/html/class_passwordRecovery.inc
+++ b/html/class_passwordRecovery.inc
@@ -604,11 +604,7 @@ class passwordRecovery {
      return;
    }

-    if ($this->method != "") {
-      change_password($dn, $_POST['new_password'], 0, $this->method);
-    } else {
-      change_password($dn, $_POST['new_password']);
-    }
+    change_password($dn, $_POST['new_password'], $this->method);
    fusiondirectory_log("User ".$this->uid." password has been changed");
    /* Send the mail */
    $mail_body = sprintf($this->mail2_body, $this->uid);

--- a/include/functions.inc
+++ b/include/functions.inc
@@ -2905,151 +2905,14 @@ function get_correct_class_name($cls)
 *
 * \return boolean TRUE on success FALSE on error
 */
-function change_password ($dn, $password, $mode = 0, $hash = "")
+function change_password ($dn, $password, $hash = "")
 {
  global $config;
-  $newpass = "";
-
-  /* Convert to lower. Methods are lowercase */
-  $hash = strtolower($hash);
-
-  // Get all available encryption Methods
-
-  // NON STATIC CALL :)
-  $methods = new passwordMethod($config, $dn);
-  $available = $methods->get_available_methods();
-
-  // read current password entry for $dn, to detect the encryption Method
-  $ldap = $config->get_ldap_link();
-  $ldap->cat($dn, array('shadowLastChange', 'userPassword', 'uid'));
-  $attrs = $ldap->fetch ();
-
-  /* Is ensure that clear passwords will stay clear */
-  if ($hash == '' && isset($attrs['userPassword'][0]) && !preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0])) {
-    $hash = 'clear';
-  }
-
-  // Detect the encryption Method
-  if ($config->get_cfg_value('forcePasswordDefaultHash', 'FALSE') == 'TRUE') {
-    // if forcePasswordDefaultHash is TRUE we use the passwordDefaultHash
-    // hash and if it is not defined we use 'ssha' as default
-    $hash = $config->get_cfg_value('passwordDefaultHash', 'ssha');
-    $test = new $available[$hash]($config, $dn);
-  } elseif ((isset($attrs['userPassword'][0]) && preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0])) || $hash != "") {
-
-    /* Check for supported algorithm */
-    mt_srand((double) microtime() * 1000000);
-
-    /* Extract used hash */
-    if ($hash == "") {
-      $test = passwordMethod::get_method($attrs['userPassword'][0], $dn);
-    } else {
-      $test = new $available[$hash]($config,$dn);
-      $test->set_hash($hash);
-    }
-
-  } else {
-    // Use SSHA by default
-    $hash = $config->get_cfg_value('passwordDefaultHash', 'ssha');
-    $test = new $available[$hash]($config, $dn);
-  }
-
-  if (!($test instanceOf passwordMethod)) {
-    return FALSE;
-  }
-
-  $deactivated = $test->is_locked($config, $dn);
-
-  /* Feed password backends with information */
-  $test->dn     = $dn;
-  $test->attrs  = $attrs;
-  $newpass      = $test->generate_hash($password);
-
-  // Update shadow timestamp?
-  if (isset($attrs['shadowLastChange'][0])) {
-    $shadow = (int)(date('U') / 86400);
-  } else {
-    $shadow = 0;
-  }
-
-  // Write back modified entry
-  $ldap->cd($dn);
-  $attrs = array();
-
-  // Not for groups
-  if ($mode == 0) {
-    if ($test->need_password()) {
-      // Create SMB Password
-      $attrs = generate_smb_nt_hash($password);
-    } else {
-      $attrs['sambaLMPassword']       = array();
-      $attrs['sambaNTPassword']       = array();
-      $attrs['sambaPwdLastSet']       = array();
-      $attrs['sambaBadPasswordCount'] = array();
-      $attrs['sambaBadPasswordTime']  = array();
-    }
-    if ($shadow != 0) {
-      $attrs['shadowLastChange'] = $shadow;
-    }
-  }
-
-  $attrs['userPassword'] = array();
-  $attrs['userPassword'] = $newpass;
-
-  $ldap->modify($attrs);
-
-  /* Read ! if user was deactivated */
-  if ($deactivated) {
-    $test->lock_account($config, $dn);
-  }
-
-  new log('modify', 'user/passwordMethod', $dn, array_keys($attrs), $ldap->get_error());
-
-  if (!$ldap->success()) {
-    msg_dialog::display(_('LDAP error'), msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD), LDAP_ERROR);
-  } else {
-
-    /* Run backend method for change/create */
-    if (!$test->set_password($password)) {
-      return FALSE;
-    }
-
-    /* Find postmodify entries for this class */
-    $command = $config->search('password', 'POSTMODIFY', array('menu', 'hooks'));
-
-    if ($command != '') {
-      /* Walk through attribute list */
-      $addAttrs = array(
-        'userPassword'  => escapeshellarg($password),
-        'dn'            => escapeshellarg($dn),
-        'passwordHash'  => $hash,
-      );
-      $addAttrsStars = array(
-        'userPassword'  => '******',
-        'dn'            => escapeshellarg($dn),
-        'passwordHash'  => $hash,
-      );
-      $commandHiddenPwd = plugin::tpl_parse_string($command, $addAttrsStars);
-      $command          = plugin::tpl_parse_string($command, $addAttrs);
-
-      @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, 'Execute');
-      exec($command, $arr, $returnCode);
-
-      if ($returnCode != 0) {
-        $str = implode("\n", $arr);
-        @DEBUG(DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $commandHiddenPwd, 'Execution failed code: '.$returnCode);
-        $message = msgPool::cmdexecfailed('POSTMODIFY', $commandHiddenPwd, 'password');
-        if (!empty($str)) {
-          $message .= 'Result: '.$str;
-        }
-        msg_dialog::display(_('Error'), $message, ERROR_DIALOG);
-      } elseif (is_array($arr)) {
-        $str = implode("\n", $arr);
-        @DEBUG(DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $commandHiddenPwd, 'Result: '.$str);
-      }
-    }
-  }
-  return TRUE;
+  $userTabs = objects::open($dn, 'user');
+  $userTab  = $userTabs->getBaseObject();
+  $userTab->userPassword = array($hash, $password, $password, $userTab->userPassword);
+  $userTabs->save_object();
+  $userTabs->save();
 }



--- a/plugins/config/class_configInLdap.inc
+++ b/plugins/config/class_configInLdap.inc
@@ -79,7 +79,6 @@ class configInLdap extends simplePlugin
      $plugins = array_keys(session::global_get('plist')->info);
    }
    sort($plugins);
-    array_unshift($plugins, 'password');
    return array(
      'look_n_feel' => array(
        'name'  => _('Look n feel'),

--- a/plugins/personal/generic/class_user.inc
+++ b/plugins/personal/generic/class_user.inc
@@ -385,25 +385,6 @@ class user extends simplePlugin
    return parent::execute();
  }

-  function prepare_save()
-  {
-    parent::prepare_save();
-    unset($this->attrs['userPassword']);
-  }
-
-  function ldap_save($cleanup = TRUE)
-  {
-    parent::ldap_save($cleanup);
-    if ($this->attributesAccess['userPassword']->attributes[1]->getValue() != '') {
-      change_password(
-        $this->dn,
-        $this->attributesAccess['userPassword']->attributes[1]->getValue(), /*password*/
-        0,
-        $this->attributesAccess['userPassword']->attributes[0]->getValue() /*hash*/
-      );
-    }
-  }
-
  function save()
  {
    parent::save();

--- a/plugins/personal/posix/class_posixAccount.inc
+++ b/plugins/personal/posix/class_posixAccount.inc
@@ -515,9 +515,12 @@ class posixAccount extends simplePlugin

    if ($this->mustchangepassword) {
      $this->shadowLastChange =
-        floor(date("U") / EpochDaysDateAttribute::$secondsPerDay) - $this->shadowMax - 1;
-    } elseif ($this->is_account && !$this->initially_was_account) {
-      $this->shadowLastChange = floor(date("U") / EpochDaysDateAttribute::$secondsPerDay);
+        floor(date('U') / EpochDaysDateAttribute::$secondsPerDay) - $this->shadowMax - 1;
+    } elseif (
+        ($this->is_account && !$this->initially_was_account) ||
+        $this->parent->getBaseObject()->attributesAccess['userPassword']->hasChanged()
+      ) {
+      $this->shadowLastChange = floor(date('U') / EpochDaysDateAttribute::$secondsPerDay);
    }

    $this->updateAttributesValues();