Force password reset on next login after password is manually set
Squashed commit of the following:

commit a79ddf2
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Dec 29 14:30:46 2017 -0800

    Force cache reload validate JS

commit 3277cb6
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Dec 29 14:27:25 2017 -0800

    Force PW reset on batchcreateinstr

commit 2692d8a
Author: drlippman <drlippman@yahoo.com>
Date:   Fri Dec 29 14:23:04 2017 -0800

    Change language on PW reset to reflect PW is temporary

commit 61ee232
Author: drlippman <drlippman@yahoo.com>
Date:   Wed Dec 27 12:59:26 2017 -0800

    Feature to force password reset on first login after manual reset
drlippman committed Jan 5, 2018
1 parent 8f9ad00 commit b5bd46e
Showing 13 changed files with 65 additions and 62 deletions.
8 changes: 3 additions & 5 deletions actions.php
Expand Up @@ -414,7 +414,7 @@
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
} else if ($_GET['action']=="chgpwd") {
} else if ($_GET['action']=="chgpwd" || $_GET['action']=="forcechgpwd") {
//DB $query = "SELECT password FROM imas_users WHERE id = '$userid'";
//DB $result = mysql_query($query) or die("Query failed : " . mysql_error());
//DB $line = mysql_fetch_array($result, MYSQL_ASSOC);
Expand All @@ -427,12 +427,10 @@
} else {
$newpw =md5($_POST['pw1']);
}
//DB $query = "UPDATE imas_users SET password='$md5pw' WHERE id='$userid'";
//DB mysql_query($query) or die("Query failed : " . mysql_error());
$stm = $DBH->prepare("UPDATE imas_users SET password=:newpw WHERE id=:uid LIMIT 1");
$stm = $DBH->prepare("UPDATE imas_users SET password=:newpw,forcepwreset=0 WHERE id=:uid LIMIT 1");
$stm->execute(array(':uid'=>$userid, ':newpw'=>$newpw));
} else {
echo "<html><body>Password change failed. <A HREF=\"forms.php?action=chgpwd$gb\">Try Again</a>\n";
echo "<html><body>Password change failed. <a href=\"forms.php?action=".Sanitize::simpleString($_GET['action']).$gb."\">Try Again</a>\n";
echo "</body></html>\n";
exit;
}
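Review bot: The UPDATE at `forcepwreset=0` completes a forced reset without any server-side check that the new password differs from the temporary one the user just typed; the only "not equal to old" guard in this commit is the client-side `notEqual` jQuery rule in includes/newusercommon.php, and client-side validation is not a security boundary. Before preparing the UPDATE, reject the submission when `$_POST['pw1'] === $_POST['oldpw']` and route it to the existing failure branch, so a forced reset cannot be satisfied by re-entering the temporary password. The enclosing `if` that verifies the old password and compares `pw1`/`pw2` begins above this hunk, so the exact placement should be confirmed there.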
22 changes: 1 addition & 21 deletions admin/actions.php
Expand Up @@ -108,7 +108,7 @@
$query .= ',SID=:SID';
}
if (isset($_POST['doresetpw'])) {
$query .= ',password=:password';
$query .= ',password=:password,forcepwreset=1';
}
$query .= " WHERE id=:id";
$stm = $DBH->prepare($query);
Expand Down Expand Up @@ -212,26 +212,6 @@
deletealluserfiles($_GET['id']);
//todo: delete courses if any
break;
case "chgpwd":
$stm = $DBH->prepare("SELECT password FROM imas_users WHERE id=:id");
$stm->execute(array(':id'=>$userid));
$line = $stm->fetch(PDO::FETCH_ASSOC);

if ((md5($_POST['oldpw'])==$line['password'] || (isset($CFG['GEN']['newpasswords']) && password_verify($_POST['oldpw'], $line['password'])) ) && ($_POST['newpw1'] == $_POST['newpw2'])) {
$md5pw =md5($_POST['newpw1']);
if (isset($CFG['GEN']['newpasswords'])) {
$md5pw = password_hash($_POST['newpw1'], PASSWORD_DEFAULT);
} else {
$md5pw = md5($_POST['newpw1']);
}
$stm = $DBH->prepare("UPDATE imas_users SET password=:password WHERE id=:id");
$stm->execute(array(':password'=>$md5pw, ':id'=>$userid));
} else {
echo "<HTML><body>Password change failed. <A HREF=\"forms.php?action=chgpwd\">Try Again</a>\n";
echo "</body></html>\n";
exit;
}
break;
case "newadmin":
if ($myrights < 75 && ($myspecialrights&16)!=16 && ($myspecialrights&32)!=32) { echo "You don't have the authority for this action"; break;}
if ($_POST['newrights']>$myrights) {
16 changes: 3 additions & 13 deletions admin/forms.php
Expand Up @@ -2,7 +2,7 @@
//IMathAS: Admin forms
//(c) 2006 David Lippman
require("../init.php");
$placeinhead = '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead = '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';
require("../header.php");
require("../includes/htmlutil.php");

Expand Down Expand Up @@ -68,16 +68,6 @@
echo "<input type=button value=\"Nevermind\" class=\"secondarybtn\" onclick=\"window.location='".Sanitize::encodeStringForJavascript($backloc)."'\"></p>\n";
echo '</form>';
break;
case "chgpwd":
echo '<div id="headerforms" class="pagetitle"><h2>Change Your Password</h2></div>';
echo "<form method=post action=\"actions.php?from=".Sanitize::encodeUrlParam($from)."\">\n";
echo '<input type=hidden name=action value="chgpwd" />';
echo "<span class=form>Enter old password:</span> <input class=form type=password name=oldpw size=40> <BR class=form>\n";
echo "<span class=form>Enter new password:</span> <input class=form type=password name=newpw1 size=40> <BR class=form>\n";
echo "<span class=form>Verify new password:</span> <input class=form type=password name=newpw2 size=40> <BR class=form>\n";
echo '<div class=submit><button type=submit name="action" value="chgpwd">'._('Save').'</button></div></form>';
break;

case "chgrights":
case "newadmin":
if ($myrights < 75 && ($myspecialrights&16)!=16 && ($myspecialrights&32)!=32) { echo "You don't have the authority for this action"; break;}
Expand Down Expand Up @@ -141,8 +131,8 @@ function onrightschg() {
if ($_GET['action'] == "newadmin") {
echo '<span class="form">Password:</span> <input class="form" type="text" size="40" name="pw1"/><br class="form"/>';
} else {
echo '<span class=form>Reset password?</span><span class=formright><input type=checkbox name="doresetpw" value="1" /> ';
echo 'Reset to: <input type=text size=20 name="newpassword" /></span><br class=form />';
echo '<span class=form>Reset password?</span><span class=formright><input type=checkbox name="doresetpw" value="1" onclick="$(\'#newpwwrap\').toggle(this.checked)"/> ';
echo '<span id="newpwwrap" style="display:none">Set temporary password to: <input type=text size=20 name="newpassword" /></span></span><br class=form />';
}
echo "<BR><span class=form><img src=\"$imasroot/img/help.gif\" alt=\"Help\" onClick=\"window.open('$imasroot/help.php?section=rights','help','top=0,width=400,height=500,scrollbars=1,left='+(screen.width-420))\"/> Set User rights to: </span> \n";
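Review bot: The cache-busting token `?v=122917` on the `jquery.validate.min.js` include is a hand-typed literal that this commit repeats in admin/forms.php, bltilaunch.php (twice), course/listusers.php (twice), directaccess.php and forms.php; the next change to that script will require finding and editing all seven copies, and a missed one silently serves a stale validator. Define the version once where the other shared page setup lives (a variable such as `$jsvalidatever = '122917';` in init.php, if that is the right home) and build the include as `'/javascript/jquery.validate.min.js?v='.$jsvalidatever`. The new `#newpwwrap` span defaults to `display:none`; if this form is ever re-rendered with the checkbox already checked, the password field will be hidden while still submitted, which is worth confirming against how the form is reached.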
6 changes: 3 additions & 3 deletions admin/importstu.php
Expand Up @@ -175,7 +175,7 @@ function parsecsv($data) {
//DB $query = "INSERT INTO imas_users (SID,FirstName,LastName,email,rights,password) VALUES ('$arr[0]','$arr[1]','$arr[2]','$arr[3]',10,'$pw')";
//DB mysql_query($query) or die("Query failed : " . mysql_error());
//DB $id = mysql_insert_id();
$stm = $DBH->prepare("INSERT INTO imas_users (SID,FirstName,LastName,email,rights,password) VALUES (:SID, :FirstName, :LastName, :email, :rights, :password)");
$stm = $DBH->prepare("INSERT INTO imas_users (SID,FirstName,LastName,email,rights,password,forcepwreset) VALUES (:SID, :FirstName, :LastName, :email, :rights, :password, 1)");
$stm->execute(array(':SID'=>$arr[0], ':FirstName'=>$arr[1], ':LastName'=>$arr[2], ':email'=>$arr[3], ':rights'=>10, ':password'=>$pw));
$id = $DBH->lastInsertId();
}
Expand Down Expand Up @@ -328,7 +328,7 @@ function parsecsv($data) {
?>
</tbody>
</table>

<?php
foreach($_POST as $k=>$v) {
echo "<input type=hidden name=\"" . Sanitize::encodeStringForDisplay($k) . "\" value=\"".Sanitize::encodeStringForDisplay($v)."\">\n";
Expand Down Expand Up @@ -384,7 +384,7 @@ function parsecsv($data) {
<input type=text name=unloc size=4 value="2"/>
</span><br class=form>

<span class=form>Password is in column:</span>
<span class=form>Temporary password is in column:</span>
<span class=formright>
<input type=text name="pwcol" size=4 value="1"/>
</span><br class=form>
4 changes: 2 additions & 2 deletions bltilaunch.php
Expand Up @@ -328,7 +328,7 @@ function reporterror($err) {
//ask for student info
$flexwidth = true;
$nologo = true;
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';
require("header.php");
if (isset($infoerr)) {
echo '<p class=noticetext>'.Sanitize::encodeStringForDisplay($infoerr).'</p>';
Expand Down Expand Up @@ -1782,7 +1782,7 @@ function findfolder($items,$n,$loc) {
//ask for student info
$nologo = true;
$flexwidth = true;
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';
require("header.php");
if (isset($infoerr)) {
echo '<p class=noticetext>'.Sanitize::encodeStringForDisplay($infoerr).'</p>';
19 changes: 10 additions & 9 deletions course/listusers.php
Expand Up @@ -185,7 +185,7 @@
} elseif (isset($_GET['newstu']) && $CFG['GEN']['allowinstraddstus']) {
$curBreadcrumb .= " &gt; <a href=\"listusers.php?cid=$cid\">Roster</a> &gt; Enroll Students\n";
$pagetitle = "Enroll a New Student";
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';

if (isset($_POST['SID'])) {
require_once("../includes/newusercommon.php");
Expand All @@ -204,8 +204,8 @@
//DB $query .= "VALUES ('{$_POST['SID']}','$md5pw',10,'{$_POST['firstname']}','{$_POST['lastname']}','{$_POST['email']}',0);";
//DB mysql_query($query) or die("Query failed : " . mysql_error());
//DB $newuserid = mysql_insert_id();
$query = "INSERT INTO imas_users (SID, password, rights, FirstName, LastName, email, msgnotify) ";
$query .= "VALUES (:SID, :password, :rights, :FirstName, :LastName, :email, :msgnotify);";
$query = "INSERT INTO imas_users (SID, password, rights, FirstName, LastName, email, msgnotify, forcepwreset) ";
$query .= "VALUES (:SID, :password, :rights, :FirstName, :LastName, :email, :msgnotify, 1);";
$stm = $DBH->prepare($query);
$stm->execute(array(':SID'=>$_POST['SID'], ':password'=>$md5pw, ':rights'=>10,
':FirstName'=>$_POST['firstname'], ':LastName'=>$_POST['lastname'], ':email'=>$_POST['email'], ':msgnotify'=>0));
Expand Down Expand Up @@ -269,7 +269,7 @@
} elseif (isset($_GET['chgstuinfo'])) {
$curBreadcrumb .= " &gt; <a href=\"listusers.php?cid=$cid\">Roster</a> &gt; Change User Info\n";
$pagetitle = "Change Student Info";
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';
require_once("../includes/newusercommon.php");

if (isset($_POST['firstname'])) {
Expand Down Expand Up @@ -321,7 +321,7 @@
$newpw = md5($_POST['pw1']);
}
//DB $query .= ",password='$newpw'";
$query .= ",password=:password";
$query .= ",password=:password,forcepwreset=1";
$qarr[':password'] = $newpw;
$msgout .= '<p>Password updated</p>';
}
Expand Down Expand Up @@ -731,14 +731,15 @@ function postRosterForm(uid,action) {
<span class=formright><input type="number" min="0.01" step="0.01" name="timelimitmult" value="<?php echo Sanitize::encodeStringForDisplay($lineStudent['timelimitmult']); ?>"/></span><br class=form>
<span class=form>LatePasses:</span>
<span class=formright><input type="number" min="0" name="latepasses" value="<?php echo Sanitize::encodeStringForDisplay($lineStudent['latepass']); ?>"/></span><br class=form>
<span class=form>Lock out of course?:</span>
<span class=form>Lock out of course?</span>
<span class=formright><input type="checkbox" name="locked" value="1" <?php if ($lineStudent['locked']>0) {echo ' checked="checked" ';} ?>/></span><br class=form>
<span class="form">Student has course hidden from course list?:</span>
<span class="form">Student has course hidden from course list?</span>
<span class="formright"><input type="checkbox" name="hidefromcourselist" value="1" <?php if ($lineStudent['hidefromcourselist']>0) {echo ' checked="checked" ';} ?>/></span><br class=form>
<span class=form><label for="doresetpw">Reset password?</label></span>
<span class=formright>
<input type=checkbox name="doresetpw" id="doresetpw" value="1" /> <label for="pw1">Reset to:</label>
<input type=text size=20 name="pw1" id="pw1" />
<input type=checkbox name="doresetpw" id="doresetpw" value="1" onclick="$('#newpwwrap').toggle(this.checked)" />
<span id="newpwwrap" style="display:none"><label for="pw1">Set temporary password to:</label>
<input type=text size=20 name="pw1" id="pw1" /></span>
</span><br class=form />
<div class=submit><input type=submit value="Update Info"></div>
</form>
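Review bot: The confirmation `$msgout .= '<p>Password updated</p>';` next to the new `forcepwreset=1` in the UPDATE hunk still describes a plain password change, while the form label in the same file now reads "Set temporary password to:"; the instructor is not told that the student will be required to pick a new password at next login. Change it to `$msgout .= '<p>Temporary password set; the student will be asked to choose a new password at next login</p>';` so the message matches the new behavior.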
2 changes: 1 addition & 1 deletion directaccess.php
Expand Up @@ -185,7 +185,7 @@
$challenge = base64_encode(microtime() . rand(0,9999));
$_SESSION['challenge'] = $challenge;
}
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';
if (isset($CFG['locale'])) {
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jqvalidatei18n/messages_'.$CFG['locale'].'.min.js"></script>';
}
12 changes: 9 additions & 3 deletions forms.php
Expand Up @@ -24,7 +24,7 @@
} else {
$gb = '';
}
$placeinhead = '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js"></script>';
$placeinhead = '<script type="text/javascript" src="'.$imasroot.'/javascript/jquery.validate.min.js?v=122917"></script>';
if (isset($CFG['locale'])) {
$placeinhead .= '<script type="text/javascript" src="'.$imasroot.'/javascript/jqvalidatei18n/messages_'.$CFG['locale'].'.min.js"></script>';
}
Expand Down Expand Up @@ -94,12 +94,18 @@
include($studentTOS);
}
break;
case "forcechgpwd":
case "chgpwd":
if ($gb == '') {
if ($gb == '' && $_GET['action']!='forcechgpwd') {
echo "<div class=breadcrumb><a href=\"index.php\">Home</a> &gt; Change Password</div>\n";
}
echo '<div id="headerforms" class="pagetitle"><h2>Change Your Password</h2></div>';
echo "<form id=\"pageform\" class=limitaftervalidate method=post action=\"actions.php?action=chgpwd$gb\">\n";
if ($_GET['action']=='forcechgpwd') {
echo '<p>'._('To ensure the security of your account, we are requiring a password change. Please select a new password.').'</p>';
echo "<form id=\"pageform\" class=limitaftervalidate method=post action=\"actions.php?action=forcechgpwd$gb\">\n";
} else {
echo "<form id=\"pageform\" class=limitaftervalidate method=post action=\"actions.php?action=chgpwd$gb\">\n";
}
echo "<span class=form><label for=\"oldpw\">Enter old password:</label></span> <input class=form type=password id=oldpw name=oldpw size=40 /> <BR class=form>\n";
echo "<span class=form><label for=\"pw1\">Enter new password:</label></span> <input class=form type=password id=pw1 name=pw1 size=40> <BR class=form>\n";
echo "<span class=form><label for=\"pw2\">Verify new password:</label></span> <input class=form type=password id=pw2 name=pw2 size=40> <BR class=form>\n";
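Review bot: The two `echo "<form ... action=\"actions.php?action=...$gb\">"` lines in the `forcechgpwd`/`chgpwd` branch differ only in the action name, so the form markup is duplicated and will drift the next time an attribute is added. Compute the action once, `$pwaction = ($_GET['action']=='forcechgpwd') ? 'forcechgpwd' : 'chgpwd';`, and emit a single `echo "<form id=\"pageform\" class=limitaftervalidate method=post action=\"actions.php?action=$pwaction$gb\">\n";`, keeping the explanatory paragraph inside the `if`. In the forced case the label "Enter old password:" on the following line refers to the temporary password the user was given; a conditional label such as "Enter temporary password:" would match the notice shown above it.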
5 changes: 4 additions & 1 deletion includes/newusercommon.php
Expand Up @@ -28,10 +28,13 @@ function showNewUserValidation($formname, $extrarequired=array(), $requiredrules
echo '"
},
pw1: {
required: '.(isset($requiredrules['pw1'])?$requiredrules['pw1']:'true').',';
required: '.(isset($requiredrules['pw1'])?$requiredrules['pw1']:'true').',';
if (isset($CFG['acct']['passwordFormat'])) {
echo 'pattern: '.$CFG['acct']['passwordFormat'].',';
}
if (in_array('oldpw', $extrarequired)) {
echo 'notEqual: "#oldpw",';
}
echo 'minlength: '.(isset($CFG['acct']['passwordMinlength'])?$CFG['acct']['passwordMinlength']:6).'
},
pw2: {
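Review bot: The new `notEqual` rule emitted by `if (in_array('oldpw', $extrarequired))` is client-side only, so it improves the form but does not by itself guarantee the new password differs from the old one; the server-side handler in actions.php should enforce the same rule, since this output is skipped entirely when JavaScript is off or the POST is made directly. `notEqual` is not a stock jquery.validate rule; it presumably comes from the three lines this commit adds to javascript/jquery.validate.min.js, which is worth confirming so the rule name stays in sync with that file. Use strict membership, `in_array('oldpw', $extrarequired, true)`, to match how a list of rule names should be compared. The function `showNewUserValidation` begins above this hunk and continues below it.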
3 changes: 3 additions & 0 deletions javascript/jquery.validate.min.js


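--- a/migrations/137_add_forcepwreset.php
+++ b/migrations/137_add_forcepwreset.php
@@ -0,0 +1,18 @@
+<?php
+
+//Add jsondata field to imas_users
+$DBH->beginTransaction();
+
+$query = "ALTER TABLE `imas_users` ADD `forcepwreset` TINYINT(1) UNSIGNED NOT NULL DEFAULT '0'";
+$res = $DBH->query($query);
+if ($res===false) {
+echo "<p>Query failed: ($query) : " . $DBH->errorInfo() . "</p>";
+$DBH->rollBack();
+return false;
+}
+
+$DBH->commit();
+
+echo "<p style='color: green;'>✓ Added forcepwreset field to imas_users</p>";
+
+return true;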
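Review bot: The failure message concatenates `$DBH->errorInfo()`, which is an array, so the output on a failed ALTER TABLE reads "Query failed: (...) : Array" and the actual driver error is lost; use `implode(' ', $DBH->errorInfo())` in that `echo`. The header comment `//Add jsondata field to imas_users` looks copied from an earlier migration and should read `//Add forcepwreset field to imas_users` to match the column the query creates. Whether `$DBH->query()` returns false or throws depends on the connection's `PDO::ATTR_ERRMODE`, which is set outside this file; if it is exception mode the `$res===false` branch is never taken, so the rollback path should be confirmed against that setting.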
4 changes: 2 additions & 2 deletions util/batchcreateinstr.php
Expand Up @@ -57,7 +57,7 @@
$hashpw = md5($data[1]);
}
echo "Importing ".Sanitize::encodeStringForDisplay($data[0])."<br/>";
$query = 'INSERT INTO imas_users (SID,password,FirstName,LastName,rights,email,groupid,homelayout) VALUES (:SID, :password, :FirstName, :LastName, :rights, :email, :groupid, :homelayout)';
$query = 'INSERT INTO imas_users (SID,password,FirstName,LastName,rights,email,groupid,homelayout,forcepwreset) VALUES (:SID, :password, :FirstName, :LastName, :rights, :email, :groupid, :homelayout, 1)';
$stm = $DBH->prepare($query);
$stm->execute(array(':SID'=>$data[0], ':password'=>$hashpw, ':FirstName'=>$data[2], ':LastName'=>$data[3],
':rights'=>40, ':email'=>$data[4], ':groupid'=>$newusergroupid, ':homelayout'=>$homelayout));
Expand Down Expand Up @@ -218,7 +218,7 @@
echo '<form enctype="multipart/form-data" method="post" action="'.$imasroot.'/util/batchcreateinstr.php">';
echo '<p>This page lets you create instructor accounts from a CSV, and copy courses for them if desired</p>';
echo '<p>Column Format:</p><ul>';
echo '<li>1) username</li><li>2) password</li><li>3) First Name</li>';
echo '<li>1) username</li><li>2) temporary password</li><li>3) First Name</li>';
echo '<li>4) Last Name</li><li>5) email</li>';
echo '<li>Columns 6,7,etc. can be course IDs to create copies of for that instructor</li></ul>';
if ($myrights == 100 || ($myspecialrights&32)==32) {
8 changes: 6 additions & 2 deletions validate.php
Expand Up @@ -277,7 +277,6 @@
$stm->execute(array(':lastaccess'=>$now, ':id'=>$userid));
}


if (!empty($_SERVER['QUERY_STRING'])) {
$querys = '?' . Sanitize::fullQueryString($_SERVER['QUERY_STRING']) . (isset($addtoquerystring) ? '&' . Sanitize::fullQueryString($addtoquerystring) : '');
} else {
Expand Down Expand Up @@ -326,7 +325,7 @@
//$username = $_COOKIE['username'];
$query = "SELECT SID,rights,groupid,LastName,FirstName,deflib";
if (strpos(basename($_SERVER['PHP_SELF']),'upgrade.php')===false) {
$query .= ',listperpage,hasuserimg,theme,specialrights,FCMtoken';
$query .= ',listperpage,hasuserimg,theme,specialrights,FCMtoken,forcepwreset';
}
//DB $query .= " FROM imas_users WHERE id='$userid'";
//DB $result = mysql_query($query) or die("Query failed : " . mysql_error());
Expand Down Expand Up @@ -359,6 +358,11 @@
if (isset($sessiondata['userprefs']['usertheme']) && strcmp($sessiondata['userprefs']['usertheme'],'0')!=0) {
$coursetheme = $sessiondata['userprefs']['usertheme'];
}

if (!empty($line['forcepwreset']) && (empty($_GET['action']) || $_GET['action']!='forcechgpwd') && (!isset($sessiondata['ltiitemtype']) || $sessiondata['ltirole']!='learner')) {
header('Location: ' . $GLOBALS['basesiteurl'] . '/forms.php?action=forcechgpwd');
exit;
}

$basephysicaldir = rtrim(dirname(__FILE__), '/\\');
if ($myrights==100 && (isset($_GET['debug']) || isset($sessiondata['debugmode']))) {
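Review bot: The forced-reset gate in the new `if (!empty($line['forcepwreset']) && ...)` block exempts a request from the redirect whenever `$_GET['action']` equals `forcechgpwd`, without checking which script is being served; since validate.php is included by every page, any page reached with that query parameter appended skips the redirect and the reset is not actually enforced. Tie the exemption to the two scripts that implement the flow, reusing the `basename($_SERVER['PHP_SELF'])` idiom already used a few lines above: `$onpwresetpage = in_array(basename($_SERVER['PHP_SELF']), array('forms.php','actions.php'), true) && !empty($_GET['action']) && $_GET['action']=='forcechgpwd';` and then `if (!empty($line['forcepwreset']) && !$onpwresetpage && (!isset($sessiondata['ltiitemtype']) || $sessiondata['ltirole']!='learner')) {`. The LTI-learner clause means a learner arriving through LTI with `forcepwreset=1` is never prompted and the flag stays set; if that is intentional (LTI learners do not log in with this password) a one-line comment saying so would help, e.g. `// LTI learners authenticate via the tool consumer, so the local password reset does not apply`.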
