- Change the password expiry mechanism to always check

{$type}_password_expiry_days. This allows the $config variable to be updated and everyones password will expire based on the new value. To implement this, the password expiry column in the users table has been changed to passwordset, and a PHP script is used to convert the expiry dates to set dates (based on the _password_expiry_days) - Cleanup the password entry checking - Load all config variables for the db_update.php script. Just in case an update script wants access to $config
2007-12-21 08:38:13 +00:00 · 2007-12-21 08:38:13 +00:00 · 7f7c3c53e1
commit 7f7c3c53e1
parent a420a18143
7 changed files with 102 additions and 31 deletions
--- a/db/db.code.version.txt
+++ b/db/db.code.version.txt
@ -1 +1 @@
-86
+87
--- a/db/db.update.87.php
+++ b/db/db.update.87.php
@ -0,0 +1,47 @@
+<?
+function db_update_87_post()
+{
+	global $config;
+
+	$q = mysql_query("SELECT id,types,passwordset FROM users");
+	while($i = mysql_fetch_object($q)) {
+		$id = $i->id;
+		$types = explode(',', $i->types);
+		$expiry = $i->passwordset;
+
+		if($expiry == NULL) {
+			$newval = 'created';
+		} else if($expiry == '0000-00-00') {
+			$newval = false;
+		} else {
+			/* Find the expiry based on the type */
+			$longest_expiry = 0;
+			foreach($types as $t) {
+				$e = $config["{$t}_password_expiry_days"];
+				if($e == 0) {
+					/* Catch a never expire case. */
+					$longest_expiry = 0;
+					break;
+				} else if($e > $longest_expiry) {
+					$longest_expiry = $e;
+				}
+			}
+			if($longest_expiry == 0) {
+				/* Password never expires, set the password
+				 * set time to the creation time */
+				$newval = 'created';
+			} else {
+				/* Compute when the password was set */
+				$newval = date('Y-m-d',
+					strtotime("$expiry -$longest_expiry days"));
+				$newval = "'$newval'";
+			}
+		}
+		if($newval != false) {
+			$query = "UPDATE users SET passwordset=$newval WHERE id='$id'";
+			echo "$query\n";
+			mysql_query($query);
+		}
+	}
+}
+?>
--- a/db/db.update.87.sql
+++ b/db/db.update.87.sql
@ -0,0 +1,2 @@
+ALTER TABLE `users` CHANGE `passwordexpiry` `passwordset` DATE NULL DEFAULT NULL ;
+
--- a/db/db_update.php
+++ b/db/db_update.php
@ -34,7 +34,12 @@ if(!$dbdbversion)
 /* Get the fair year */
 $q=mysql_query("SELECT val FROM config WHERE var='FAIRYEAR' AND year='0'");
 $r=mysql_fetch_object($q);
-$fairyear=$r->val;
+$config = array('FAIRYEAR' => $r->val);
+
+/* Load config just in case there's a PHP script that wants it */
+$q=mysql_query("SELECT * FROM config WHERE year='{$config['FAIRYEAR']}'");
+while($r=mysql_fetch_object($q)) $config[$r->var]=$r->val;
+

 require_once("../config_editor.inc.php"); // For config_update_variables()

@ -90,13 +95,12 @@ if($dbcodeversion && $dbdbversion)
 		}
 		if($db_update_skip_variables != true) {
 			echo "\nUpdating Configuration Variables...\n";
-			config_update_variables($fairyear);
+			config_update_variables($config['FAIRYEAR']);
 		}

 		echo "\nAll done - updating new DB version to $dbcodeversion\n";
 		mysql_query("UPDATE config SET val='$dbcodeversion' WHERE var='DBVERSION' AND year='0'");

-
 	}

 }
--- a/user.inc.php
+++ b/user.inc.php
@ -336,7 +336,7 @@ function user_add_role_allowed($type, $u)
 function user_create($type, $u = NULL)
 {
 	if(!is_array($u)) {
-		mysql_query("INSERT INTO users (`types`,`passwordexpiry`,`created`) 
+		mysql_query("INSERT INTO users (`types`,`passwordset`,`created`) 
 				VALUES ('$type', '0000-00-00', NOW())");
 		$uid = mysql_insert_id();
 	} else {
--- a/user_login.php
+++ b/user_login.php
@ -143,17 +143,40 @@
 			$_SESSION['users_id']=$u['id'];
 			$_SESSION['users_type']=$type;

-			/* Check for an expired password */
-			if($u['passwordexpiry'] == NULL) {
-				unset($_SESSION['password_expired']);
-			} else {
-				$now = date('Y-m-d H:i:s');
-				if($now > $u['passwordexpiry']) {
-					$_SESSION['password_expired'] = true;
-					/* The main page (or any other user page) will catch this now and
-					 * require them to set a password */
+			/* Load the password expiry for each user type, and
+			 * find the longest expiry, which is the one we'll use
+			 * for this user to determine if the passwd has
+			 * expired. */
+			$longest_expiry = 0;
+			foreach($u['types'] as $t) {
+				$e = $config["{$t}_password_expiry_days"];
+				if($e == 0) {
+					/* Catch a never expire case. */
+					$longest_expiry = 0;
+					break;
+				} else if($e > $longest_expiry) {
+					$longest_expiry = $e;
 				}
 			}
+			if($u['passwordset'] == '0000-00-00') {
+				/* Force the password to expire */
+				$_SESSION['password_expired'] = true;
+			} else if($longest_expiry == 0) {
+				/* Never expires */
+				unset($_SESSION['password_expired']);
+			} else {
+				/* Check expiry */
+				$expires = date('Y-m-d', strtotime("{$u['passwordset']} +$longest_expiry days"));
+				$now = date('Y-m-d');
+				if($now > $expires) {
+					$_SESSION['password_expired'] = true;
+				} else {
+					unset($_SESSION['password_expired']);
+				}
+			}
+			/* If password_expired == true, the main page (or any
+			 * other user page) will catch this and require
+			 * them to set a password */

 			/* Call login functions for each type, so multirole
 			 * users can easily switch */
@ -272,16 +295,14 @@
 				exit;
 			}

-			$password = '';
-			$pchars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-			for($x=0;$x<12;$x++) $password .= $pchars{rand(0,61)};
+			$password = generatePassword(12);

 			/* Save their old password so it can be recovered if someone is just trying
 			 * to reset someones password */
 			mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}");

 			/* Set the new password, and force it to expire  */
-			mysql_query("UPDATE users SET password='$password',passwordexpiry='0000-00-00' WHERE id={$r->id}");
+			mysql_query("UPDATE users SET password='$password',passwordset='0000-00-00' WHERE id={$r->id}");

 			/* volunteer_recover_password, judge_recover_password, student_recover_password,
 				committee_recover_password */
--- a/user_password.php
+++ b/user_password.php
@ -55,25 +55,22 @@

 if($_POST['action']=="save")
 {
+	$pass = mysql_escape_string($_POST['pass1']);
 	//first, lets see if they choosed the same password again (bad bad bad)
-	$q=mysql_query("SELECT password FROM users WHERE id='".$_SESSION['users_id']."' AND password='".$_POST['pass1']."'");
+	$q=mysql_query("SELECT password FROM users WHERE 
+				id='{$_SESSION['users_id']}' 
+				AND password='$pass'");

 	if(mysql_num_rows($q)) $notice = 'same';
 	else if(!$_POST['pass1']) $notice = 'passwordrequired';
 	else if($_POST['pass1'] != $_POST['pass2']) $notice = 'nomatch';
 	else if(user_valid_password($_POST['pass1']) == false) $notice = 'invalidchars';
-	else
-	{
-		if($password_expiry_days > 0)
-			$ex="passwordexpiry=DATE_ADD(CURDATE(),INTERVAL $password_expiry_days DAY)";
-		else
-			$ex="passwordexpiry=NULL";
-
-		mysql_query("UPDATE users SET password='".$_POST['pass1']."', $ex WHERE id='".$_SESSION['users_id']."' AND email='".$_SESSION['email']."'");
-		if($_SESSION['password_expired'])
-		{
-			unset($_SESSION['password_expired']);
-		}
+	else {
+		mysql_query("UPDATE users SET 
+					password='$pass', 
+					passwordset=NOW()
+				WHERE id='{$_SESSION['users_id']}'");
+		unset($_SESSION['password_expired']);

 		header("location: $back_link?notice=password_changed");
 		exit;
				`@ -0,0 +1,2 @@`
				ALTER TABLE `users` CHANGE `passwordexpiry` `passwordset` DATE NULL DEFAULT NULL ;