forked from science-ation/science-ation
- Change the password expiry mechanism to always check
{$type}_password_expiry_days. This allows the $config variable to be updated and everyones password will expire based on the new value. To implement this, the password expiry column in the users table has been changed to passwordset, and a PHP script is used to convert the expiry dates to set dates (based on the _password_expiry_days) - Cleanup the password entry checking - Load all config variables for the db_update.php script. Just in case an update script wants access to $config
This commit is contained in:
parent
a420a18143
commit
7f7c3c53e1
@ -1 +1 @@
|
|||||||
86
|
87
|
||||||
|
47
db/db.update.87.php
Normal file
47
db/db.update.87.php
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
<?
|
||||||
|
function db_update_87_post()
|
||||||
|
{
|
||||||
|
global $config;
|
||||||
|
|
||||||
|
$q = mysql_query("SELECT id,types,passwordset FROM users");
|
||||||
|
while($i = mysql_fetch_object($q)) {
|
||||||
|
$id = $i->id;
|
||||||
|
$types = explode(',', $i->types);
|
||||||
|
$expiry = $i->passwordset;
|
||||||
|
|
||||||
|
if($expiry == NULL) {
|
||||||
|
$newval = 'created';
|
||||||
|
} else if($expiry == '0000-00-00') {
|
||||||
|
$newval = false;
|
||||||
|
} else {
|
||||||
|
/* Find the expiry based on the type */
|
||||||
|
$longest_expiry = 0;
|
||||||
|
foreach($types as $t) {
|
||||||
|
$e = $config["{$t}_password_expiry_days"];
|
||||||
|
if($e == 0) {
|
||||||
|
/* Catch a never expire case. */
|
||||||
|
$longest_expiry = 0;
|
||||||
|
break;
|
||||||
|
} else if($e > $longest_expiry) {
|
||||||
|
$longest_expiry = $e;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if($longest_expiry == 0) {
|
||||||
|
/* Password never expires, set the password
|
||||||
|
* set time to the creation time */
|
||||||
|
$newval = 'created';
|
||||||
|
} else {
|
||||||
|
/* Compute when the password was set */
|
||||||
|
$newval = date('Y-m-d',
|
||||||
|
strtotime("$expiry -$longest_expiry days"));
|
||||||
|
$newval = "'$newval'";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if($newval != false) {
|
||||||
|
$query = "UPDATE users SET passwordset=$newval WHERE id='$id'";
|
||||||
|
echo "$query\n";
|
||||||
|
mysql_query($query);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
?>
|
2
db/db.update.87.sql
Normal file
2
db/db.update.87.sql
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
ALTER TABLE `users` CHANGE `passwordexpiry` `passwordset` DATE NULL DEFAULT NULL ;
|
||||||
|
|
@ -34,7 +34,12 @@ if(!$dbdbversion)
|
|||||||
/* Get the fair year */
|
/* Get the fair year */
|
||||||
$q=mysql_query("SELECT val FROM config WHERE var='FAIRYEAR' AND year='0'");
|
$q=mysql_query("SELECT val FROM config WHERE var='FAIRYEAR' AND year='0'");
|
||||||
$r=mysql_fetch_object($q);
|
$r=mysql_fetch_object($q);
|
||||||
$fairyear=$r->val;
|
$config = array('FAIRYEAR' => $r->val);
|
||||||
|
|
||||||
|
/* Load config just in case there's a PHP script that wants it */
|
||||||
|
$q=mysql_query("SELECT * FROM config WHERE year='{$config['FAIRYEAR']}'");
|
||||||
|
while($r=mysql_fetch_object($q)) $config[$r->var]=$r->val;
|
||||||
|
|
||||||
|
|
||||||
require_once("../config_editor.inc.php"); // For config_update_variables()
|
require_once("../config_editor.inc.php"); // For config_update_variables()
|
||||||
|
|
||||||
@ -90,13 +95,12 @@ if($dbcodeversion && $dbdbversion)
|
|||||||
}
|
}
|
||||||
if($db_update_skip_variables != true) {
|
if($db_update_skip_variables != true) {
|
||||||
echo "\nUpdating Configuration Variables...\n";
|
echo "\nUpdating Configuration Variables...\n";
|
||||||
config_update_variables($fairyear);
|
config_update_variables($config['FAIRYEAR']);
|
||||||
}
|
}
|
||||||
|
|
||||||
echo "\nAll done - updating new DB version to $dbcodeversion\n";
|
echo "\nAll done - updating new DB version to $dbcodeversion\n";
|
||||||
mysql_query("UPDATE config SET val='$dbcodeversion' WHERE var='DBVERSION' AND year='0'");
|
mysql_query("UPDATE config SET val='$dbcodeversion' WHERE var='DBVERSION' AND year='0'");
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -336,7 +336,7 @@ function user_add_role_allowed($type, $u)
|
|||||||
function user_create($type, $u = NULL)
|
function user_create($type, $u = NULL)
|
||||||
{
|
{
|
||||||
if(!is_array($u)) {
|
if(!is_array($u)) {
|
||||||
mysql_query("INSERT INTO users (`types`,`passwordexpiry`,`created`)
|
mysql_query("INSERT INTO users (`types`,`passwordset`,`created`)
|
||||||
VALUES ('$type', '0000-00-00', NOW())");
|
VALUES ('$type', '0000-00-00', NOW())");
|
||||||
$uid = mysql_insert_id();
|
$uid = mysql_insert_id();
|
||||||
} else {
|
} else {
|
||||||
|
@ -143,17 +143,40 @@
|
|||||||
$_SESSION['users_id']=$u['id'];
|
$_SESSION['users_id']=$u['id'];
|
||||||
$_SESSION['users_type']=$type;
|
$_SESSION['users_type']=$type;
|
||||||
|
|
||||||
/* Check for an expired password */
|
/* Load the password expiry for each user type, and
|
||||||
if($u['passwordexpiry'] == NULL) {
|
* find the longest expiry, which is the one we'll use
|
||||||
|
* for this user to determine if the passwd has
|
||||||
|
* expired. */
|
||||||
|
$longest_expiry = 0;
|
||||||
|
foreach($u['types'] as $t) {
|
||||||
|
$e = $config["{$t}_password_expiry_days"];
|
||||||
|
if($e == 0) {
|
||||||
|
/* Catch a never expire case. */
|
||||||
|
$longest_expiry = 0;
|
||||||
|
break;
|
||||||
|
} else if($e > $longest_expiry) {
|
||||||
|
$longest_expiry = $e;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if($u['passwordset'] == '0000-00-00') {
|
||||||
|
/* Force the password to expire */
|
||||||
|
$_SESSION['password_expired'] = true;
|
||||||
|
} else if($longest_expiry == 0) {
|
||||||
|
/* Never expires */
|
||||||
unset($_SESSION['password_expired']);
|
unset($_SESSION['password_expired']);
|
||||||
} else {
|
} else {
|
||||||
$now = date('Y-m-d H:i:s');
|
/* Check expiry */
|
||||||
if($now > $u['passwordexpiry']) {
|
$expires = date('Y-m-d', strtotime("{$u['passwordset']} +$longest_expiry days"));
|
||||||
|
$now = date('Y-m-d');
|
||||||
|
if($now > $expires) {
|
||||||
$_SESSION['password_expired'] = true;
|
$_SESSION['password_expired'] = true;
|
||||||
/* The main page (or any other user page) will catch this now and
|
} else {
|
||||||
* require them to set a password */
|
unset($_SESSION['password_expired']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
/* If password_expired == true, the main page (or any
|
||||||
|
* other user page) will catch this and require
|
||||||
|
* them to set a password */
|
||||||
|
|
||||||
/* Call login functions for each type, so multirole
|
/* Call login functions for each type, so multirole
|
||||||
* users can easily switch */
|
* users can easily switch */
|
||||||
@ -272,16 +295,14 @@
|
|||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
$password = '';
|
$password = generatePassword(12);
|
||||||
$pchars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
|
||||||
for($x=0;$x<12;$x++) $password .= $pchars{rand(0,61)};
|
|
||||||
|
|
||||||
/* Save their old password so it can be recovered if someone is just trying
|
/* Save their old password so it can be recovered if someone is just trying
|
||||||
* to reset someones password */
|
* to reset someones password */
|
||||||
mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}");
|
mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}");
|
||||||
|
|
||||||
/* Set the new password, and force it to expire */
|
/* Set the new password, and force it to expire */
|
||||||
mysql_query("UPDATE users SET password='$password',passwordexpiry='0000-00-00' WHERE id={$r->id}");
|
mysql_query("UPDATE users SET password='$password',passwordset='0000-00-00' WHERE id={$r->id}");
|
||||||
|
|
||||||
/* volunteer_recover_password, judge_recover_password, student_recover_password,
|
/* volunteer_recover_password, judge_recover_password, student_recover_password,
|
||||||
committee_recover_password */
|
committee_recover_password */
|
||||||
|
@ -55,25 +55,22 @@
|
|||||||
|
|
||||||
if($_POST['action']=="save")
|
if($_POST['action']=="save")
|
||||||
{
|
{
|
||||||
|
$pass = mysql_escape_string($_POST['pass1']);
|
||||||
//first, lets see if they choosed the same password again (bad bad bad)
|
//first, lets see if they choosed the same password again (bad bad bad)
|
||||||
$q=mysql_query("SELECT password FROM users WHERE id='".$_SESSION['users_id']."' AND password='".$_POST['pass1']."'");
|
$q=mysql_query("SELECT password FROM users WHERE
|
||||||
|
id='{$_SESSION['users_id']}'
|
||||||
|
AND password='$pass'");
|
||||||
|
|
||||||
if(mysql_num_rows($q)) $notice = 'same';
|
if(mysql_num_rows($q)) $notice = 'same';
|
||||||
else if(!$_POST['pass1']) $notice = 'passwordrequired';
|
else if(!$_POST['pass1']) $notice = 'passwordrequired';
|
||||||
else if($_POST['pass1'] != $_POST['pass2']) $notice = 'nomatch';
|
else if($_POST['pass1'] != $_POST['pass2']) $notice = 'nomatch';
|
||||||
else if(user_valid_password($_POST['pass1']) == false) $notice = 'invalidchars';
|
else if(user_valid_password($_POST['pass1']) == false) $notice = 'invalidchars';
|
||||||
else
|
else {
|
||||||
{
|
mysql_query("UPDATE users SET
|
||||||
if($password_expiry_days > 0)
|
password='$pass',
|
||||||
$ex="passwordexpiry=DATE_ADD(CURDATE(),INTERVAL $password_expiry_days DAY)";
|
passwordset=NOW()
|
||||||
else
|
WHERE id='{$_SESSION['users_id']}'");
|
||||||
$ex="passwordexpiry=NULL";
|
|
||||||
|
|
||||||
mysql_query("UPDATE users SET password='".$_POST['pass1']."', $ex WHERE id='".$_SESSION['users_id']."' AND email='".$_SESSION['email']."'");
|
|
||||||
if($_SESSION['password_expired'])
|
|
||||||
{
|
|
||||||
unset($_SESSION['password_expired']);
|
unset($_SESSION['password_expired']);
|
||||||
}
|
|
||||||
|
|
||||||
header("location: $back_link?notice=password_changed");
|
header("location: $back_link?notice=password_changed");
|
||||||
exit;
|
exit;
|
||||||
|
Loading…
Reference in New Issue
Block a user