X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Flib%2FRT%2FUser_Overlay.pm;h=2115c3299b26a246c652b61e4eb16f478ac5ee94;hb=b102662c11390d9220ef7a935ce847f18ba221fb;hp=ddbe543639c599ae6ef2199d22fede9eb4ca57cd;hpb=5c96d46d56f2066bb40d9a34c4db56f53f43c6f2;p=freeside.git diff --git a/rt/lib/RT/User_Overlay.pm b/rt/lib/RT/User_Overlay.pm index ddbe54363..2115c3299 100644 --- a/rt/lib/RT/User_Overlay.pm +++ b/rt/lib/RT/User_Overlay.pm @@ -916,6 +916,42 @@ sub _GenerateRandomNextChar { return ($i); } +sub SafeSetPassword { + my $self = shift; + my %args = ( + Current => undef, + New => undef, + Confirmation => undef, + @_, + ); + return (1) unless defined $args{'New'} && length $args{'New'}; + + my %cond = $self->CurrentUserRequireToSetPassword; + + unless ( $cond{'CanSet'} ) { + return (0, $self->loc('You can not set password.') .' '. $cond{'Reason'} ); + } + + my $error = ''; + if ( $cond{'RequireCurrent'} && !$self->CurrentUser->IsPassword($args{'Current'}) ) { + if ( defined $args{'Current'} && length $args{'Current'} ) { + $error = $self->loc("Please enter your current password correctly."); + } + else { + $error = $self->loc("Please enter your current password."); + } + } elsif ( $args{'New'} ne $args{'Confirmation'} ) { + $error = $self->loc("Passwords do not match."); + } + + if ( $error ) { + $error .= ' '. $self->loc('Password has not been set.'); + return (0, $error); + } + + return $self->SetPassword( $args{'New'} ); +} + =head3 SetPassword Takes a string. Checks the string's length and sets this user's password @@ -1034,7 +1070,7 @@ sub IsPassword { } # if it's a historical password we say ok. - if ($self->__Value('Password') eq crypt($value, $self->__Value('Password')) + if ($self->__Value('Password') eq crypt(encode_utf8($value), $self->__Value('Password')) or $self->_GeneratePasswordBase64($value) eq $self->__Value('Password')) { # ...but upgrade the legacy password inplace. @@ -1047,6 +1083,35 @@ sub IsPassword { return (undef); } +sub CurrentUserRequireToSetPassword { + my $self = shift; + + my %res = ( + CanSet => 1, + Reason => '', + RequireCurrent => 1, + ); + + if ( RT->Config->Get('WebExternalAuth') + && !RT->Config->Get('WebFallbackToInternalAuth') + ) { + $res{'CanSet'} = 0; + $res{'Reason'} = $self->loc("External authentication enabled."); + } + elsif ( !$self->CurrentUser->HasPassword ) { + if ( $self->CurrentUser->id == ($self->id||0) ) { + # don't require current password if user has no + $res{'RequireCurrent'} = 0; + } + else { + $res{'CanSet'} = 0; + $res{'Reason'} = $self->loc("Your password is not set."); + } + } + + return %res; +} + =head3 AuthToken Returns an authentication string associated with the user. This @@ -1270,7 +1335,7 @@ sub OwnGroups { # {{{ Links -#much false laziness w/Ticket_Overlay.pm +#much false laziness w/Ticket_Overlay.pm. now with RT 3.8! # A helper table for links mapping to make it easier # to build and parse links between tickets @@ -1347,7 +1412,7 @@ sub DeleteLink { #check acls my $right = 0; - $right++ if $self->CurrentUserHasRight('ModifyUser'); + $right++ if $self->CurrentUserHasRight('AdminUsers'); if ( !$right && $RT::StrictLinkACL ) { return ( 0, $self->loc("Permission Denied") ); } @@ -1426,7 +1491,7 @@ sub AddLink { } my $right = 0; - $right++ if $self->CurrentUserHasRight('ModifyUser'); + $right++ if $self->CurrentUserHasRight('AdminUsers'); if ( !$right && $RT::StrictLinkACL ) { return ( 0, $self->loc("Permission Denied") ); } @@ -1528,251 +1593,6 @@ sub _AddLink { # }}} - -# {{{ sub Rights testing - -=head1 Rights testing - - -=begin testing - -my $root = RT::User->new($RT::SystemUser); -$root->Load('root'); -ok($root->Id, "Found the root user"); -my $rootq = RT::Queue->new($root); -$rootq->Load(1); -ok($rootq->Id, "Loaded the first queue"); - -ok ($rootq->CurrentUser->HasRight(Right=> 'CreateTicket', Object => $rootq), "Root can create tickets"); - -my $new_user = RT::User->new($RT::SystemUser); -my ($id, $msg) = $new_user->Create(Name => 'ACLTest'.$$); - -ok ($id, "Created a new user for acl test $msg"); - -my $q = RT::Queue->new($new_user); -$q->Load(1); -ok($q->Id, "Loaded the first queue"); - - -ok (!$q->CurrentUser->HasRight(Right => 'CreateTicket', Object => $q), "Some random user doesn't have the right to create tickets"); -ok (my ($gval, $gmsg) = $new_user->PrincipalObj->GrantRight( Right => 'CreateTicket', Object => $q), "Granted the random user the right to create tickets"); -ok ($gval, "Grant succeeded - $gmsg"); - - -ok ($q->CurrentUser->HasRight(Right => 'CreateTicket', Object => $q), "The user can create tickets after we grant him the right"); -ok (my ($gval, $gmsg) = $new_user->PrincipalObj->RevokeRight( Right => 'CreateTicket', Object => $q), "revoked the random user the right to create tickets"); -ok ($gval, "Revocation succeeded - $gmsg"); -ok (!$q->CurrentUser->HasRight(Right => 'CreateTicket', Object => $q), "The user can't create tickets anymore"); - - - - - -# Create a ticket in the queue -my $new_tick = RT::Ticket->new($RT::SystemUser); -my ($tickid, $tickmsg) = $new_tick->Create(Subject=> 'ACL Test', Queue => 'General'); -ok($tickid, "Created ticket: $tickid"); -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); -# Create a new group -my $group = RT::Group->new($RT::SystemUser); -$group->CreateUserDefinedGroup(Name => 'ACLTest'.$$); -ok($group->Id, "Created a new group Ok"); -# Grant a group the right to modify tickets in a queue -ok(my ($gv,$gm) = $group->PrincipalObj->GrantRight( Object => $q, Right => 'ModifyTicket'),"Granted the group the right to modify tickets"); -ok($gv,"Grant succeeed - $gm"); -# Add the user to the group -ok( my ($aid, $amsg) = $group->AddMember($new_user->PrincipalId), "Added the member to the group"); -ok ($aid, "Member added to group: $amsg"); -# Make sure the user does have the right to modify tickets in the queue -ok ($new_user->HasRight( Object => $new_tick, Right => 'ModifyTicket'), "User can modify the ticket with group membership"); - - -# Remove the user from the group -ok( my ($did, $dmsg) = $group->DeleteMember($new_user->PrincipalId), "Deleted the member from the group"); -ok ($did,"Deleted the group member: $dmsg"); -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); - - -my $q_as_system = RT::Queue->new($RT::SystemUser); -$q_as_system->Load(1); -ok($q_as_system->Id, "Loaded the first queue"); - -# Create a ticket in the queue -my $new_tick2 = RT::Ticket->new($RT::SystemUser); -my ($tick2id, $tickmsg) = $new_tick2->Create(Subject=> 'ACL Test 2', Queue =>$q_as_system->Id); -ok($tick2id, "Created ticket: $tick2id"); -is($new_tick2->QueueObj->id, $q_as_system->Id, "Created a new ticket in queue 1"); - - -# make sure that the user can't do this without subgroup membership -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); - -# Create a subgroup -my $subgroup = RT::Group->new($RT::SystemUser); -$subgroup->CreateUserDefinedGroup(Name => 'Subgrouptest',$$); -ok($subgroup->Id, "Created a new group ".$subgroup->Id."Ok"); -#Add the subgroup as a subgroup of the group -my ($said, $samsg) = $group->AddMember($subgroup->PrincipalId); -ok ($said, "Added the subgroup as a member of the group"); -# Add the user to a subgroup of the group - -my ($usaid, $usamsg) = $subgroup->AddMember($new_user->PrincipalId); -ok($usaid,"Added the user ".$new_user->Id."to the subgroup"); -# Make sure the user does have the right to modify tickets in the queue -ok ($new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can modify the ticket with subgroup membership"); - -# {{{ Deal with making sure that members of subgroups of a disabled group don't have rights - -my ($id, $msg); -($id, $msg) = $group->SetDisabled(1); -ok ($id,$msg); -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket when the group ".$group->Id. " is disabled"); - ($id, $msg) = $group->SetDisabled(0); -ok($id,$msg); -# Test what happens when we disable the group the user is a member of directly - -($id, $msg) = $subgroup->SetDisabled(1); - ok ($id,$msg); -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket when the group ".$subgroup->Id. " is disabled"); - ($id, $msg) = $subgroup->SetDisabled(0); - ok ($id,$msg); -ok ($new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can modify the ticket without group membership"); - -# }}} - - -my ($usrid, $usrmsg) = $subgroup->DeleteMember($new_user->PrincipalId); -ok($usrid,"removed the user from the group - $usrmsg"); -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); - -#revoke the right to modify tickets in a queue -ok(($gv,$gm) = $group->PrincipalObj->RevokeRight( Object => $q, Right => 'ModifyTicket'),"Granted the group the right to modify tickets"); -ok($gv,"revoke succeeed - $gm"); - -# {{{ Test the user's right to modify a ticket as a _queue_ admincc for a right granted at the _queue_ level - -# Grant queue admin cc the right to modify ticket in the queue -ok(my ($qv,$qm) = $q_as_system->AdminCc->PrincipalObj->GrantRight( Object => $q_as_system, Right => 'ModifyTicket'),"Granted the queue adminccs the right to modify tickets"); -ok($qv, "Granted the right successfully - $qm"); - -# Add the user as a queue admincc -ok ((my $add_id, $add_msg) = $q_as_system->AddWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Added the new user as a queue admincc"); -ok ($add_id, "the user is now a queue admincc - $add_msg"); - -# Make sure the user does have the right to modify tickets in the queue -ok ($new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can modify the ticket as an admincc"); -# Remove the user from the role group -ok ((my $del_id, $del_msg) = $q_as_system->DeleteWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Deleted the new user as a queue admincc"); - -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); - -# }}} - -# {{{ Test the user's right to modify a ticket as a _ticket_ admincc with the right granted at the _queue_ level - -# Add the user as a ticket admincc -ok ((my $uadd_id, $uadd_msg) = $new_tick2->AddWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Added the new user as a queue admincc"); -ok ($add_id, "the user is now a queue admincc - $add_msg"); - -# Make sure the user does have the right to modify tickets in the queue -ok ($new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can modify the ticket as an admincc"); - -# Remove the user from the role group -ok ((my $del_id, $del_msg) = $new_tick2->DeleteWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Deleted the new user as a queue admincc"); - -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); - - -# Revoke the right to modify ticket in the queue -ok(my ($rqv,$rqm) = $q_as_system->AdminCc->PrincipalObj->RevokeRight( Object => $q_as_system, Right => 'ModifyTicket'),"Revokeed the queue adminccs the right to modify tickets"); -ok($rqv, "Revoked the right successfully - $rqm"); - -# }}} - - - -# {{{ Test the user's right to modify a ticket as a _queue_ admincc for a right granted at the _system_ level - -# Before we start Make sure the user does not have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can not modify the ticket without it being granted"); -ok (!$new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can not modify tickets in the queue without it being granted"); - -# Grant queue admin cc the right to modify ticket in the queue -ok(my ($qv,$qm) = $q_as_system->AdminCc->PrincipalObj->GrantRight( Object => $RT::System, Right => 'ModifyTicket'),"Granted the queue adminccs the right to modify tickets"); -ok($qv, "Granted the right successfully - $qm"); - -# Make sure the user can't modify the ticket before they're added as a watcher -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can not modify the ticket without being an admincc"); -ok (!$new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can not modify tickets in the queue without being an admincc"); - -# Add the user as a queue admincc -ok ((my $add_id, $add_msg) = $q_as_system->AddWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Added the new user as a queue admincc"); -ok ($add_id, "the user is now a queue admincc - $add_msg"); - -# Make sure the user does have the right to modify tickets in the queue -ok ($new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can modify the ticket as an admincc"); -ok ($new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can modify tickets in the queue as an admincc"); -# Remove the user from the role group -ok ((my $del_id, $del_msg) = $q_as_system->DeleteWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Deleted the new user as a queue admincc"); - -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket without group membership"); -ok (!$new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can't modify tickets in the queue without group membership"); - -# }}} - -# {{{ Test the user's right to modify a ticket as a _ticket_ admincc with the right granted at the _queue_ level - -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can not modify the ticket without being an admincc"); -ok (!$new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can not modify tickets in the queue obj without being an admincc"); - - -# Add the user as a ticket admincc -ok ((my $uadd_id, $uadd_msg) = $new_tick2->AddWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Added the new user as a queue admincc"); -ok ($add_id, "the user is now a queue admincc - $add_msg"); - -# Make sure the user does have the right to modify tickets in the queue -ok ($new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can modify the ticket as an admincc"); -ok (!$new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can not modify tickets in the queue obj being only a ticket admincc"); - -# Remove the user from the role group -ok ((my $del_id, $del_msg) = $new_tick2->DeleteWatcher(Type => 'AdminCc', PrincipalId => $new_user->PrincipalId) , "Deleted the new user as a queue admincc"); - -# Make sure the user doesn't have the right to modify tickets in the queue -ok (!$new_user->HasRight( Object => $new_tick2, Right => 'ModifyTicket'), "User can't modify the ticket without being an admincc"); -ok (!$new_user->HasRight( Object => $new_tick2->QueueObj, Right => 'ModifyTicket'), "User can not modify tickets in the queue obj without being an admincc"); - - -# Revoke the right to modify ticket in the queue -ok(my ($rqv,$rqm) = $q_as_system->AdminCc->PrincipalObj->RevokeRight( Object => $RT::System, Right => 'ModifyTicket'),"Revokeed the queue adminccs the right to modify tickets"); -ok($rqv, "Revoked the right successfully - $rqm"); - -# }}} - - - - -# Grant "privileged users" the system right to create users -# Create a privileged user. -# have that user create another user -# Revoke the right for privileged users to create users -# have the privileged user try to create another user and fail the ACL check - -=end testing - -=cut - -# }}} - - -# {{{ sub HasRight - =head2 HasRight Shim around PrincipalObj->HasRight. See L.