From 9d0796956b83a47a3258e1d388289f6b59f7444d Mon Sep 17 00:00:00 2001 From: Mark Wells Date: Mon, 8 Feb 2016 16:09:28 -0800 Subject: [PATCH] make password-insecure option work when adding a new svc_acct, #40236 --- FS/FS/Password_Mixin.pm | 10 ++++++++++ httemplate/edit/svc_acct.cgi | 7 ++++--- httemplate/elements/validate_password.html | 10 +++++++--- httemplate/misc/xmlhttp-validate_password.html | 25 +++++++++++++++---------- 4 files changed, 36 insertions(+), 16 deletions(-) diff --git a/FS/FS/Password_Mixin.pm b/FS/FS/Password_Mixin.pm index 3fb787c47..47290b5fa 100644 --- a/FS/FS/Password_Mixin.pm +++ b/FS/FS/Password_Mixin.pm @@ -43,6 +43,16 @@ sub is_password_allowed { my $self = shift; my $password = shift; + my $cust_main = $self->cust_main; + + # workaround for non-inserted services + if ( !$cust_main and $self->get('pkgnum') ) { + my $cust_pkg = FS::cust_pkg->by_key($self->get('pkgnum')); + $cust_main = $cust_pkg->cust_main if $cust_pkg; + } + warn "is_password_allowed: no customer could be identified" if !$cust_main; + return '' if $cust_main && $conf->config_bool('password-insecure', $cust_main->agentnum); + # basic checks using Data::Password; # options for Data::Password $DICTIONARY = 4; # minimum length of disallowed words diff --git a/httemplate/edit/svc_acct.cgi b/httemplate/edit/svc_acct.cgi index ca26c6cf0..33231adeb 100755 --- a/httemplate/edit/svc_acct.cgi +++ b/httemplate/edit/svc_acct.cgi @@ -52,9 +52,10 @@ MAXLENGTH=<% $pmax %>> <& /elements/random_pass.html, 'clear_password' &>
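Review bot: The `warn` added to is_password_allowed fires on every call where no customer can be resolved, and the validation endpoint changed later in this patch builds its service object with a `pkgnum` that may be empty, so routine validation of a new service could fill the error log. Consider dropping the warning or gating it on a debug setting, and add a comment above the early return such as `# no customer identified: fall through to the full checks (fail closed)` so the bypass condition is explicit. The early return skips every remaining check based on whichever customer `pkgnum` resolves to, so a caller that passes a client-supplied `pkgnum` should treat the result as advisory unless it also verifies the user's access to that package. The function body continues outside the hunk, and whether `FS::cust_pkg` is already loaded in this module is not visible here.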
- <& '/elements/validate_password.html', - 'fieldid' => 'clear_password', - 'svcnum' => $svcnum + <& /elements/validate_password.html, + 'fieldid' => 'clear_password', + 'svcnum' => $svcnum , + 'pkgnum' => $pkgnum, &> diff --git a/httemplate/elements/validate_password.html b/httemplate/elements/validate_password.html index a488c4f16..f067ad8fc 100644 --- a/httemplate/elements/validate_password.html +++ b/httemplate/elements/validate_password.html @@ -5,8 +5,9 @@ To validate passwords via javascript/xmlhttp:
<& '/elements/validate_password.html', - fieldid => 'password_field', - svcnum => $svcnum + fieldid => 'password_field', + svcnum => $svcnum, + pkgnum => $pkgnum, # used if the service doesn't exist yet &> The ID of the input field can be anything; the ID of the DIV in which to display results @@ -27,7 +28,10 @@ function add_password_validation (fieldid) { var resultfield = document.getElementById(fieldid); if (this.value) { resultfield.innerHTML = 'Validating password...'; - validate_password('fieldid',fieldid,'svcnum','<% $opt{'svcnum'} %>','password',this.value, + validate_password('fieldid',fieldid, + 'svcnum',<% $opt{'svcnum'} |js_string %>, + 'pkgnum',<% $opt{'pkgnum'} |js_string %>, + 'password',this.value, function (result) { result = JSON.parse(result); var resultfield = document.getElementById(result.fieldid); diff --git a/httemplate/misc/xmlhttp-validate_password.html b/httemplate/misc/xmlhttp-validate_password.html index 28dbf6460..1efb4aaa3 100644 --- a/httemplate/misc/xmlhttp-validate_password.html +++ b/httemplate/misc/xmlhttp-validate_password.html 
@@ -1,13 +1,14 @@ <%doc> -Requires cgi params 'password' (plaintext) and 'sub' ('validate_password' is only -acceptable value.) Also accepts 'svcnum' (for svc_acct, will otherwise create an -empty dummy svc_acct) and 'fieldid' (for html post-processing, passed along in -results for convenience.) - -Returns a json-encoded hashref with keys of 'valid' (set to 1 if object is valid), -'error' (error text if password is invalid) or 'syserror' (error text if password -could not be validated.) Only one of these keys will be set. Will also set -'fieldid' if it was passed. +Requires cgi params 'password' (plaintext) and 'sub' ('validate_password' is +only acceptable value.) Also accepts 'svcnum' (for svc_acct, will otherwise +create an empty dummy svc_acct), 'pkgnum' (for when the svc_acct isn't yet +inserted), and 'fieldid' (for html post-processing, passed along in results +for convenience.) + +Returns a json-encoded hashref with keys of 'valid' (set to 1 if object is +valid), 'error' (error text if password is invalid) or 'syserror' (error text +if password could not be validated.) Only one of these keys will be set. +Will also set 'fieldid' if it was passed. <% encode_json($result) %> @@ -32,9 +33,13 @@ my $validate_password = sub { $result{'syserror'} = 'Invalid svcnum' unless $svcnum =~ /^\d*$/; return \%result if $result{'syserror'}; + my $pkgnum = $arg{'pkgnum'}; + $result{'syserror'} = 'Invalid pkgnum' unless $pkgnum =~ /^\d*$/; + return \%result if $result{'syserror'}; + my $svc_acct = $svcnum ? qsearchs('svc_acct',{'svcnum' => $svcnum}) - : (new FS::svc_acct {}); + : FS::svc_acct->new({ 'pkgnum' => $pkgnum }); $result{'syserror'} = 'Could not find service' unless $svc_acct; return \%result if $result{'syserror'}; -- 2.11.0
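Review bot: The new check `$pkgnum =~ /^\d*$/` accepts a value ending in a newline, because `$` also matches before a final newline, and when the parameter is absent it pattern-matches an undefined value, which emits an uninitialized-value warning if warnings are enabled. Suggest `my $pkgnum = defined $arg{'pkgnum'} ? $arg{'pkgnum'} : '';` followed by `$result{'syserror'} = 'Invalid pkgnum' unless $pkgnum =~ /\A\d*\z/;`. The `svcnum` check just above uses the same pattern and would benefit from the same anchors. Since `pkgnum` now selects which agent's `password-insecure` setting applies, it is worth confirming that the current user may view that package before `FS::svc_acct->new` is called; no such check is visible in this hunk. The enclosing `$validate_password` sub starts and ends outside the hunk.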