- Added support in MySQL auth to prohibit users from modifying their password.

git-svn-id: http://www.observium.org/svn/observer/trunk@2252 61d68cd4-352d-0410-923a-c4978735b2b8
2024-10-07 16:52:45 +00:00 · 2011-05-05 14:54:12 +00:00
parent 209313da20
commit 9202ff9bee
4 changed files with 27 additions and 10 deletions
--- a/database-update.sql
+++ b/database-update.sql
@@ -0,0 +1 @@
+ALTER TABLE users ADD can_modify_passwd TINYINT NOT NULL DEFAULT 1;
--- a/html/includes/authentication/mysql.inc.php
+++ b/html/includes/authentication/mysql.inc.php
@@ -27,9 +27,20 @@ function authenticate($username,$password)
  return 0;
 }

-function passwordscanchange()
+function passwordscanchange($username="")
 {
+  
+  
+  /*
+   * By default allow the password to be modified, unless the existing
+   * user is explicitly prohibited to do so.
+   */
+  
+  if (empty($username) || !user_exists($username)) {
    return 1;
+  } else {
+    return @mysql_result(mysql_query("SELECT can_modify_passwd FROM users WHERE username = '".mres($username)."'"),0);
+  }
 }

 /**
@@ -65,12 +76,12 @@ function auth_usermanagement()
  return 1;
 }

-function adduser($username, $password, $level, $email = "", $realname = "")
+function adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd='1')
 {
  if (!user_exists($username))
  {
    $encrypted = crypt($password,'$1$' . generateSalt(8).'$');
-    mysql_query("INSERT INTO `users` (`username`,`password`,`level`, `email`, `realname`) VALUES ('".mres($username)."','".mres($encrypted)."','".mres($level)."','".mres($email)."','".mres($realname)."')");
+    mysql_query("INSERT INTO `users` (`username`,`password`,`level`, `email`, `realname`, `can_modify_passwd`) VALUES ('".mres($username)."','".mres($encrypted)."','".mres($level)."','".mres($email)."','".mres($realname)."','".mres($can_modify_passwd)."')");
  }

  return mysql_affected_rows();
--- a/html/pages/adduser.inc.php
+++ b/html/pages/adduser.inc.php
@@ -18,8 +18,15 @@ else
      {
        if (!user_exists($_POST['new_username']))
        {
+          
+          if (isset($_POST['can_modify_passwd'])) {
+            $_POST['can_modify_passwd'] = 1;
+          } else {
+            $_POST['can_modify_passwd'] = 0;
+          }
+          
          # FIXME: missing email field here on the form
-          if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], '', $_POST['realname']))
+          if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], '', $_POST['realname'], $_POST['can_modify_passwd']))
          {
            echo("<span class=info>User " . $_POST['username'] . " added!</span>");
          }
@@ -45,14 +52,12 @@ else
      echo("<span class=red>Please enter a password!</span><br />");
    }
    echo("Realname <input style='margin: 1px;' name='new_realname'></input><br />");
-  ?>
-  <?php
    echo("Level <select style='margin: 5px;' name='new_level'>
          <option value='1'>Normal User</option>
          <option value='5'>Global Read</option>
          <option value='10'>Administrator</option>
-        </select><br /><br />");
-
+        </select><br />");
+    echo("<input type='checkbox' checked='checked' style='margin: 1px;' name='can_modify_passwd'></input> Allow the user to change his password.<br /><br />");
    echo(" <input type='submit' Value='Add' >");
    echo("</form>");
  }
--- a/html/pages/preferences.inc.php
+++ b/html/pages/preferences.inc.php
@@ -32,7 +32,7 @@ echo("</div>");
 echo("<div style='width: 300px; float: right;'>");
 echo("<div style='background-color: #e5e5e5; border: solid #e5e5e5 10px; margin-bottom:10px;'>");

-if (passwordscanchange())
+if (passwordscanchange($_SESSION['username']))
 {
  echo("<div style='font-size: 18px; font-weight: bold; margin-bottom: 5px;'>Change Password</div>");
  echo($changepass_message);
				`@@ -0,0 +1 @@`
				`ALTER TABLE users ADD can_modify_passwd TINYINT NOT NULL DEFAULT 1;`