Kaynağa Gözat
Implements handling for deactivated users
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>tags/v14.0.0beta1
Michael Weimann
5 yıl önce
2 değiştirilmiş dosya ile 93 ekleme ve 28 silme
+ 84
- 25
core/Controller/LoginController.php
Dosyayı Görüntüle
| @@ -58,6 +58,10 @@ use OC\Hooks\PublicEmitter; | |||
| use OCP\Util; | |||
| class LoginController extends Controller { | |||
| const LOGIN_MSG_INVALIDPASSWORD = 'invalidpassword'; | |||
| const LOGIN_MSG_USERDISABLED = 'userdisabled'; | |||
| /** @var IUserManager */ | |||
| private $userManager; | |||
| /** @var IConfig */ | |||
| @@ -171,19 +175,7 @@ class LoginController extends Controller { | |||
| $parameters['redirect_url'] = $redirect_url; | |||
| } | |||
| $parameters['canResetPassword'] = true; | |||
| $parameters['resetPasswordLink'] = $this->config->getSystemValue('lost_password_link', ''); | |||
| if (!$parameters['resetPasswordLink']) { | |||
| if ($user !== null && $user !== '') { | |||
| $userObj = $this->userManager->get($user); | |||
| if ($userObj instanceof IUser) { | |||
| $parameters['canResetPassword'] = $userObj->canChangePassword(); | |||
| } | |||
| } | |||
| } elseif ($parameters['resetPasswordLink'] === 'disabled') { | |||
| $parameters['canResetPassword'] = false; | |||
| } | |||
| $parameters = $this->setPasswordResetParameters($user, $parameters); | |||
| $parameters['alt_login'] = OC_App::getAlternativeLogIns(); | |||
| if ($user !== null && $user !== '') { | |||
| @@ -209,6 +201,40 @@ class LoginController extends Controller { | |||
| ); | |||
| } | |||
| /** | |||
| * Sets the password reset params. | |||
| * | |||
| * Users may not change their passwords if: | |||
| * - The account is disabled | |||
| * - The backend doesn't support password resets | |||
| * - The password reset function is disabled | |||
| * | |||
| * @param string $user | |||
| * @param array $parameters | |||
| * @return array | |||
| */ | |||
| private function setPasswordResetParameters( | |||
| string $user = null, array $parameters): array { | |||
| if ($user !== null && $user !== '') { | |||
| $userObj = $this->userManager->get($user); | |||
| } else { | |||
| $userObj = null; | |||
| } | |||
| $parameters['resetPasswordLink'] = $this->config | |||
| ->getSystemValue('lost_password_link', ''); | |||
| if (!$parameters['resetPasswordLink'] && $userObj !== null) { | |||
| $parameters['canResetPassword'] = $userObj->canChangePassword(); | |||
| } else if ($userObj !== null && $userObj->isEnabled() === false) { | |||
| $parameters['canResetPassword'] = false; | |||
| } else { | |||
| $parameters['canResetPassword'] = true; | |||
| } | |||
| return $parameters; | |||
| } | |||
| /** | |||
| * @param string $redirectUrl | |||
| * @return RedirectResponse | |||
| @@ -256,6 +282,17 @@ class LoginController extends Controller { | |||
| } | |||
| $originalUser = $user; | |||
| $userObj = $this->userManager->get($user); | |||
| if ($userObj !== null && $userObj->isEnabled() === false) { | |||
| $this->logger->warning('Login failed: \''. $user . '\' disabled' . | |||
| ' (Remote IP: \''. $this->request->getRemoteAddress(). '\')', | |||
| ['app' => 'core']); | |||
| return $this->createLoginFailedResponse($user, $originalUser, | |||
| $redirect_url, self::LOGIN_MSG_USERDISABLED); | |||
| } | |||
| // TODO: Add all the insane error handling | |||
| /* @var $loginResult IUser */ | |||
| $loginResult = $this->userManager->checkPasswordNoLogging($user, $password); | |||
| @@ -270,20 +307,15 @@ class LoginController extends Controller { | |||
| } | |||
| } | |||
| } | |||
| if ($loginResult === false) { | |||
| $this->logger->warning('Login failed: \''. $user .'\' (Remote IP: \''. $this->request->getRemoteAddress(). '\')', ['app' => 'core']); | |||
| // Read current user and append if possible - we need to return the unmodified user otherwise we will leak the login name | |||
| $args = !is_null($user) ? ['user' => $originalUser] : []; | |||
| if (!is_null($redirect_url)) { | |||
| $args['redirect_url'] = $redirect_url; | |||
| } | |||
| $response = new RedirectResponse($this->urlGenerator->linkToRoute('core.login.showLoginForm', $args)); | |||
| $response->throttle(['user' => $user]); | |||
| $this->session->set('loginMessages', [ | |||
| ['invalidpassword'], [] | |||
| ]); | |||
| return $response; | |||
| $this->logger->warning('Login failed: \''. $user . | |||
| '\' (Remote IP: \''. $this->request->getRemoteAddress(). '\')', | |||
| ['app' => 'core']); | |||
| return $this->createLoginFailedResponse($user, $originalUser, | |||
| $redirect_url, self::LOGIN_MSG_INVALIDPASSWORD); | |||
| } | |||
| // TODO: remove password checks from above and let the user session handle failures | |||
| // requires https://github.com/owncloud/core/pull/24616 | |||
| $this->userSession->completeLogin($loginResult, ['loginName' => $user, 'password' => $password]); | |||
| @@ -330,6 +362,33 @@ class LoginController extends Controller { | |||
| return $this->generateRedirect($redirect_url); | |||
| } | |||
| /** | |||
| * Creates a login failed response. | |||
| * | |||
| * @param string $user | |||
| * @param string $originalUser | |||
| * @param string $redirect_url | |||
| * @param string $loginMessage | |||
| * @return RedirectResponse | |||
| */ | |||
| private function createLoginFailedResponse( | |||
| $user, $originalUser, $redirect_url, string $loginMessage) { | |||
| // Read current user and append if possible we need to | |||
| // return the unmodified user otherwise we will leak the login name | |||
| $args = !is_null($user) ? ['user' => $originalUser] : []; | |||
| if (!is_null($redirect_url)) { | |||
| $args['redirect_url'] = $redirect_url; | |||
| } | |||
| $response = new RedirectResponse( | |||
| $this->urlGenerator->linkToRoute('core.login.showLoginForm', $args) | |||
| ); | |||
| $response->throttle(['user' => $user]); | |||
| $this->session->set('loginMessages', [ | |||
| [$loginMessage], [] | |||
| ]); | |||
| return $response; | |||
| } | |||
| /** | |||
| * @NoAdminRequired | |||
| * @UseSession | |||
+ 9
- 3
core/templates/login.php
Dosyayı Görüntüle
| @@ -2,6 +2,8 @@ | |||
| <?php | |||
| vendor_script('jsTimezoneDetect/jstz'); | |||
| script('core', 'merged-login'); | |||
| use OC\Core\Controller\LoginController; | |||
| ?> | |||
| <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}</style><![endif]--> | |||
| @@ -34,7 +36,7 @@ script('core', 'merged-login'); | |||
| <!-- the following div ensures that the spinner is always inside the #message div --> | |||
| <div style="clear: both;"></div> | |||
| </div> | |||
| <p class="grouptop<?php if (!empty($_['invalidpassword'])) { ?> shake<?php } ?>"> | |||
| <p class="grouptop<?php if (!empty($_[LoginController::LOGIN_MSG_INVALIDPASSWORD])) { ?> shake<?php } ?>"> | |||
| <input type="text" name="user" id="user" | |||
| placeholder="<?php p($l->t('Username or email')); ?>" | |||
| aria-label="<?php p($l->t('Username or email')); ?>" | |||
| @@ -44,7 +46,7 @@ script('core', 'merged-login'); | |||
| <label for="user" class="infield"><?php p($l->t('Username or email')); ?></label> | |||
| </p> | |||
| <p class="groupbottom<?php if (!empty($_['invalidpassword'])) { ?> shake<?php } ?>"> | |||
| <p class="groupbottom<?php if (!empty($_[LoginController::LOGIN_MSG_INVALIDPASSWORD])) { ?> shake<?php } ?>"> | |||
| <input type="password" name="password" id="password" value="" | |||
| placeholder="<?php p($l->t('Password')); ?>" | |||
| aria-label="<?php p($l->t('Password')); ?>" | |||
| @@ -58,10 +60,14 @@ script('core', 'merged-login'); | |||
| <div class="submit-icon icon-confirm-white"></div> | |||
| </div> | |||
| <?php if (!empty($_['invalidpassword'])) { ?> | |||
| <?php if (!empty($_[LoginController::LOGIN_MSG_INVALIDPASSWORD])) { ?> | |||
| <p class="warning wrongPasswordMsg"> | |||
| <?php p($l->t('Wrong password.')); ?> | |||
| </p> | |||
| <?php } else if (!empty($_[LoginController::LOGIN_MSG_USERDISABLED])) { ?> | |||
| <p class="warning userDisabledMsg"> | |||
| <?php p(\OC::$server->getL10N('lib')->t('User disabled')); ?> | |||
| </p> | |||
| <?php } ?> | |||
| <?php if ($_['throttle_delay'] > 5000) { ?> | |||
Loading…