From 51f7060aa8464f51f78403f87b3556a7ffaa1995 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 10 May 2015 10:26:55 +0000
Subject: Add the ability to expire passwords after a configurable number of days (#19458). Patch by Holger Just and Go MAEDA.
git-svn-id: http://svn.redmine.org/redmine/trunk@14264 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 1 +
 app/models/user.rb | 13 ++++++++++++-
 app/views/my/password.html.erb | 2 +-
 app/views/settings/_authentication.html.erb | 4 ++++
 4 files changed, 18 insertions(+), 2 deletions(-) (limited to 'app')
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b6e2eb120..e1bc6a97f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -204,6 +204,7 @@ class ApplicationController < ActionController::Base
 def check_password_change
 if session[:pwd]
 if User.current.must_change_password?
+ flash[:error] = l(:error_password_expired)
 redirect_to my_password_path
 else
 session.delete(:pwd)
diff --git a/app/models/user.rb b/app/models/user.rb
index 8811a65fd..5978f06de 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -323,8 +323,19 @@ class User < Principal
 return auth_source.allow_password_changes?
 end
+ def password_expired?
+ changed_on = self.passwd_changed_on || Time.at(0)
+ period = Setting.password_max_age.to_i
+
+ if period.zero?
+ false
+ else
+ changed_on < period.days.ago
+ end
+ end
+
 def must_change_password?
- must_change_passwd? && change_password_allowed?
+ (must_change_passwd? || password_expired?) && change_password_allowed?
 end
 def generate_password?
diff --git a/app/views/my/password.html.erb b/app/views/my/password.html.erb
index c3f86b99f..6ba2bfc40 100644
--- a/app/views/my/password.html.erb
+++ b/app/views/my/password.html.erb
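Review bot: In `check_password_change` (app/controllers/application_controller.rb) the new expiry rule is only evaluated inside `if session[:pwd]`, so as far as the hunk shows it never runs for a request whose session lacks that flag. The code that sets `session[:pwd]` is outside the hunk; if it is written only when the session starts, a session opened before the password reached its maximum age would keep working past the expiry date, which should be confirmed and documented. A comment above the guard such as `# Only sessions flagged with session[:pwd] are checked; expiry is not re-evaluated for other requests` would record that limit. The added `flash[:error] = l(:error_password_expired)` is also shown when only `must_change_passwd?` is true, so the message text (not visible here) should cover the administrator-forced case as well.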
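Review bot: `password_expired?` in app/models/user.rb treats only a stored value of exactly 0 as disabled: a negative `Setting.password_max_age` makes `period.days.ago` a time in the future, so every account that is allowed to change its password would be reported as expired. The guard would be safer as `return false unless period > 0` ahead of the comparison, which also removes the `if`/`else` that returns a literal `false`. The fallback `self.passwd_changed_on || Time.at(0)` means accounts with no recorded change date count as expired as soon as a maximum age is enabled; that looks deliberate but deserves a comment, for example `# no recorded change date: treat the password as older than any limit`. The method also lacks a doc comment saying that it ignores `change_password_allowed?`, which `must_change_password?` adds itself. The `User` class body starts and ends outside the hunk.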
@@ -17,7 +17,7 @@
 <%= submit_tag l(:button_apply) %>
 <% end %>
-<% unless @user.must_change_passwd? %>
+<% unless @user.must_change_passwd? || @user.password_expired? %>
 <% content_for :sidebar do %>
 <%= render :partial => 'sidebar' %>
 <% end %>
diff --git a/app/views/settings/_authentication.html.erb b/app/views/settings/_authentication.html.erb
index 77b5afced..80fb4bd5a 100644
--- a/app/views/settings/_authentication.html.erb
+++ b/app/views/settings/_authentication.html.erb
@@ -14,6 +14,10 @@
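Review bot: The condition in app/views/my/password.html.erb repeats the rule that `User#must_change_password?` already combines in this same commit, so the view and the controller check can drift apart if another reason to force a change is added later. Consider `<% unless @user.must_change_password? %>`; that predicate additionally requires `change_password_allowed?`, which is presumably always true for a user who reaches this page, but that should be confirmed. The closing `<% end %>` of this `unless` lies outside the hunk.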

<%= setting_text_field :password_min_length, :size => 6 %>

+

+ <%= setting_select :password_max_age, [[l(:label_disabled), 0]] + [7, 30, 60, 90, 180, 365].collect{|days| [l('datetime.distance_in_words.x_days', :count => days), days.to_s]} %> +

+

<%= setting_check_box :lost_password, :label => :label_password_lost %>

<%= setting_text_field :max_additional_emails, :size => 6 %>
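Review bot: The option values passed to `setting_select :password_max_age` mix types: the disabled entry uses the integer `0` while the day counts use `days.to_s`. The model reads the setting with `.to_i`, so both forms work, but writing the first pair as `[l(:label_disabled), '0']` keeps the list uniform and avoids depending on how the helper compares the stored value with each option. The periods `[7, 30, 60, 90, 180, 365]` are only constrained by this form; nothing visible in the diff validates the stored value on the server side.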

-- cgit v1.2.3