Diffstat (limited to 'classes')
-rw-r--r-- | classes/auth/internal.php | 22 | ||||
-rw-r--r-- | classes/pref/prefs.php | 107 |
2 files changed, 113 insertions, 16 deletions
diff --git a/classes/auth/internal.php b/classes/auth/internal.php
index 214d77801..8993116c6 100644
--- a/classes/auth/internal.php
+++ b/classes/auth/internal.php
@@ -120,7 +120,7 @@ class Auth_Internal extends Auth_Base {
 			return false;
 		}
-	function change_password($owner_uid, $old_password, $new_password) {
+	function check_password($owner_uid, $password) {
 		$owner_uid = db_escape_string($owner_uid);
 		$result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE
@@ -130,23 +130,29 @@ class Auth_Internal extends Auth_Base {
 		$login = db_fetch_result($result, 0, "login");
 		if (!$salt) {
-			$old_password_hash1 = encrypt_password($old_password);
-			$old_password_hash2 = encrypt_password($old_password, $login);
+			$password_hash1 = encrypt_password($password);
+			$password_hash2 = encrypt_password($password, $login);
 			$query = "SELECT id FROM ttrss_users WHERE
-				id = '$owner_uid' AND (pwd_hash = '$old_password_hash1' OR
-				pwd_hash = '$old_password_hash2')";
+				id = '$owner_uid' AND (pwd_hash = '$password_hash1' OR
+				pwd_hash = '$password_hash2')";
 		} else {
-			$old_password_hash = encrypt_password($old_password, $salt, true);
+			$password_hash = encrypt_password($password, $salt, true);
 			$query = "SELECT id FROM ttrss_users WHERE
-				id = '$owner_uid' AND pwd_hash = '$old_password_hash'";
+				id = '$owner_uid' AND pwd_hash = '$password_hash'";
 		}
 		$result = db_query($this->link, $query);
-		if (db_num_rows($result) == 1) {
+		return db_num_rows($result) != 0;
+	}
+
+	function change_password($owner_uid, $old_password, $new_password) {
+		$owner_uid = db_escape_string($owner_uid);
+
+		if ($this->check_password($owner_uid, $old_password)) {
 			$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 			$new_password_hash = encrypt_password($new_password, $new_salt, true);
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 3e93ee4d6..e9f420774 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
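Review bot: `check_password()` becomes a public verification primitive that accepts any `$owner_uid`, yet it carries no docblock stating its contract; add above it something like `/** Returns true when $password matches the stored hash for $owner_uid (legacy unsalted or salted form). No throttling is done here — callers must pass a trusted, already-authenticated uid. */`. The result test was loosened from the old `== 1` to `!= 0`; since the query is keyed on `id`, `return db_num_rows($result) == 1;` is the stricter equivalent and reads as the intent. `change_password()` runs `db_escape_string($owner_uid)` and then `check_password()` escapes the same value again; harmless for a numeric id, but escaping belongs where the value is interpolated into SQL, so the call could pass the raw `$owner_uid` and keep the escaped copy for its own UPDATE. change_password's body continues past the end of this hunk.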
@@ -230,6 +230,10 @@ class Pref_Prefs extends Handler_Protected {
 			}
 			</script>";
+		if ($otp_enabled) {
+			print_notice("Changing your current password will disable OTP.");
+		}
+
 		print "<table width=\"100%\" class=\"prefPrefsList\">";
 		print "<tr><td width=\"40%\">".__("Old password")."</td>";
@@ -260,7 +264,45 @@ class Pref_Prefs extends Handler_Protected {
 		if ($otp_enabled) {
-			print "<p>".__("One time passwords are currently enabled. Change your current password and refresh this page to reconfigure.") . "</p>";
+			print_notice("One time passwords are currently enabled. Enter your current password below to disable.");
+
+			print "<form dojoType=\"dijit.form.Form\">";
+
+			print "<script type=\"dojo/method\" event=\"onSubmit\" args=\"evt\">
+			evt.preventDefault();
+			if (this.validate()) {
+				notify_progress('Disabling OTP', true);
+
+				new Ajax.Request('backend.php', {
+					parameters: dojo.objectToQuery(this.getValues()),
+					onComplete: function(transport) {
+						notify('');
+						if (transport.responseText.indexOf('ERROR: ') == 0) {
+							notify_error(transport.responseText.replace('ERROR: ', ''));
+						} else {
+							window.location.reload();
+						}
+				}});
+				this.reset();
+			}
+			</script>";
+
+			print "<table width=\"100%\" class=\"prefPrefsList\">";
+
+			print "<tr><td width=\"40%\">".__("Enter your password")."</td>";
+
+			print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" type=\"password\" required=\"1\"
+				name=\"password\"></td></tr>";
+
+			print "</table>";
+
+			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-prefs\">";
+			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"otpdisable\">";
+
+			print "<p><button dojoType=\"dijit.form.Button\" type=\"submit\">".
+				__("Disable OTP")."</button>";
+
+			print "</form>";
 		} else {
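Review bot: The `onSubmit` handler added for the disable form (`notify('')` through `window.location.reload()`) is the same block this commit adds to the enable form in the `@@ -285,18 +327,37 @@` hunk; a single shared JS function taking the form and a progress label would keep the two copies from drifting. This form also has no `id`, unlike the enable form's `changeOtpForm`, so it cannot be addressed from the page's other scripts; `print "<form dojoType=\"dijit.form.Form\" id=\"disableOtpForm\">";` would bring it in line (constructed name). The enclosing method starts before this hunk.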
@@ -275,7 +317,7 @@ class Pref_Prefs extends Handler_Protected {
 			print "<form dojoType=\"dijit.form.Form\" id=\"changeOtpForm\">";
 			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-prefs\">";
-			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"changeotp\">";
+			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"otpenable\">";
 			print "<script type=\"dojo/method\" event=\"onSubmit\" args=\"evt\">
 			evt.preventDefault();
@@ -285,18 +327,37 @@ class Pref_Prefs extends Handler_Protected {
 				new Ajax.Request('backend.php', {
 					parameters: dojo.objectToQuery(this.getValues()),
 					onComplete: function(transport) {
-						window.location.reload();
+						notify('');
+						if (transport.responseText.indexOf('ERROR: ') == 0) {
+							notify_error(transport.responseText.replace('ERROR: ', ''));
+						} else {
+							window.location.reload();
+						}
 					}
 				});
 			}
 			</script>";
+			print "<table width=\"100%\" class=\"prefPrefsList\">";
+
+			print "<tr><td width=\"40%\">".__("Enter your password")."</td>";
+
+			print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" type=\"password\" required=\"1\"
+				name=\"password\"></td></tr>";
+
+			print "<tr><td colspan=\"2\">";
+
 			print "<input dojoType=\"dijit.form.CheckBox\" required=\"1\" type=\"checkbox\" id=\"enable_otp\" name=\"enable_otp\"/> ";
 			print "<label for=\"enable_otp\">".__("I have scanned the code and would like to enable OTP")."</label>";
+			print "</td></tr><tr><td colspan=\"2\">";
+
+			print "</td></tr>";
+			print "</table>";
+
 			print "<p><button dojoType=\"dijit.form.Button\" type=\"submit\">".
-				__("Save OTP setting")."</button>";
+				__("Enable OTP")."</button>";
 			print "</form>";
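Review bot: The added `print "</td></tr><tr><td colspan=\"2\">";` followed by `print "</td></tr>";` emits an empty `<tr><td colspan="2"></td></tr>` after the checkbox row, which looks like leftover scaffolding; closing the checkbox cell with just `print "</td></tr>";` and dropping the empty row gives the same table. `required=\"1\"` on the `dijit.form.CheckBox` is the only thing that stops an unchecked submission, and the server side in the `@@ -648` hunk silently does nothing in that case, so the client-side constraint is doing real work here and deserves a one-line comment saying so. The enclosing method starts before this hunk.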
@@ -648,13 +709,43 @@ class Pref_Prefs extends Handler_Protected { } } - function changeotp() { - $enable_otp = $_REQUEST["enable_otp"]; + function otpenable() { + $password = db_escape_string($_REQUEST["password"]); + + $module_class = "auth_" . $_SESSION["auth_module"]; + $authenticator = new $module_class($this->link); + $enable_otp = $_REQUEST["enable_otp"] == "on"; + + if ($authenticator->check_password($_SESSION["uid"], $password)) { + + if ($enable_otp) { + db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE + id = " . $_SESSION["uid"]); + + print "OK"; + } + } else { + print "ERROR: ".__("Incorrect password"); + } - if ($enable_otp == "on") { - db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE + } + + function otpdisable() { + $password = db_escape_string($_REQUEST["password"]); + + $module_class = "auth_" . $_SESSION["auth_module"]; + $authenticator = new $module_class($this->link); + + if ($authenticator->check_password($_SESSION["uid"], $password)) { + + db_query($this->link, "UPDATE ttrss_users SET otp_enabled = false WHERE id = " . $_SESSION["uid"]); + + print "OK"; + } else { + print "ERROR: ".__("Incorrect password"); } + } } ?> |
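Review bot: `otpenable()` and `otpdisable()` instantiate `"auth_" . $_SESSION["auth_module"]` and call `check_password()` on it, but this commit adds `check_password()` only to `Auth_Internal`; unless `Auth_Base` (not in the diff) defines it, a session authenticated by any other module will hit an undefined-method fatal here, so a guard such as `if (!method_exists($authenticator, "check_password")) { print "ERROR: ".__("Incorrect password"); return; }` or a default in the base class is needed. The password is run through `db_escape_string()` before it reaches `check_password()`, which hashes it; the escaped form is what gets hashed, so a password containing a quote or backslash verifies only if login applies the identical escaping — pass `$_REQUEST["password"]` unescaped and let the SQL boundary inside `check_password()` escape what it interpolates. When the password is correct but `enable_otp` is not `"on"`, `otpenable()` prints nothing, which the form's `onComplete` treats as success and reloads the page; print an `"ERROR: "` message for that branch so the no-op is visible. Flipping `otp_enabled` on the strength of a checkbox alone, without verifying one generated code first, lets a user who mis-scanned the secret lock themselves out; checking a submitted code before the `UPDATE` would close that gap. The authenticator construction is duplicated in both methods and would sit better in a private helper.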