Item14506: Reset and Change are working. Still needs work

- Thorough security review. - Javascript to enhance the change screen - Confirming new passwords, - Sending email crashes for bad addresses. It should just send msg. - Review all messages - Clean up old templates.
foswiki · Oct 11, 2017 · 42c2485 · 42c2485
1 parent e1f2e16
commit 42c2485
Show file tree

Hide file tree

Showing 12 changed files with 626 additions and 56 deletions.
diff --git a/PasswordManagementPlugin/data/System/ChangePassword.txt b/PasswordManagementPlugin/data/System/ChangePassword.txt
@@ -0,0 +1,94 @@
+%META:TOPICINFO{author="ProjectContributor" date="1507692847" format="1.1" version="1"}%
+%META:TOPICPARENT{name="UserToolsCategory"}%
+%ADDTOZONE{"head" text="<style type='text/css'>
+    #changePassword .col1 {float:left; width:30%; margin:0 3% 0 0;}
+    #changePassword .col2 {float:left; width:66%;}
+    #changePassword .col1 .foswikiInputField,
+    #changePassword .col1 .foswikiSelect {width:90%;}
+    #changePassword .required {font-size:80%; color:#aaa;}
+    #changePassword .foswikiHelp {margin:.5em 0;}
+</style>"}%
+
+---+ %IF{"'%SESSION_VARIABLE{"FOSWIKI_PASSWORDRESET"}%' = '1'" else="%MAKETEXT{"Change Password"}% "then="%MAKETEXT{"Reset Password"}%"}%
+%IF{
+  "context passwords_modifyable"
+  then="$percentINCLUDE{\"%TOPIC%\" section=\"changePassword\"}$percent"
+  else="%CHANGEPASSWORDDISABLEDMESSAGE%"
+}%
+
+<!--
+<verbatim class="foswikiHidden">
+%STARTSECTION{"changePassword"}%
+
+%MAKETEXT{"You can use the form on this page to change your password"}%
+
+%IF{"'%SESSION_VARIABLE{"FOSWIKI_TOPICRESTRICTION"}%' = '%WEB%.%TOPIC%'" then="
+<div class='foswikiHelp'>
+%IF{"'%SESSION_VARIABLE{"FOSWIKI_PASSWORDRESET"}%' = '1'" then="
+%MAKETEXT{"You have requested a password reset. Use the below form to create a new password."}%
+%MAKETEXT{"You can cancel the reset request by logging out of Foswiki."}%
+" else="
+%MAKETEXT{"You are required to change your password."}%
+"}%
+%MAKETEXT{"Your session is currently restricted to this topic.
+Once your password has been changed, the restriction will be removed."}%
+</div>
+"}%
+
+<form name="changepasswd" action="%SCRIPTURLPATH{"rest"}%/PasswordManagementPlugin/changePassword" method="post">
+	<div id="changePassword" class="foswikiFormSteps">
+		<div class="foswikiFormStep">
+			<h3>User ID (WikiName or Login name) <span class="required">Required</span></h3>
+			<div class="col1">
+				<p>
+                    <input type="text" name="username" value="%WIKINAME%" size="40" class="foswikiInputField" />
+				</p>
+			</div><!--//col1-->
+			<div class="foswikiClear"></div>
+		</div><!--//foswikiFormStep-->
+%IF{"'%SESSION_VARIABLE{"FOSWIKI_TOPICRESTRICTION"}%' = '%WEB%.%TOPIC%'" else="
+		<div class='foswikiFormStep'>
+            <h3>%MAKETEXT{"Current password:"}%</h3>
+			<div class='col1'>
+				<p>
+                    <input type='password' name='oldpassword' size='40' class='foswikiInputField' />
+				</p>
+			</div><!--//col1-->
+			<div class='foswikiClear'></div>
+		</div><!--//foswikiFormStep-->
+"}%
+		<div class="foswikiFormStep">
+			<div class="col1">
+                <h3>%MAKETEXT{"New password:"}%</h3>
+				<p>
+                    <input type="password" name="password" size="40" class="foswikiInputField" />
+                </p>
+            </div><!--//col1-->
+            <div class='col2'>
+                <h3>%MAKETEXT{"Retype new password:"}%</h3>
+                <p>
+                    <input type="password" name="passwordA" size="40" class="foswikiInputField" />
+				</p>
+			</div><!--//col2-->
+			<div class="foswikiClear"></div>
+		</div><!--//foswikiFormStep-->
+		<div class="foswikiFormStep">
+			<input type="submit" class="foswikiSubmit" value="%MAKETEXT{"Change Password"}%" />
+		</div><!--//foswikiFormStep-->
+	</div><!--//foswikiFormSteps-->
+</form>
+
+<div class="foswikiHelp">
+%ICON{info}%
+%MAKETEXT{"If you have any questions, please contact [_1]" args="%WIKIWEBMASTER%"}%.
+%MAKETEXT{"[_1] has a list of other Foswiki users" args="%USERSWEB%.%WIKIUSERSTOPIC%"}%.
+</div>
+%ENDSECTION{"changePassword"}%
+</verbatim>
+-->
+---
+*%MAKETEXT{"Related topics:"}%* ResetPassword, ChangeEmailAddress, UserToolsCategory, AdminToolsCategory
+
+<!--
+   * Set DENYTOPICVIEW = WikiGuest
+-->
diff --git a/...pingContrib/data/System/ResetPassword.txt → ...ementPlugin/data/System/ResetPassword.txt b/...pingContrib/data/System/ResetPassword.txt → ...ementPlugin/data/System/ResetPassword.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1447730097" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1507692847" format="1.1" version="1"}%
 %META:TOPICPARENT{name="ChangePassword"}%
 ---+ %MAKETEXT{"Reset Password"}%
 
@@ -11,9 +11,10 @@
 <!--
 <verbatim class="foswikiHidden">
 %STARTSECTION{"resetPassword"}%
-%MAKETEXT{"After submitting this form, you will receive an e-mail with your new, system-generated password, and a link to a page where you can change it."}%
+%MAKETEXT{"After submitting this form, you will receive an e-mail with a one-time token that will grant you access to the [[[_1]][ChangePassword]] topic." arg1="%SYSTEMWEB%.ChangePassword"}%
+%MAKETEXT{"If you did not request a password reset, you can ignore the email message and your password will not be changed."}%
 
-<form name="resetpasswd" action="%SCRIPTURLPATH{"resetpasswd"}%/%USERSWEB%/%HOMETOPIC%" method="post">
+<form name="resetpasswd" action="%SCRIPTURLPATH{"rest"}%/PasswordManagementPlugin/resetPassword" method="post">
 <div class="foswikiFormSteps">
 <div class="foswikiFormStep">
 %X% %MAKETEXT{"You *must* have at least one valid registered e-mail to be able to reset your password. If none of your registered e-mail addresses is valid, and you have forgotten your password, contact [_1]." args="%WIKIWEBMASTER%"}%