<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] [337] Add a means to filter out users who arent allowed to reset passwords with only
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B337%5D%20Add%20a%20means%20to%20filter%20out%20users%20who%20arent%0A%20allowed%20to%20reset%20passwords%20with%20only&In-Reply-To=%3C20110122135556.CD32142D9A%40valstar.mageia.org%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="002384.html">
<LINK REL="Next" HREF="002386.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] [337] Add a means to filter out users who arent allowed to reset passwords with only</H1>
<B>root at mageia.org</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B337%5D%20Add%20a%20means%20to%20filter%20out%20users%20who%20arent%0A%20allowed%20to%20reset%20passwords%20with%20only&In-Reply-To=%3C20110122135556.CD32142D9A%40valstar.mageia.org%3E"
TITLE="[Mageia-sysadm] [337] Add a means to filter out users who arent allowed to reset passwords with only">root at mageia.org
</A><BR>
<I>Sat Jan 22 14:55:56 CET 2011</I>
<HR>
<!--beginarticle-->
<PRE>Revision: 337
Author: buchan
Date: 2011-01-22 14:55:56 +0100 (Sat, 22 Jan 2011)
Log Message:
-----------
Add a means to filter out users who aren't allowed to reset passwords with only
email verification (by default, users who don't match (!(objectclass=posixAccount)))
Fix email template to use configurable project url
Modified Paths:
--------------
identity/CatDap/trunk/catdap.yml
identity/CatDap/trunk/lib/CatDap/Controller/forgot_password.pm
identity/CatDap/trunk/root/email/forgot_password.tt
Modified: identity/CatDap/trunk/catdap.yml
===================================================================
--- identity/CatDap/trunk/catdap.yml 2011-01-22 09:38:25 UTC (rev 336)
+++ identity/CatDap/trunk/catdap.yml 2011-01-22 13:55:56 UTC (rev 337)
@@ -40,6 +40,7 @@
path: '/tmp/'
prefix: 'catdap-forgot_password-'
timeout: 259200
+ allow_filter: '(!(objectClass=posixAccount))'
authentication:
default_realm: ldap
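Review bot: The new `allow_filter` key has no comment saying which way it cuts, and an operator can easily read it as a filter for blocked accounts rather than for permitted ones. I would add above it `# LDAP filter an account must match to use email-only password reset; accounts that do not match are refused`. The default is a deny-by-class rule, so any privileged entry that does not carry `posixAccount` would presumably remain eligible; if that is intended, it is worth stating in the same comment.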
Modified: identity/CatDap/trunk/lib/CatDap/Controller/forgot_password.pm
===================================================================
--- identity/CatDap/trunk/lib/CatDap/Controller/forgot_password.pm 2011-01-22 09:38:25 UTC (rev 336)
+++ identity/CatDap/trunk/lib/CatDap/Controller/forgot_password.pm 2011-01-22 13:55:56 UTC (rev 337)
@@ -57,28 +57,38 @@
$c->log->debug("Searching for email $email with filter $emailfilter");
my $mesg = $c->model('Proxy')->search($emailfilter);
- $c->log->info(printf("Search failed: %s"),$mesg->error) if ($mesg->code);
+ if ($mesg->code) {
+ $c->log->info(printf("Search failed: %s"),$mesg->error);
+ push @errors, $c->loc('Error while searching for account: ') . $mesg->error;
+ }
my @entries = $mesg->entries;
if (@entries != 1) {
push @errors,$c->loc(
'This email address is not bound to an account'
);
}
+ my $checkfilter = '(&' . $c->config->{'forgot_password'}{'allow_filter'} .
+ $emailfilter . ')';
+ $c->log->info(sprintf("Checking if user passes allow_filter $checkfilter"));
+ $mesg = $c->model('Proxy')->search($checkfilter);
+ if ($mesg->code) {
+ $c->log->info(printf("Search failed: %s"),$mesg->error);
+ push @errors, $c->loc('Error while searching for account: ') . $mesg->error;
+ }
+ my @checkentries = $mesg->entries;
+ if (@entries == 1 and @checkentries != 1) {
+ push @errors,$c->loc(
+ 'Privileged accounts may not recover passwords via this mechanism'
+ );
+ }
+
if (@errors) {
$c->stash(errors => \@errors);
$c->stash(template => 'forgot_password/index.tt');
return;
}
- if ($mesg->code) {
- push @errors,$mesg->error;
- $c->log->info( sprintf("finding email $email failed: %s", $mesg->error) );
- $c->stash(errors => \@errors);
- $c->stash(template => 'register/index.tt');
- return;
- }
-
my $secret = gen_secret($c, $email);
$c->stash(
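Review bot: A missing or empty `forgot_password.allow_filter` makes the new check pass for everyone, because `$checkfilter` collapses to `'(&' . $emailfilter . ')'`, which matches the same entry as the first search, so `@checkentries == 1` and a privileged account still gets a reset mail; the check should fail closed when the key is unset, as sketched below. Both new error branches also repeat the old `printf("Search failed: %s")` call, which has no argument for `%s`, writes to STDOUT and hands printf's return value to the logger; `sprintf("Search failed: %s", $mesg->error)` is what was meant. Separately, the distinct 'Privileged accounts may not recover passwords…' message and the raw `$mesg->error` text shown to an unauthenticated requester reveal which addresses belong to privileged accounts and expose directory error details, so consider one generic response with the specifics kept in the log. The enclosing action starts and ends outside the hunk, and `$emailfilter` is built above it, so whether `$email` is escaped for LDAP filter syntax cannot be confirmed from here.

```perl
# … unchanged: first search and @entries check …
my $allow_filter = $c->config->{'forgot_password'}{'allow_filter'};
my @checkentries;
if (!defined $allow_filter or $allow_filter eq '') {
    # Fail closed: without allow_filter the combined filter would match every account.
    $c->log->error('forgot_password allow_filter is not configured');
    push @errors, $c->loc('Password recovery is currently unavailable');
}
else {
    my $checkfilter = '(&' . $allow_filter . $emailfilter . ')';
    $c->log->info("Checking if user passes allow_filter $checkfilter");
    $mesg = $c->model('Proxy')->search($checkfilter);
    if ($mesg->code) {
        $c->log->info(sprintf("Search failed: %s", $mesg->error));
        push @errors, $c->loc('Error while searching for account: ') . $mesg->error;
    }
    @checkentries = $mesg->entries;
}
# … unchanged: @entries == 1 and @checkentries != 1 check, @errors handling …
```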
@@ -89,7 +99,7 @@
'template' => 'forgot_password.tt',
},
url => $c->uri_for('/forgot_password/confirm') . "?secret=$secret",
- cn => @entries[0]->cn,
+ cn => $entries[0]->cn,
);
$c->log->info("Sending forgot password mail to email address $email");
Modified: identity/CatDap/trunk/root/email/forgot_password.tt
===================================================================
--- identity/CatDap/trunk/root/email/forgot_password.tt 2011-01-22 09:38:25 UTC (rev 336)
+++ identity/CatDap/trunk/root/email/forgot_password.tt 2011-01-22 13:55:56 UTC (rev 337)
@@ -4,4 +4,4 @@
[% url %]
--
-<A HREF="http://mageia.org/">http://mageia.org/</A>
+[% c.config.project_url %]
</PRE>
<!--endarticle-->
<HR>
</body></html>