Force a back end user to change his password upon the next login (see #…

…2928)

CHANGELOG.md

@@ -4,6 +4,9 @@ Contao Open Source CMS Changelog
 Version 2.11.RC1 (XXXX-XX-XX)
 -----------------------------
 
+### New
+Force a back end user to change his password upon the next login (see #2928).
+
 ### Changed
 Make the user agent and OS list in the `Environment` class editable (see #3410).
 

contao/index.php

@@ -61,7 +61,7 @@ public function __construct()
 		// Redirect to the install tool
 		if (!Config::getInstance()->isComplete())
 		{
-			$this->redirect('install.php');
+			$this->redirect('contao/install.php');
 		}
 
 		$this->import('BackendUser', 'User');

contao/install.php

@@ -831,20 +831,22 @@ public function run()
 				{
 					$this->Template->adminError = $GLOBALS['TL_LANG']['ERR']['extnd'];
 				}
-
 				// Passwords do not match
 				elseif ($this->Input->post('pass') != $this->Input->post('confirm_pass'))
 				{
 					$this->Template->adminError = $GLOBALS['TL_LANG']['ERR']['passwordMatch'];
 				}
-
 				// Password too short
 				elseif (utf8_strlen($this->Input->post('pass')) < $GLOBALS['TL_CONFIG']['minPasswordLength'])
 				{
 					$this->Template->adminError = sprintf($GLOBALS['TL_LANG']['ERR']['passwordLength'], $GLOBALS['TL_CONFIG']['minPasswordLength']);
 				}
-
-				// Save data
+				// Password and username are the same
+				elseif ($this->Input->post('pass') == $this->Input->post('username'))
+				{
+					$this->Template->adminError = $GLOBALS['TL_LANG']['ERR']['passwordName'];
+				}
+				// Save the data
 				elseif ($this->Input->post('name') != '' && $this->Input->post('email', true) != '' && $this->Input->post('username') != '')
 				{
 					$strSalt = substr(md5(uniqid(mt_rand(), true)), 0, 23);

contao/main.php

@@ -68,14 +68,20 @@ public function __construct()
 		// Redirect to the install tool
 		if (!Config::getInstance()->isComplete())
 		{
-			$this->redirect('install.php');
+			$this->redirect('contao/install.php');
 		}
 
 		$this->import('BackendUser', 'User');
 		parent::__construct();
 
 		$this->User->authenticate();
 
+		// Password change required
+		if ($this->User->pwChange)
+		{
+			$this->redirect('contao/password.php');
+		}
+
 		$this->loadLanguageFile('default');
 		$this->loadLanguageFile('modules');
 	}
@@ -137,7 +143,7 @@ protected function welcomeScreen()
 			}
 		}
 
-		$objTemplate->messages = implode("\n", $arrMessages);
+		$objTemplate->messages = $this->getMessages(false, true) . "\n" . implode("\n", $arrMessages);
 		$objTemplate->arrGroups = $this->User->navigation(true);
  		$objTemplate->welcome = sprintf($GLOBALS['TL_LANG']['MSC']['welcomeTo'], $GLOBALS['TL_CONFIG']['websiteTitle']);
 		$objTemplate->systemMessages = $GLOBALS['TL_LANG']['MSC']['systemMessages'];

contao/password.php

@@ -0,0 +1,154 @@
+<?php
+
+/**
+ * Contao Open Source CMS
+ * Copyright (C) 2005-2011 Leo Feyer
+ *
+ * Formerly known as TYPOlight Open Source CMS.
+ *
+ * This program is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program. If not, please visit the Free
+ * Software Foundation website at <http://www.gnu.org/licenses/>.
+ *
+ * PHP version 5
+ * @copyright  Leo Feyer 2005-2011
+ * @author     Leo Feyer <http://www.contao.org>
+ * @package    Backend
+ * @license    LGPL
+ * @filesource
+ */
+
+
+/**
+ * Initialize the system
+ */
+define('TL_MODE', 'BE');
+require_once('../system/initialize.php');
+
+
+/**
+ * Class Index
+ *
+ * Provides a form to change the back end password.
+ * @copyright  Leo Feyer 2011
+ * @author     Leo Feyer <http://www.contao.org>
+ * @package    Controller
+ */
+class Index extends Backend
+{
+
+	/**
+	 * Initialize the controller
+	 * 
+	 * 1. Import the user
+	 * 2. Call the parent constructor
+	 * 3. Authenticate the user
+	 * 4. Load the language files
+	 * DO NOT CHANGE THIS ORDER!
+	 */
+	public function __construct()
+	{
+		$this->import('BackendUser', 'User');
+		parent::__construct();
+
+		$this->User->authenticate();
+
+		$this->loadLanguageFile('default');
+		$this->loadLanguageFile('modules');
+	}
+
+
+	/**
+	 * Run the controller and parse the password template
+	 */
+	public function run()
+	{
+		$this->Template = new BackendTemplate('be_password');
+
+		if ($this->Input->post('FORM_SUBMIT') == 'tl_password')
+		{
+			$pw = $this->Input->post('password');
+			$cnf = $this->Input->post('confirm');
+
+			// Do not allow special characters
+			if (preg_match('/[#\(\)\/<=>]/', html_entity_decode($this->Input->post('password'))))
+			{
+				$this->addErrorMessage($GLOBALS['TL_LANG']['ERR']['extnd']);
+			}
+			// Passwords do not match
+			elseif ($pw != $cnf)
+			{
+				$this->addErrorMessage($GLOBALS['TL_LANG']['ERR']['passwordMatch']);
+			}
+			// Password too short
+			elseif (utf8_strlen($pw) < $GLOBALS['TL_CONFIG']['minPasswordLength'])
+			{
+				$this->addErrorMessage(sprintf($GLOBALS['TL_LANG']['ERR']['passwordLength'], $GLOBALS['TL_CONFIG']['minPasswordLength']));
+			}
+			// Password and username are the same
+			elseif ($pw == $this->User->username)
+			{
+				$this->addErrorMessage($GLOBALS['TL_LANG']['ERR']['passwordName']);
+			}
+			// Save the data
+			else
+			{
+				list(, $strSalt) = explode(':', $this->User->password);
+				$strPassword = sha1($strSalt . $pw);
+
+				// Make sure the password has been changed
+				if ($strPassword . ':' . $strSalt == $this->User->password)
+				{
+					$this->addErrorMessage($GLOBALS['TL_LANG']['MSC']['pw_change']);
+				}
+				else
+				{
+					$strSalt = substr(md5(uniqid(mt_rand(), true)), 0, 23);
+					$strPassword = sha1($strSalt . $pw);
+
+					$this->Database->prepare("UPDATE tl_user SET password=?, pwChange='' WHERE id=?")
+								   ->execute($strPassword . ':' . $strSalt, $this->User->id);
+
+					$this->addConfirmationMessage($GLOBALS['TL_LANG']['MSC']['pw_changed']);
+					$this->redirect('contao/main.php');
+				}
+			}
+
+			$this->reload();
+		}
+
+		$this->Template->theme = $this->getTheme();
+		$this->Template->messages = $this->getMessages();
+		$this->Template->base = $this->Environment->base;
+		$this->Template->language = $GLOBALS['TL_LANGUAGE'];
+		$this->Template->title = $GLOBALS['TL_CONFIG']['websiteTitle'];
+		$this->Template->charset = $GLOBALS['TL_CONFIG']['characterSet'];
+		$this->Template->action = ampersand($this->Environment->request);
+		$this->Template->headline = $GLOBALS['TL_LANG']['MSC']['pw_change'];
+		$this->Template->submitButton = specialchars($GLOBALS['TL_LANG']['MSC']['continue']);
+		$this->Template->password = $GLOBALS['TL_LANG']['MSC']['password'][0];
+		$this->Template->confirm = $GLOBALS['TL_LANG']['MSC']['confirm'][0];
+		$this->Template->disableCron = $GLOBALS['TL_CONFIG']['disableCron'];
+
+		$this->Template->output();
+	}
+}
+
+
+/**
+ * Instantiate the controller
+ */
+$objIndex = new Index();
+$objIndex->run();
+
+?>

system/libraries/System.php

@@ -594,9 +594,10 @@ protected function addMessage($strMessage, $strType)
 	/**
 	 * Return all messages as HTML
 	 * @param boolean
+	 * @param boolean
 	 * @return string
 	 */
-	protected function getMessages($blnDcLayout=false)
+	protected function getMessages($blnDcLayout=false, $blnNoWrapper=false)
 	{
 		$strMessages = '';
 
@@ -632,7 +633,7 @@ protected function getMessages($blnDcLayout=false)
 		$strMessages = trim($strMessages);
 
 		// Wrapping container
-		if ($strMessages != '')
+		if (!$blnNoWrapper && $strMessages != '')
 		{
 			$strMessages = sprintf('%s<div class="tl_message">%s%s%s</div>%s', ($blnDcLayout ? "\n\n" : "\n"), "\n", $strMessages, "\n", ($blnDcLayout ? '' : "\n"));
 		}

system/modules/backend/config/database.sql

@@ -668,6 +668,7 @@ CREATE TABLE `tl_user` (
   `dateAdded` int(10) unsigned NOT NULL default '0',
   `currentLogin` int(10) unsigned NOT NULL default '0',
   `lastLogin` int(10) unsigned NOT NULL default '0',
+  `pwChange` char(1) NOT NULL default '',
   PRIMARY KEY  (`id`),
   UNIQUE KEY `username` (`username`),
   KEY `email` (`email`)

system/modules/backend/dca/tl_user.php

@@ -128,11 +128,11 @@
 	(
 		'__selector__'                => array('inherit', 'admin'),
 		'login'                       => '{name_legend},name,email;{backend_legend},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{session_legend},session;{password_legend},password',
-		'admin'                       => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password;{admin_legend},admin;{account_legend},disable,start,stop',
-		'default'                     => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password;{admin_legend},admin;{groups_legend},groups,inherit;{account_legend},disable,start,stop',
-		'group'                       => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password;{admin_legend},admin;{groups_legend},groups,inherit;{account_legend},disable,start,stop',
-		'extend'                      => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password;{admin_legend},admin;{groups_legend},groups,inherit;{modules_legend},modules,themes;{pagemounts_legend},pagemounts,alpty;{filemounts_legend},filemounts,fop;{forms_legend},forms,formp;{account_legend},disable,start,stop',
-		'custom'                      => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password;{admin_legend},admin;{groups_legend},groups,inherit;{modules_legend},modules,themes;{pagemounts_legend},pagemounts,alpty;{filemounts_legend},filemounts,fop;{forms_legend},forms,formp;{account_legend},disable,start,stop'
+		'admin'                       => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password,pwChange;{admin_legend},admin;{account_legend},disable,start,stop',
+		'default'                     => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password,pwChange;{admin_legend},admin;{groups_legend},groups,inherit;{account_legend},disable,start,stop',
+		'group'                       => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password,pwChange;{admin_legend},admin;{groups_legend},groups,inherit;{account_legend},disable,start,stop',
+		'extend'                      => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password,pwChange;{admin_legend},admin;{groups_legend},groups,inherit;{modules_legend},modules,themes;{pagemounts_legend},pagemounts,alpty;{filemounts_legend},filemounts,fop;{forms_legend},forms,formp;{account_legend},disable,start,stop',
+		'custom'                      => '{name_legend},username,name,email;{backend_legend:hide},language,backendTheme,showHelp,thumbnails,useRTE,useCE,fancyUpload;{password_legend:hide},password,pwChange;{admin_legend},admin;{groups_legend},groups,inherit;{modules_legend},modules,themes;{pagemounts_legend},pagemounts,alpty;{filemounts_legend},filemounts,fop;{forms_legend},forms,formp;{account_legend},disable,start,stop'
 	),
 
 	// Fields
@@ -231,6 +231,14 @@
 			'inputType'               => 'password',
 			'eval'                    => array('mandatory'=>true, 'rgxp'=>'extnd', 'minlength'=>$GLOBALS['TL_CONFIG']['minPasswordLength'])
 		),
+		'pwChange' => array
+		(
+			'label'                   => &$GLOBALS['TL_LANG']['tl_user']['pwChange'],
+			'exclude'                 => true,
+			'inputType'               => 'checkbox',
+			'filter'                  => true,
+			'eval'                    => array('tl_class'=>'clr')
+		),
 		'admin' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_user']['admin'],

system/modules/backend/languages/de/default.php

@@ -43,7 +43,7 @@
 $GLOBALS['TL_LANG']['ERR']['alpha']             = 'Bitte geben Sie nur Buchstaben ein!';
 $GLOBALS['TL_LANG']['ERR']['alnum']             = 'Bitte geben Sie nur Buchstaben und Zahlen ein!';
 $GLOBALS['TL_LANG']['ERR']['phone']             = 'Bitte geben Sie eine gültige Telefonnummer ein!';
-$GLOBALS['TL_LANG']['ERR']['extnd']             = 'Aus Sicherheitsgründen können Sie diese Zeichen (=<>&/()#) hier nicht verwenden!';
+$GLOBALS['TL_LANG']['ERR']['extnd']             = 'Aus Sicherheitsgründen können Sie folgende Zeichen hier nicht verwenden: =<>&/()#';
 $GLOBALS['TL_LANG']['ERR']['email']             = 'Bitte geben Sie eine gültige E-Mail-Adresse ein!';
 $GLOBALS['TL_LANG']['ERR']['emails']            = 'Mindestens eine der E-Mail-Adressen ist ungültig!';
 $GLOBALS['TL_LANG']['ERR']['url']               = 'Bitte geben Sie ein gültiges URL-Format ein und kodieren Sie Sonderzeichen!';
@@ -361,6 +361,7 @@
 $GLOBALS['TL_LANG']['MSC']['continue']         = 'Weiter';
 $GLOBALS['TL_LANG']['MSC']['skipNavigation']   = 'Navigation überspringen';
 $GLOBALS['TL_LANG']['MSC']['selectAll']        = 'Alle auswählen';
+$GLOBALS['TL_LANG']['MSC']['pw_change']        = 'Bitte geben Sie ein neues Passwort ein';
 $GLOBALS['TL_LANG']['MSC']['pw_changed']       = 'Das Passwort wurde aktualisiert.';
 $GLOBALS['TL_LANG']['MSC']['fallback']         = 'Standard';
 $GLOBALS['TL_LANG']['MSC']['view']             = 'In einem neuen Fenster ansehen';

system/modules/backend/languages/de/tl_user.php

@@ -42,6 +42,7 @@
 $GLOBALS['TL_LANG']['tl_user']['useRTE']       = array('Rich Text Editor verwenden', 'Den Rich Text Editor zur Textformatierung verwenden.');
 $GLOBALS['TL_LANG']['tl_user']['useCE']        = array('Code-Editor verwenden', 'Den Code-Editor zur Bearbeitung von Code-Elementen verwenden.');
 $GLOBALS['TL_LANG']['tl_user']['fancyUpload']  = array('FancyUpload aktivieren', 'Falls FancyUpload in Ihrem Browser nicht fehlerfrei läuft, können Sie das Skript hier deaktivieren.');
+$GLOBALS['TL_LANG']['tl_user']['pwChange']     = array('Passwort-Änderung notwendig', 'Zwingt den Benutzer, sein Passwort bei der nächsten Anmeldung zu ändern.');
 $GLOBALS['TL_LANG']['tl_user']['admin']        = array('Zum Administrator machen', 'Administratoren haben uneingeschränkten Zugriff auf alle Module und Elemente!');
 $GLOBALS['TL_LANG']['tl_user']['groups']       = array('Benutzergruppen', 'Hier können Sie den Benutzer einer oder mehreren Gruppen zuweisen.');
 $GLOBALS['TL_LANG']['tl_user']['inherit']      = array('Rechtevererbung', 'Hier können Sie festlegen, welche Gruppenrechte der Benutzer erbt.');

system/modules/backend/languages/en/default.php

@@ -43,7 +43,7 @@
 $GLOBALS['TL_LANG']['ERR']['alpha']             = 'Please enter alphabetic characters only!';
 $GLOBALS['TL_LANG']['ERR']['alnum']             = 'Please enter alphanumeric characters only!';
 $GLOBALS['TL_LANG']['ERR']['phone']             = 'Please enter a valid phone number!';
-$GLOBALS['TL_LANG']['ERR']['extnd']             = 'For security reasons you can not use these characters (=<>&/()#) here!';
+$GLOBALS['TL_LANG']['ERR']['extnd']             = 'For security reasons you can not use the following characters here: =<>&/()#';
 $GLOBALS['TL_LANG']['ERR']['email']             = 'Please enter a valid e-mail address!';
 $GLOBALS['TL_LANG']['ERR']['emails']            = 'There is at least one invalid e-mail address!';
 $GLOBALS['TL_LANG']['ERR']['url']               = 'Please enter a valid URL format and encode special characters!';
@@ -361,6 +361,7 @@
 $GLOBALS['TL_LANG']['MSC']['continue']         = 'Continue';
 $GLOBALS['TL_LANG']['MSC']['skipNavigation']   = 'Skip navigation';
 $GLOBALS['TL_LANG']['MSC']['selectAll']        = 'Select all';
+$GLOBALS['TL_LANG']['MSC']['pw_change']        = 'Please enter a new password';
 $GLOBALS['TL_LANG']['MSC']['pw_changed']       = 'The password has been updated.';
 $GLOBALS['TL_LANG']['MSC']['fallback']         = 'default';
 $GLOBALS['TL_LANG']['MSC']['view']             = 'View in a new window';

system/modules/backend/languages/en/tl_user.php

@@ -42,6 +42,7 @@
 $GLOBALS['TL_LANG']['tl_user']['useRTE']       = array('Enable the rich text editor', 'Use the rich text editor to format text elements.');
 $GLOBALS['TL_LANG']['tl_user']['useCE']        = array('Enable the code editor', 'Use the code editor to modify code elements.');
 $GLOBALS['TL_LANG']['tl_user']['fancyUpload']  = array('Use FancyUpload', 'If FancyUpload does not work properly in your web browser, you can deactivate the script here.');
+$GLOBALS['TL_LANG']['tl_user']['pwChange']     = array('Password change required', 'Make the user change his password upon the next login.');
 $GLOBALS['TL_LANG']['tl_user']['admin']        = array('Make the user an administrator', 'Administrators have unlimited access to all modules and elements!');
 $GLOBALS['TL_LANG']['tl_user']['groups']       = array('User groups', 'Here you can assign the user to one or more groups.');
 $GLOBALS['TL_LANG']['tl_user']['inherit']      = array('Permission inheritance', 'Here you can define which group permissions the user inherits.');