Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ability to change custom password fields, developped by @markus-96 (#864) #865

Merged
merged 2 commits into from
Apr 17, 2024
Merged

ability to change custom password fields, developped by @markus-96 (#864) #865

merged 2 commits into from
Apr 17, 2024

Conversation

davidcoutadeur
Copy link

Closes #864

@davidcoutadeur davidcoutadeur added this to the 1.6.0 milestone Mar 13, 2024
@davidcoutadeur davidcoutadeur self-assigned this Mar 13, 2024
This was referenced Mar 13, 2024
Closed
Closed
davidcoutadeur
davidcoutadeur commented Mar 13, 2024
View reviewed changes
Copy link
Author

@davidcoutadeur davidcoutadeur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@markus-96

Here is a bunch of new remarks / comments:

  • basically, the code in changecustompwdfield.php is not working, there is much work to adapt it. For example, the checks on confirmpassword, newpassword and oldpassword are invalid, because you have replaced these fields by confirmcustompassword, newcustompassword and password. This is just an example, there are many other things to fix. Could you get the new branch change-custom-password-fields and fix these problems?

  • there is a big duplication of code in changecustompwdfield.php. Basically, this file is a copy / paste of change.php. I think we should make much more factorization here. For now, I don't know exactly what is the best approach, so just ignore it for the moment.

  • as you mentioned this before, some ppolicy checks are unusable, typically the pwd_no_reuse and pwd_diff_last_min_chars ones. The new ppolicy js code can be used for disabling these checks automatically. I will take this point in charge. The entropy of app-password could be displayed however. Why did you disable it?

  • the code in lib/functions.inc.php can be factorized from Passwords: check and create hashes, modify passwords ltb-common#7 I'll give a look to this PR.

  • check_password_strength and change_password signatures have changed, but there are still multiple places where these functions are called without the new arguments

@davidcoutadeur davidcoutadeur force-pushed the change-custom-password-fields branch 2 times, most recently from 22fdb3f to 43ca4cf Compare March 15, 2024 18:02
@markus-96 markus-96 mentioned this pull request Mar 18, 2024
Closed
@davidcoutadeur davidcoutadeur force-pushed the change-custom-password-fields branch 2 times, most recently from 1cb957e to a810f05 Compare April 8, 2024 18:18
@davidcoutadeur
Copy link
Author

Basically, the feature seems to work on my side.

I must do additional checks and especially give a look at the checkentropy modifications

@davidcoutadeur
Copy link
Author

Seems all good to me.

Many small fixes here:

  • simplification of the checkentropy check called by js (can be called by any page)
  • adding a new parameter: pwd_unique_across_custom_password_fields (see documentation)
  • fill-in documentation
  • simplification of default values
  • bug fixes

I have tested extensively the feature. The only bug I encounter sometimes is that the field that is modified is not the custompwdfield, but the userPassword. I suspect there is maybe a wrong redirection to index.php at some point, but I can't figure out where is the problem. (and can't reproduce)

I write it here in case we reproduce one day the issue.

@markus-96 could you do a last test of the feature, and tell me if everything is ok for you? If so, I'll squash and rebase the pull-request. Thank you for your multiple reviews and tests during this long-standing issue.

markus-96
markus-96 reviewed Apr 17, 2024
View reviewed changes
htdocs/change.php Outdated
@@ -158,8 +158,8 @@
#==============================================================================
# Check password strength
#==============================================================================
if ( !$result ) {
$result = check_password_strength( $newpassword, $oldpassword, $pwd_policy_config, $login, $entry_array );
if ( $result === "" ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this has to be if ( !$result ) {.

Besides that, everything seams to be working as expected.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect, I have just fixed it in last commit. I am going to merge this

David Coutadeur added 2 commits April 17, 2024 19:00
ability to change custom password fields, developped by @markus-96 (#864
a6ed13f 
)
various refactoring around changecustompasswordfield feature (#864)
ea31808 
- fix change_password() call in changecustompwdfield
- fix check_password call in check_password_strength function
- improve custom password field documentation
- add new custom password parameters in default configuration file
- add missing parameters in custompwdfield doc
- clean default values in changecustompwdfield
- isolate policy parameter: pwd_unique_across_custom_password_fields
- fix tests (new param pwd_unique_across_custom_password_fields)
- add documentation for prehook / posthook in custompwdfield
- improve code readibility
- remove useless check for entropy page (#830, #864)
- always consider checkentropy as an available action (#830, #864)
- remove useless test (already done in ltb-ldap project)
- adapt changecustompwdfield.tpl to bootstrap 5.3 upgrade
- improve condition for testing check_password_strength
@davidcoutadeur davidcoutadeur merged commit e458c7e into master Apr 17, 2024
1 check passed
@davidcoutadeur davidcoutadeur deleted the change-custom-password-fields branch April 17, 2024 17:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markus-96 markus-96 markus-96 left review comments

Assignees

@davidcoutadeur davidcoutadeur

Labels
None yet
Projects
None yet
Milestone
1.6.0
Development

Successfully merging this pull request may close these issues.

feature: ability to change custom password fields
2 participants
@davidcoutadeur @markus-96