Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch makes the templates relying on the OpacResetPassword syspref
use the introduced TT plugin method instead by changing:
    [% IF Koha.Preference('OpacResetPassword') %]
=>
    [% IF Categories.can_any_reset_password %]
To test:
- Verify that all the places in which the 'forgot password' link is
displayed in OPAC keep working, provided there's at least one category
that has the flag set
- Attempt to recover the password for a patron that belongs to a valid
category (i.e. that has the flag set)
=> SUCCESS: You can go through the normal process
- Attempt to recover the password for a patron that belongs to a
category with the flag unset.
=> SUCCESS: Once Koha identifies your category, you are told you are not
allowed to do it
- Sign off :-D
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies the OPAC password recovery template so that the new
password entry form doesn't appear if the patron has followed an invalid
or expired link.
This patch also corrects the markup in the page title.
To test, apply the patch and follow the process for resetting a
forgotten password. When you follow the password recovery link, modify
the URL so that the "uniqueKey" parameter is different.
The page should show an error message. The password entry form should
not appear.
Check the page title in the browser's title bar. It should look correct.
https://bugs.koha-community.org/show_bug.cgi?id=22520
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies a few templates in the OPAC so that all available
information on password requirements is displayed for each case where
the patron is setting a password:
- If the RequireStrongPassword system preference is set, a message
should appear listing strong password requirements and minimum
password length.
- If RequireStrongPassword is not set, the message should only ask for
a minimum password length.
To test, apply the patch and enable the PatronSelfRegistration and
OpacResetPassword preferences.
On the following pages, test with RequireStrongPassword both on and
off. The correct messages should appear.
- OPAC -> Forgot password. Follow the process to reset your password
until you reach the step where you are entering the new password.
- OPAC -> Register here. Check the password section of the registration
form.
- OPAC -> Log in -> Change your password.
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
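
An added example, not part of the commit or of Koha's code: the same constructed value rendered through Template Toolkit with no filter, with `html`, and inside a query string with `html` versus `uri`, followed by a minimal stand-in for the "QA script to catch missing filters" idea. The variable names and values are constructed, the Template module is assumed to be installed, and since Koha's `raw` filter is not part of stock Template Toolkit the unfiltered case simply omits the filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;    # Template Toolkit, assumed installed (Koha depends on it)

# Constructed patron data of the kind the test plan generates.
my $vars = {
    surname => '<script>alert("surname")</script>',
    query   => 'cats & dogs&sort=title',
};

# One template, three contexts: unfiltered text, html-filtered text, and a
# value placed inside a query string with html versus uri.
my $template = <<'TT';
unfiltered : <td>[% surname %]</td>
html       : <td>[% surname | html %]</td>
href html  : <a href="/search?q=[% query | html %]">[% query | html %]</a>
href uri   : <a href="/search?q=[% query | uri %]">[% query | html %]</a>
TT

my $tt = Template->new() or die Template->error();
my $output = '';
$tt->process( \$template, $vars, \$output ) or die $tt->error();
print $output;

# Naive missing-filter check: list directives that contain no "|" at all.
# It only understands plain "[% variable %]" output, not IF/FOREACH blocks.
my @unfiltered = grep { !/\|/ } $template =~ /\[%\s*([^%]+?)\s*%\]/g;
print "missing filter: $_\n" for @unfiltered;
```

In the `href html` line the browser decodes `&amp;` back to `&` when it reads the attribute, so the value still splits into a second query parameter; the `uri` line keeps the whole value inside `q`.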
This patch is a reimplementation of the original from Indranil Das Gupta
and the QA follow-up from Julian Maurice. Original test plan:
Conformance rules for HTML5 are generating warnings for <script> element
with type="text/javascript" attribute when the OPAC page is checked
with W3C Validator. This patch removes the cause of these warnings.
Test plan
=========
1/ Paste the URL to your OPAC page (if it is hosted) to W3C Validator
and watch about 10+ warnings being generated by the validator.
2/ Apply patch and re-submit the page to the Validator. The warnings
would be gone.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Follow the test plan in comment #20.
Also tweaked string, because it was really 'or' before too.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended text in added comment.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
TEST PLAN
---------
It is assumed you have set the OpacResetPassword to 'allowed',
and likely in combination with OpacPasswordChange to 'Allowed'.
You will have two patrons: one with and another without
any email address entered. You will want to test this test plan
with both patrons.
$ git checkout -b bug_18956 origin/master
Prepend the following as understood between step sections:
opac -> forgot password and then enter...
correct login/cardnumber, it will email
delete from borrower_password_recovery;
correct email, it will email
delete from borrower_password_recovery;
correct login/cardnumber && correct email, it will email
delete from borrower_password_recovery;
wrong login/cardnumber && correct email, error page as expected
delete from borrower_password_recovery;
correct login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;
wrong login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;
submit empty -- INTERNAL SERVER ERROR?!
delete from borrower_password_recovery;
-- None of the above step sections displayed email.
correct login/cardnumber, it will email
correct login/cardnumber again, but it leaks email address!
delete from borrower_password_recovery;
correct email, it will email
correct email again, but it leaks login/cardnumber!
delete from borrower_password_recovery;
$ git bz apply 18956
-- choose interactive, and choose this counter patch.
repeat the same test set again
-- no leaks will occur, error message pages returned should
be reasonable, code should read reasonably.
run koha qa test tools.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Now that we have a check client-side, nothing prevents a smart guy from
bypassing it and forcing an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.
Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!
This patch makes things consistent everywhere and cleans up some code.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
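
An added example, not the Koha::AuthUtils code this commit introduced: a server-side check for the three rejection cases named above, so a request that skips the browser-side check is still refused. The sub name `check_password`, its options, the reason codes and the definition of "strong" (one lowercase letter, one uppercase letter and one digit) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical server-side check. Returns (1, undef) when the password is
# acceptable, otherwise (0, $reason) with one of three reason codes.
sub check_password {
    my ( $password, %opt ) = @_;
    my $min_length     = $opt{min_length}     // 8;    # assumed default
    my $require_strong = $opt{require_strong} // 1;    # assumed default

    return ( 0, 'too_short' ) unless defined $password;

    # Leading or trailing whitespace is rejected rather than silently
    # trimmed, so what the patron typed is exactly what gets stored.
    return ( 0, 'has_whitespaces' ) if $password =~ m/\A\s|\s\z/;

    return ( 0, 'too_short' ) if length($password) < $min_length;

    if ($require_strong) {
        # Assumed rule: lowercase, uppercase and digit must all be present.
        return ( 0, 'too_weak' )
          unless $password =~ m/[a-z]/
          && $password =~ m/[A-Z]/
          && $password =~ m/[0-9]/;
    }
    return ( 1, undef );
}

# Constructed inputs, as a client that bypasses the form validation might send.
for my $candidate ( 'Ab1', ' Abcdefg1', 'Abcdefg1 ', 'abcdefgh', 'Abcdefg1' ) {
    my ( $ok, $reason ) = check_password( $candidate, min_length => 8 );
    printf "%-12s => %s\n", "'$candidate'",
      $ok ? 'accepted' : "rejected ($reason)";
}

# With the strength requirement off, only length and whitespace are checked.
my ($ok) = check_password( 'abcdefgh', require_strong => 0 );
print "'abcdefgh' without strength requirement => ",
  ( $ok ? 'accepted' : 'rejected' ), "\n";
```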
In OPAC password recovery form autocomplete is not disabled.
So when login or email is entered, it is saved in browser input history for autocomplete.
This is a major issue for OPAC on computers with public access.
This patch adds autocomplete off on forms.
Test :
- Enable system preferences OpacPasswordChange and OpacResetPassword
- Go to OPAC
- Be sure to not be logged in
- Click on "Forgot your password?"
- Enter a login and email and Submit
=> Without patch there is an autocompletion with values you entered
=> With patch there is no autocompletion
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To reproduce:
- Create 3 Accounts, login names are test01, test02, test03, Email is the same
for all.
- Go to OPAC -> Password recovery and indicate E-Mail only
- You will get an email for only one of the accounts above.
To test:
- Apply patch, restart memcached and plack
- Go to db, delete from borrower_password_recovery;
- Try steps above to reproduce. You will get an error message:
Account identification with this email address only is ambiguous.
Please use the field 'Login' as well.
- Verify that other cases work as before (provide valid / invalid login only,
provide valid email for an existing account, provide unknown email, provide
both login and email with all combinations of valid / invalid)
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 16711: (QA-followup) Use count directly
See comment # 13
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
OPAC password recovery allows one to find out which email address belongs to an account. An attacker could systematically guess login names. If they hit an existing one, OPAC displays a message like:
An email has been sent to "xxx@yyy.zz".
Having a combination of login name and email, attackers could use the information e.g. for phishing or other personalized actions.
To reproduce:
- Enable OPAC password recovery (syspref OpacResetPassword)
- 'Guess' a login name e.g. by using a common pattern like ptester for Peter Tester
- If such account exists, you get to know the related email address
This patch removes the email address from the success message. Additionally, it changes
wording to address Bug 18570 ('will be sent' instead of 'has been sent')
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Simplified the wording. "Will be sent shortly" is used elsewhere too.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
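
An added example, not Koha's opac-password-recovery code: the lookup outcomes described in the commit messages above (single match, shared email address, wrong combination, empty submission) with a response text that never repeats the address or login that was found. The helper name `recovery_outcome`, the sample patrons and every message except the "ambiguous" one quoted above are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample patrons; two accounts share one address.
my @patrons = (
    { userid => 'test01',  email => 'shared@example.org' },
    { userid => 'test02',  email => 'shared@example.org' },
    { userid => 'ptester', email => 'peter@example.org' },
);

# Hypothetical helper. Returns the address to mail (internal use only) and
# the text shown in the browser, which never repeats what was looked up.
sub recovery_outcome {
    my ( $login, $email ) = @_;
    $login //= '';
    $email //= '';
    return ( undef, 'Please enter a login or an email address.' )
      if $login eq '' && $email eq '';

    my @matches = grep {
             ( $login eq '' || $_->{userid} eq $login )
          && ( $email eq '' || lc( $_->{email} ) eq lc($email) )
    } @patrons;

    # Unknown login, unknown email and a login/email mismatch share one
    # answer, so the reply does not confirm which half was right.
    return ( undef, 'No account was found with the provided information.' )
      unless @matches;
    return ( undef, 'Account identification with this email address only is '
          . "ambiguous. Please use the field 'Login' as well." )
      if @matches > 1;
    return ( $matches[0]{email}, 'An email will be sent shortly.' );
}

# Constructed requests: [ login, email ]
for my $req ( [ 'ptester', '' ], [ '', 'shared@example.org' ],
    [ 'ptester', 'wrong@example.org' ], [ 'nobody', '' ], [ '', '' ] )
{
    my ( $deliver_to, $message ) = recovery_outcome(@$req);
    die "response echoes the address\n"
      if defined $deliver_to && index( $message, $deliver_to ) >= 0;
    printf "login=%-8s email=%-18s mail=%-3s %s\n", $req->[0], $req->[1],
      ( defined $deliver_to ? 'yes' : 'no' ), $message;
}
```

A login-only request still answers differently for known and unknown logins, as the test plans on this page expect; what the change removes is the disclosure of the address tied to that login.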
This patch fixes issues with the translatability of opac-password-recovery.tt
To test:
- Apply patch
- Verify that text changes make sense.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Koha already has a sub that creates salts, so let's use that instead of Math::Random::Secure, so as not to add a new dependency.
Made the references to "Forgotten password" consistent, including adding it to the title of the page.
Also removed the individual error for "this email doesn't belong to this account" as that could expose the existence of a login, which I think we'd rather not do.
Made some of the text more grammatically correct, and more library specific.
To test:
Apply on top of all of the other patches.
All the usual checks, plus make sure there are no typos in any text references.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Followup changes text from "The user can reset | can not reset their password on OPAC" to "Library users are allowed | not allowed to recover their password via e-mail in the OPAC"
This change more clearly differentiates the purpose of this new preference from OpacPasswordChange.
Bug 8753 - followup - update text for link to match common UI paradigms, fixes OpacPublic disabled view
Also corrects OpacNav being included on the reset page on private catalogues.
Updated the link for forgotten passwords to more closely match common UI paradigms, i.e. Facebook and Twitter
To test:
apply all patches, link should now be the less verbose "Forgot your password?"
disable OpacPublic, anything in opacnav should not appear (you may need to add something to opacnav to test properly)
Bug 8753 - [followup] fix the title on opac-password-recovery.tt
The title stanza was missing a <title></title> around it, causing the extra text to appear.
To test, apply all patches and make sure it looks ok and there is no extra text at the top or bottom of the page.
Bug 8753 - [followup] Correcting spelling mistakes
Make sure it all still works
Bug 8753 - [followup] fix error when no information is provided
To test:
All normal checks plus make sure that a nice error is displayed when no data is provided.
fixing the deprecated thing
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
I've addressed a lot of Liz Rea's points.
1. I have moved the code from updatedatabase.pl and kohastructure.sql to a file in the atomicupdates directory.
1a. The feature is now off by default when the atomicupdate is run.
2. The password reset link is now visible on the home page, in the modal box and on opac-user.pl .
3. The password recovery pages now use bootstrap markup.
4. I am unsure here. I see "New Password:" and "Confirm new password:".
5. This should still work :).
6. I could not reproduce.
7. I have added the userid field.
You can now reset the password by submitting either your userid or email address.
Both fields can be filled, but the email address must be one of the borrower's (email, emailpro or b_email).
When entering only the email address and two borrowers use that same address, the system tells the user to try with another address or to specify his userid.
8. The text is in the atomicupdate file. Have at it, anyone.
Concerning the email. It is inconvenient for the user to have to wait X minutes for the message queue to be processed.
Maybe we could add a sub in Letters.pm that:
Takes the same arguments as EnqueueLetter
Sends the letter.
Saves the letter in the message queue with a 'sent' status.
TEST PLAN:
Setup)
1) apply the patch
2) go to system preferences OPAC>>Privacy and set 'OpacResetPassword' to ON.
2b) make sure that OpacPasswordChange is also ON.
A)
1) refresh front page, click on 'Forgot your password' and enter a VALID address
1b) Also try an INVALID address (valid yet not in your koha db). An error message will show up.
2) An email should be received at that address with a link.
3) Follow the link in the mail to fill the new password.
Until a satisfactory new password is entered, the old password is not reset.
4) Go to main page try the new password.
B)
1) Repeat the password reset, this time use the userid (username) field.
2) Try to reset the password using a userid and an email not linked to the account. An error appears.
3) Make sure the borrower has many available email addresses.
4) For each email, reset the password using both the userid and the email. The link should be sent to the specified address
C)
1) Make sure two borrowers use the same email.
2) Repeat the reset procedure in test case A). An error message appears
http://bugs.koha-community.org/show_bug.cgi?id=13068
Author: Maxime Beaulieu <maxime.beaulieu@inlibro.com>
Followed test plan. Works as described.
Signed-off-by: Marc Veron <veron@veron.ch>
New sign-off after testing all patches together
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>