Owen Leonard
85c4cd4712
The OPAC change password template enforces the OpacPasswordChange preference by preventing the form from appearing. However, the script doesn't contain any check for OpacPasswordChange so it is vulnerable to someone submitting data to it by some other means. This patch adds a check for OpacPasswordChange to the script and revises the template logic in order to show the right warning in all circumstances. To test, turn off OpacPasswordChange and navigate manually to opac-passwd.pl. You should see a warning that you can't change your password. Turn on OpacPasswordChange load the change password page and save the page to your desktop. Turn off OpacPasswordChange and submit a password change via the saved page. Without the patch this would result in a password change. After the patch it should not. Signed-off-by: Melia Meggs <melia@test.bywatersolutions.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Confirmed bug and made sure patch fixes it. Passes all tests and perlcritic. Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
61 lines
2.7 KiB
Text
61 lines
2.7 KiB
Text
[% INCLUDE 'doc-head-open.inc' %][% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog › Change your password
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
</head>
|
|
<body id="opac-passwd">
|
|
<div id="doc3" class="yui-t1">
|
|
<div id="bd">
|
|
[% INCLUDE 'masthead.inc' %]
|
|
|
|
<div id="yui-main">
|
|
<div class="yui-b"><div class="yui-g">
|
|
<div id="userpasswd" class="container">
|
|
<h3><a href="/cgi-bin/koha/opac-user.pl">[% firstname %] [% surname %]'s account</a> ⇢ Change your password </h3>
|
|
|
|
[% IF ( Error_messages ) %]
|
|
<div class="dialog error"> <h3>There was a problem with your submission</h3>
|
|
<p>
|
|
[% IF ( PassMismatch ) %]
|
|
Passwords do not match. Please re-type your new password.
|
|
[% END %]
|
|
[% IF ( ShortPass ) %]
|
|
Your new password must be at least [% minpasslen %] characters long
|
|
[% END %]
|
|
[% IF ( WrongPass ) %]
|
|
Your current password was entered incorrectly. If this problem persists, please ask a librarian to re-set your password for you.
|
|
[% END %]
|
|
</p></div>
|
|
[% END %]
|
|
|
|
[% IF ( OpacPasswordChange ) %]
|
|
[% IF ( Ask_data ) %]
|
|
<form action="/cgi-bin/koha/opac-passwd.pl" name="mainform" id="mainform" method="post"><fieldset class="brief">
|
|
[% UNLESS ( ShortPass ) %]<div class="hint">Your password must be at least [% minpasslen %] characters long.</div>[% END %]
|
|
<ol> <li><label for="Oldkey">Current password:</label> <input type="password" id="Oldkey" size="25" name="Oldkey" /></li>
|
|
<li><label for="Newkey">New password:</label> <input type="password" id="Newkey" size="25" name="Newkey" /></li>
|
|
<li><label for="Confirm">Re-type new password:</label> <input type="password" id="Confirm" size="25" name="Confirm" /></li></ol></fieldset>
|
|
<fieldset class="action"><input type="submit" value="Submit changes" class="submit" /> <a href="/cgi-bin/koha/opac-user.pl" class="cancel">Cancel</a></fieldset>
|
|
</form>
|
|
[% END %]
|
|
[% ELSE %]
|
|
<div class="dialog alert">You can't change your password.</div>
|
|
[% END %]
|
|
|
|
[% IF ( password_updated ) %]
|
|
<div class="dialog message"><h1>Password updated</h1>
|
|
Your password has been changed</div>
|
|
<form action="/cgi-bin/koha/opac-user.pl" method="post">
|
|
<input type="hidden" name="borrowernumber" value="[% borrowernumber %]" />
|
|
<p><input type="submit" class="icon back" value="Return to your record" /></p>
|
|
</form>
|
|
[% END %]
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="yui-b">
|
|
<div id="leftmenus" class="container">
|
|
[% INCLUDE 'navigation.inc' IsPatronPage=1 %]
|
|
</div>
|
|
</div>
|
|
</div>
|
|
[% INCLUDE 'opac-bottom.inc' %]
|