From e941dfdc9974bc6d1eb44134d0e00f5e6f120105 Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Wed, 26 Jan 2022 12:10:49 +0000 Subject: [PATCH] Bug 29925: Add a password reset page for expired passwords This patch adds a new page opac-reset-password where a user cna enter their login (userid or carndumber), current password, and new password. If the user has a password expiration date and the current password is correct and the new passwords match and meet requirements their password will be updated and the expiration date reset A patron whose password does not expire will be reidrected to login to change their password To test: 1 - Apply patch, updatedatabase, enable new syspref EnableExpiredPasswordReset 2 - Set 'Password expiration' for a patron category Home->Administration->Patron categories->Edit 3 - Create a new patron in this category with a userid/password set, and an email 4 - Update the patron with an expiration to be expired UPDATE borrowers SET password_expiration='2022-01-01' WHERE borrowernumber=51; 5 - Give the borrower catalogue permission 6 - Attempt to log in to Straff interface 7 - Confirm you are signed out and notified that password must be reset 8 - Click 'Reset your password' link 9 - You should see the reset password page with fields for: login, current password, new password, conmfirm password 10 - enter invalid/incomplete credentials 11 - Confirm you are notified of invlaid credentials 12 - Fill in all fields, but enter current password as new password 13 - Confirm you are notified of no change 14 - Set minimum password length / strong password requirement for category 15 - Confirm you receive error if new password too short or not secure 16 - Enter a valid new password and submit and confirm update is successful 17 - Confirm you have buttons to go to OPAC or Staff and that both work 18 - Confirm you cna log in (i.e. expiration has been reset) 19 - Expire the users password 20 - Remove catalogue permission 21 - Reset password again and confirm only OPAC link Signed-off-by: Bob Bennhoff Signed-off-by: Tomas Cohen Arazi Signed-off-by: Fridolin Somers --- .../atomicupdate/bug_29925_password_reset.pl | 15 ++ .../en/modules/admin/preferences/patrons.pref | 8 + .../intranet-tmpl/prog/en/modules/auth.tt | 4 +- .../bootstrap/en/modules/opac-auth.tt | 6 +- .../en/modules/opac-reset-password.tt | 157 ++++++++++++++++++ opac/opac-reset-password.pl | 107 ++++++++++++ 6 files changed, 294 insertions(+), 3 deletions(-) create mode 100755 installer/data/mysql/atomicupdate/bug_29925_password_reset.pl create mode 100644 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reset-password.tt create mode 100755 opac/opac-reset-password.pl diff --git a/installer/data/mysql/atomicupdate/bug_29925_password_reset.pl b/installer/data/mysql/atomicupdate/bug_29925_password_reset.pl new file mode 100755 index 0000000000..67e2628480 --- /dev/null +++ b/installer/data/mysql/atomicupdate/bug_29925_password_reset.pl @@ -0,0 +1,15 @@ +use Modern::Perl; + +return { + bug_number => "29925", + description => "Add password reset option", + up => sub { + my ($args) = @_; + my ($dbh, $out) = @$args{qw(dbh out)}; + $dbh->do(q{ + INSERT IGNORE INTO systempreferences ( `variable`, `value`, `options`, `explanation`, `type` ) VALUES + ('EnableExpiredPasswordReset', '0', NULL, 'Enable ability for patrons with expired password to reset their password directly', 'YesNo') + }); + say $out "Added EnableExpirePasswordReset system preference"; + }, +}; diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref index 76ebd9fd09..871c63722f 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/patrons.pref @@ -365,6 +365,14 @@ Patrons: 0: "Don't require" - a strong password for staff and patrons - (must contain at least one digit, one lowercase and one uppercase). + - + - pref: EnableExpiredPasswordReset + choices: + 1: "Enable" + 0: "Don't enable" + - the ability for patrons to directly reset their password when it is expired. + - If not enable patrons must either use the 'Forgot your password' feature or have staff + - reset their password. - - Block a patron's account if it reaches - pref: FailedLoginAttempts diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt index 736b54fa44..1306f6a1e5 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt @@ -52,7 +52,9 @@ [% END %] [% ELSIF password_has_expired %]
Error: Your password has expired!
- [% IF Categories.can_any_reset_password && Koha.Preference('OpacBaseURL') %] + [% IF Koha.Preference('EnableExpiredPasswordReset') && Koha.Preference('OpacBaseURL') %] + You must reset your password. + [% ELSIF Categories.can_any_reset_password && Koha.Preference('OpacBaseURL') %] You must reset your password. [% ELSE %]

You must contact the library to have your password reset

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt index acba29d1b0..0fd0d32bba 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt @@ -171,9 +171,11 @@

Error: Your password has expired!

- [% IF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %] + [% IF Koha.Preference('EnableExpiredPasswordReset') %] + Reset your password. + [% ELSIF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %] [% ELSE %]

You must contact the library to reset your password

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reset-password.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reset-password.tt new file mode 100644 index 0000000000..c770189a48 --- /dev/null +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-reset-password.tt @@ -0,0 +1,157 @@ +[% USE raw %] +[% USE Koha %] +[% USE Categories %] +[% USE AdditionalContents %] +[% PROCESS 'html_helpers.inc' %] +[% INCLUDE 'doc-head-open.inc' %] + + Reset your password + › + [% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog + +[% INCLUDE 'doc-head-close.inc' %] +[% BLOCK cssinclude %][% END %] + +[% INCLUDE 'bodytag.inc' bodyid='opac-login-page' bodyclass='scrollto' %] +[% INCLUDE 'masthead.inc' %] + +
+
+ +[% INCLUDE 'opac-bottom.inc' %] +[% BLOCK jsinclude %] + [% Asset.js("lib/jquery/plugins/jquery.validate.min.js") | $raw %] + +[% END %] diff --git a/opac/opac-reset-password.pl b/opac/opac-reset-password.pl new file mode 100755 index 0000000000..2090ddae93 --- /dev/null +++ b/opac/opac-reset-password.pl @@ -0,0 +1,107 @@ +#!/usr/bin/perl + +# This file is part of Koha. +# +# Koha is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# Koha is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Koha; if not, see . + +use Modern::Perl; + +use CGI qw ( -utf8 ); + +use C4::Auth qw( get_template_and_user checkpw checkpw_hash ); +use C4::Context; +use C4::Output qw( output_html_with_http_headers ); +use Koha::Patrons; + +use Try::Tiny qw( catch try ); + +my $query = CGI->new; + +my ( $template, $borrowernumber, $cookie ) = get_template_and_user( + { + template_name => "opac-reset-password.tt", + query => $query, + type => "opac", + authnotrequired => 1, + } +); + +my $op = $query->param('op'); + +if ( $op eq 'update' ) { + my $userid = $query->param('userid'); + my $currentpassword = $query->param('currentpassword'); + my $newpassword = $query->param('newpassword'); + my $confirmpassword = $query->param('confirmpassword'); + + my $patron = Koha::Patrons->find( { userid => $userid } ); + $patron = Koha::Patrons->find( { cardnumber => $userid } ) unless $patron; + + if ( $patron && $patron->password_expiration_date ) { + if ( $patron->account_locked ) { + $template->param( error => 'account_locked' ); + } + elsif ( $currentpassword && $newpassword && $confirmpassword ) { + my $error; + if ( C4::Auth::checkpw_hash( $currentpassword, $patron->password ) ) { + + if ( $newpassword ne $confirmpassword ) { + $template->param( 'error' => 'passwords_mismatch' ); + } + elsif ( $currentpassword eq $newpassword ) { + $template->param( 'error' => 'no_change' ); + } + else { + try { + $patron->set_password( { password => $newpassword } ); + $template->param( 'password_updated' => '1' ); + $template->param( 'staff_access' => 1 ) + if $patron->has_permission( { catalogue => 1 } ); + } + catch { + $error = 'password_too_short' + if $_->isa('Koha::Exceptions::Password::TooShort'); + $error = 'password_too_weak' + if $_->isa('Koha::Exceptions::Password::TooWeak'); + $error = 'password_has_whitespaces' + if $_->isa( + 'Koha::Exceptions::Password::WhitespaceCharacters'); + $template->param( 'error' => $error ); + }; + } + } + else { + $template->param( 'error' => 'invalid_credentials' ); + $patron->update( + { login_attempts => $patron->login_attempts + 1 } ) + if !$patron->account_locked; + } + } + else { + $template->param( 'incomplete_form' => '1' ); + } + } + elsif ( !$patron ) { + template->param( 'error' => 'invalid_credentials' ); + } + elsif ( !$patron->password_expiration_date ) { + $template->param( 'error' => 'no_expire' ); + } + else { + $template->param( 'error' => 'unknown' ); + } +} + +output_html_with_http_headers $query, $cookie, $template->output, undef, + { force_no_caching => 1 }; -- 2.39.5