auth: rewire system_usermanager_passwordmg.php to /ui/user_portal for cooperation with the next business edition.

This commit consists of two parts: 1) Add user portal privileges to "Lobby: Password" as this replaces the legacy item 2) Rewire password policy constraints to use "ui/user_portal", which will be redirected to the legacy page when BE is not installed. The impact of this change should be small.
2026-03-13 08:09:41 +00:00 · 2025-03-17 11:50:30 +01:00 · 2025-03-17 11:50:30 +01:00 · d55ecc6ebe
commit d55ecc6ebe
parent 7140a2cf2b
4 changed files with 18 additions and 5 deletions
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@ -277,7 +277,12 @@ class ACL
    {
        if (!empty($_SESSION['user_shouldChangePassword'])) {
            // when a password change is enforced, lock all other endpoints
-            return $this->urlMatch($url, 'system_usermanager_passwordmg.php*');
+            foreach (['system_usermanager_passwordmg.php*', 'ui/user_portal', 'api/user_portal/user/*'] as $pattern) {
+                if ($this->urlMatch($url, $pattern)) {
+                    return true;
+                }
+            }
+            return false;
        }
        foreach ($this->urlMasks($username) as $urlmask) {
            if ($this->urlMatch($url, $urlmask)) {
@ -358,7 +363,7 @@ class ACL
    {
        if (!empty($_SESSION['user_shouldChangePassword'])) {
            // ACL lock, may only access password page
-            return "system_usermanager_passwordmg.php";
+            return "ui/user_portal";
        } elseif (!empty($this->userDatabase[$username]['landing_page'])) {
            // remove leading slash, which would result in redirection to //page (without host) after login or auth failure.
            $page = ltrim($this->userDatabase[$username]['landing_page'], '/');
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@ -648,6 +648,8 @@
        <name>Lobby: Password</name>
        <patterns>
            <pattern>system_usermanager_passwordmg.php*</pattern>
+            <pattern>ui/user_portal</pattern>
+            <pattern>api/user_portal/user/*</pattern>
        </patterns>
    </page-system-usermanager-passwordmg>
    <page-openvpn-client-export>
--- a/src/opnsense/www/index.php
+++ b/src/opnsense/www/index.php
@ -68,8 +68,14 @@ try {
            'action' => 'indexAction',
        ]);
    } catch (\OPNsense\Mvc\Exceptions\DispatchException) {
-        // unroutable (page not found), present page not found controller
-        $response = $router->routeRequest('/ui/core/index/index');
+        if ($_SERVER['REQUEST_URI'] === '/ui/user_portal') {
+            /* legacy user password manager requested, non BE install */
+            header('Location: /system_usermanager_passwordmg.php');
+            exit(0);
+        } else {
+            // unroutable (page not found), present page not found controller
+            $response = $router->routeRequest('/ui/core/index/index');
+        }
    }

    if (!$response->isSent()) {
--- a/src/www/authgui.inc
+++ b/src/www/authgui.inc
@ -197,7 +197,7 @@ function session_auth()
                    header(url_safe("Location: {$redir_uri}"));
                }
            } elseif (!empty($_SESSION['user_shouldChangePassword'])) {
-                header("Location: system_usermanager_passwordmg.php");
+                header("Location: /ui/user_portal");
            } else {
                if ($_SERVER['REQUEST_URI'] == "/") {
                    // default landing page