From d55ecc6ebe87c2c2997be1b85627c533b350326e Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 17 Mar 2025 11:50:30 +0100
Subject: [PATCH] auth: rewire system_usermanager_passwordmg.php to /ui/user_portal for cooperation with the next business edition. This commit consists of two parts: 1) Add user portal privileges to "Lobby: Password" as this replaces the legacy item 2) Rewire password policy constraints to use "ui/user_portal", which will be redirected to the legacy page when BE is not installed. The impact of this change should be small.
---
 src/opnsense/mvc/app/models/OPNsense/Core/ACL.php | 9 +++++++--
 src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml | 2 ++
 src/opnsense/www/index.php | 10 ++++++++--
 src/www/authgui.inc | 2 +-
 4 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
index bda3809f4..92540c96c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@@ -277,7 +277,12 @@ class ACL
 {
 if (!empty($_SESSION['user_shouldChangePassword'])) {
 // when a password change is enforced, lock all other endpoints
- return $this->urlMatch($url, 'system_usermanager_passwordmg.php*');
+ foreach (['system_usermanager_passwordmg.php*', 'ui/user_portal', 'api/user_portal/user/*'] as $pattern) {
+ if ($this->urlMatch($url, $pattern)) {
+ return true;
+ }
+ }
+ return false;
 }
 foreach ($this->urlMasks($username) as $urlmask) {
 if ($this->urlMatch($url, $urlmask)) {
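Review bot: The lock branch in the first ACL.php hunk now lets a session flagged `user_shouldChangePassword` reach everything under `api/user_portal/user/*`, and that controller is not part of this commit, so the set of actions opened before the password is changed cannot be checked from here. If the password form needs only a few actions, list those instead of the wildcard, or state the expected contract in a comment next to the list. The same three patterns also end up under "Lobby: Password" in ACL.xml; a class constant such as `private const PASSWORD_CHANGE_URLS = ['system_usermanager_passwordmg.php*', 'ui/user_portal', 'api/user_portal/user/*'];` would give the lock one place to review. The enclosing method starts and ends outside the hunk.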
@@ -358,7 +363,7 @@ class ACL
 {
 if (!empty($_SESSION['user_shouldChangePassword'])) {
 // ACL lock, may only access password page
- return "system_usermanager_passwordmg.php";
+ return "ui/user_portal";
 } elseif (!empty($this->userDatabase[$username]['landing_page'])) {
 // remove leading slash, which would result in redirection to //page (without host) after login or auth failure.
 $page = ltrim($this->userDatabase[$username]['landing_page'], '/');
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
index 1af69767f..7099c5c0d 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@@ -648,6 +648,8 @@ Lobby: Password system_usermanager_passwordmg.php* + ui/user_portal + api/user_portal/user/*
diff --git a/src/opnsense/www/index.php b/src/opnsense/www/index.php
index 3d6323ee2..658e350e4 100644
--- a/src/opnsense/www/index.php
+++ b/src/opnsense/www/index.php
@@ -68,8 +68,14 @@ try {
 'action' => 'indexAction',
 ]);
 } catch (\OPNsense\Mvc\Exceptions\DispatchException) {
- // unroutable (page not found), present page not found controller
- $response = $router->routeRequest('/ui/core/index/index');
+ if ($_SERVER['REQUEST_URI'] === '/ui/user_portal') {
+ /* legacy user password manager requested, non BE install */
+ header('Location: /system_usermanager_passwordmg.php');
+ exit(0);
+ } else {
+ // unroutable (page not found), present page not found controller
+ $response = $router->routeRequest('/ui/core/index/index');
+ }
 }

 if (!$response->isSent()) {
diff --git a/src/www/authgui.inc b/src/www/authgui.inc
index 996279bab..bdc5fa19a 100644
--- a/src/www/authgui.inc
+++ b/src/www/authgui.inc
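Review bot: In the index.php hunk the fallback compares the raw `$_SERVER['REQUEST_URI']` with `'/ui/user_portal'`, and REQUEST_URI carries the query string, so a request with any query parameter or a trailing slash falls through to the not-found controller instead of the legacy password page. For a session that the ACL lock restricts to the password pages this could leave no usable page, though that depends on how urlMatch treats such URLs, which is not visible here. Comparing the path component only avoids it: `if (rtrim((string)parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/') === '/ui/user_portal') {`. The redirect target is a constant, so the Location header itself carries no request-controlled data. The try block begins outside the hunk.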
@@ -197,7 +197,7 @@ function session_auth()
 header(url_safe("Location: {$redir_uri}"));
 }
 } elseif (!empty($_SESSION['user_shouldChangePassword'])) {
- header("Location: system_usermanager_passwordmg.php");
+ header("Location: /ui/user_portal");
 } else {
 if ($_SERVER['REQUEST_URI'] == "/") {
 // default landing page
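Review bot: Nothing at the new `header("Location: /ui/user_portal");` line says that this target is only served on business edition installs and that other installs reach the password page through the fallback redirect in src/opnsense/www/index.php. A comment such as `// BE user portal; index.php redirects to system_usermanager_passwordmg.php when it is not installed` would keep the two places connected for whoever changes either one. session_auth() continues past the hunk, so whether execution stops after this header() cannot be confirmed from the lines shown.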