diff --git a/src/www/system_usermanager_passwordmg.php b/src/www/system_usermanager_passwordmg.php index 05b004a62..33e5db2ac 100644 --- a/src/www/system_usermanager_passwordmg.php +++ b/src/www/system_usermanager_passwordmg.php @@ -30,6 +30,7 @@ require_once("guiconfig.inc"); require_once("system.inc"); +require_once("base32/Base32.php"); $username = $_SESSION['Username']; @@ -42,6 +43,18 @@ foreach ($config['system']['user'] as $user) { } } +/* determine if the user is allowed to request a new OTP seed */ +$user_allow_gen_token = false; +if (isset($config['system']['user_allow_gen_token'])) { + $usergroups = getUserGroups($username); + foreach(explode(",", $config['system']['user_allow_gen_token']) as $groupname) { + if (in_array($groupname, $usergroups)) { + $user_allow_gen_token = true; + break; + } + } +} + if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig = array(); 
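Review bot: The group check `in_array($groupname, $usergroups)` in the new `$user_allow_gen_token` loop uses loose comparison and the names produced by `explode(",", ...)` are not trimmed, so a stored value like `"admins, users"` (constructed example) would never match its second group while non-string entries could match unexpectedly; `in_array(trim($groupname), $usergroups, true)` is the strict form. The flag is computed on every request (GET included) even though only the POST handler consults it, which is harmless but worth stating in the existing comment, e.g. `/* determine if the user is allowed to request a new OTP seed; the POST handler still requires a local user */`. The shape of `getUserGroups()`'s return value (a list of group names) is inferred from its use here, as the function is defined outside this file.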
@@ -56,49 +69,68 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $input_errors = array(); $pconfig = $_POST; - /* we can continue without a password if nothing was provided */ - if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') { - if ($pconfig['passwordfld1'] != $pconfig['passwordfld2'] || - !password_verify($pconfig['passwordfld0'], $config['system']['user'][$userindex[$username]]['password'])) { - $input_errors[] = gettext("The passwords do not match."); + if (!empty($pconfig['request_otp_seed'])) { + if ($user_allow_gen_token && $userFound) { + $new_seed = Base32\Base32::encode(openssl_random_pseudo_bytes(20)); + $config['system']['user'][$userindex[$username]]['otp_seed'] = $new_seed; + write_config(); + $otp_url = "otpauth://totp/"; + $otp_url .= $username."@".htmlspecialchars($config['system']['hostname'])."?secret="; + $otp_url .= $new_seed; + echo json_encode([ + "otp_seed" => $new_seed , + "otp_seed_url" => $otp_url, + "status" => "ok" + ]); + } else { + echo json_encode(["status" => "failed"]); } - - if (!$userFound) { - $input_errors[] = gettext("Sorry, you cannot change settings for a non-local user."); - } elseif (count($input_errors) == 0) { - $authenticator = get_authenticator(); - $input_errors = $authenticator->checkPolicy($username, $pconfig['passwordfld0'], $pconfig['passwordfld1']); - } - } - - if (count($input_errors) == 0) { - if (!empty($pconfig['language'])) { - $config['system']['user'][$userindex[$username]]['language'] = $pconfig['language']; - } elseif (isset($config['system']['user'][$userindex[$username]]['language'])) { - unset($config['system']['user'][$userindex[$username]]['language']); - } - - // only update password change date if there is a policy constraint - if (!empty($config['system']['webgui']['enable_password_policy_constraints']) && - !empty($config['system']['webgui']['password_policy_length']) - ) { - $config['system']['user'][$userindex[$username]]['pwd_changed_at'] = microtime(true); - } - if 
(!empty($_SESSION['user_shouldChangePassword'])) { - session_start(); - unset($_SESSION['user_shouldChangePassword']); - session_write_close(); - } - if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') { - local_user_set_password($config['system']['user'][$userindex[$username]], $pconfig['passwordfld1']); - local_user_set($config['system']['user'][$userindex[$username]]); - } - - write_config(); - - $unused_but_needed_for_translation = gettext('Saved settings for user "%s"'); - header(url_safe('Location: /system_usermanager_passwordmg.php?savemsg=%s', array('Saved settings for user "%s"'))); exit; + } else { + /* we can continue without a password if nothing was provided */ + if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') { + if ($pconfig['passwordfld1'] != $pconfig['passwordfld2'] || + !password_verify($pconfig['passwordfld0'], $config['system']['user'][$userindex[$username]]['password'])) { + $input_errors[] = gettext("The passwords do not match."); + } + + if (!$userFound) { + $input_errors[] = gettext("Sorry, you cannot change settings for a non-local user."); + } elseif (count($input_errors) == 0) { + $authenticator = get_authenticator(); + $input_errors = $authenticator->checkPolicy($username, $pconfig['passwordfld0'], $pconfig['passwordfld1']); + } + } + + if (count($input_errors) == 0) { + if (!empty($pconfig['language'])) { + $config['system']['user'][$userindex[$username]]['language'] = $pconfig['language']; + } elseif (isset($config['system']['user'][$userindex[$username]]['language'])) { + unset($config['system']['user'][$userindex[$username]]['language']); + } + + // only update password change date if there is a policy constraint + if (!empty($config['system']['webgui']['enable_password_policy_constraints']) && + !empty($config['system']['webgui']['password_policy_length']) + ) { + $config['system']['user'][$userindex[$username]]['pwd_changed_at'] = microtime(true); + } + if 
(!empty($_SESSION['user_shouldChangePassword'])) { + session_start(); + unset($_SESSION['user_shouldChangePassword']); + session_write_close(); + } + if ($pconfig['passwordfld1'] !== '' || $pconfig['passwordfld2'] !== '') { + local_user_set_password($config['system']['user'][$userindex[$username]], $pconfig['passwordfld1']); + local_user_set($config['system']['user'][$userindex[$username]]); + } + + write_config(); + + $unused_but_needed_for_translation = gettext('Saved settings for user "%s"'); + header(url_safe('Location: /system_usermanager_passwordmg.php?savemsg=%s', array('Saved settings for user "%s"'))); + exit; + } } } @@ -107,6 +139,43 @@ legacy_html_escape_form_data($pconfig); include("head.inc"); ?> + + + +
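Review bot: The seed generation `Base32\Base32::encode(openssl_random_pseudo_bytes(20))` never checks the `$crypto_strong` out-parameter or a `false` return, so a failing entropy source would silently yield an empty or weak TOTP secret; `random_bytes(20)` throws on failure and is the safer call for a second-factor seed. Nothing in the `request_otp_seed` branch ends the request after `echo json_encode(...)` — the `exit;` is only on the password path — so, as far as this hunk shows, the HTML page rendered after `include("head.inc")` is appended to the JSON body; an `exit;` after the inner if/else, preceded by `header('Content-Type: application/json');` before the echo, would close that. The `otpauth://` URI is built with `htmlspecialchars()` on the hostname and the raw `$username`, which is HTML escaping in a URI context; `rawurlencode()` is the matching escape for both parts. Unlike the password path, rotating the second factor does not re-verify `passwordfld0`, so an authenticated session alone can replace the user's OTP seed; requiring the current password here, as the password change already does, is worth a deliberate decision.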