authorArthurHoaro <arthur@hoa.ro>2020-05-27 13:35:48 +0200
committerArthurHoaro <arthur@hoa.ro>2020-07-23 21:19:21 +0200
commitef00f9d2033f6de11e71bf3a909399cae6f73a9f (patch)
tree96f47312084bab73be34495eed4280110a8ff258 /index.php
parentba43064ddb7771fc97df135a32f9b0d5e373dd36 (diff)
Process password change controller through Slim
Diffstat (limited to 'index.php')
-rw-r--r--index.php54
1 files changed, 4 insertions, 50 deletions
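--- a/index.php
+++ b/index.php
@@ -507,56 +507,8 @@ function renderPage($conf, $pluginManager, $bookmarkService, $history, $sessionM
 
     // -------- User wants to change his/her password.
     if ($targetPage == Router::$PAGE_CHANGEPASSWORD) {
-        if ($conf->get('security.open_shaarli')) {
-            die(t('You are not supposed to change a password on an Open Shaarli.'));
-        }
-
-        if (!empty($_POST['setpassword']) && !empty($_POST['oldpassword'])) {
-            if (!$sessionManager->checkToken($_POST['token'])) {
-                die(t('Wrong token.')); // Go away!
-            }
-
-            // Make sure old password is correct.
-            $oldhash = sha1(
-                $_POST['oldpassword'].$conf->get('credentials.login').$conf->get('credentials.salt')
-            );
-            if ($oldhash != $conf->get('credentials.hash')) {
-                echo '<script>alert("'
-                    . t('The old password is not correct.')
-                    .'");document.location=\'./?do=changepasswd\';</script>';
-                exit;
-            }
-            // Save new password
-            // Salt renders rainbow-tables attacks useless.
-            $conf->set('credentials.salt', sha1(uniqid('', true) .'_'. mt_rand()));
-            $conf->set(
-                'credentials.hash',
-                sha1(
-                    $_POST['setpassword']
-                    . $conf->get('credentials.login')
-                    . $conf->get('credentials.salt')
-                )
-            );
-            try {
-                $conf->write($loginManager->isLoggedIn());
-            } catch (Exception $e) {
-                error_log(
-                    'ERROR while writing config file after changing password.' . PHP_EOL .
-                    $e->getMessage()
-                );
-
-                // TODO: do not handle exceptions/errors in JS.
-                echo '<script>alert("'. $e->getMessage() .'");document.location=\'./tools\';</script>';
-                exit;
-            }
-            echo '<script>alert("'. t('Your password has been changed') .'");document.location=\'./tools\';</script>';
-            exit;
-        } else {
-            // show the change password form.
-            $PAGE->assign('pagetitle', t('Change password') .' - '. $conf->get('general.title', 'Shaarli'));
-            $PAGE->renderPage('changepassword');
-            exit;
-        }
+        header('Location: ./password');
+        exit;
     }
 
     // -------- User wants to change configuration
@@ -1504,6 +1456,8 @@ $app->group('', function () {
     /* -- LOGGED IN -- */
     $this->get('/logout', '\Shaarli\Front\Controller\Admin\LogoutController:index')->setName('logout');
     $this->get('/tools', '\Shaarli\Front\Controller\Admin\ToolsController:index')->setName('tools');
+    $this->get('/password', '\Shaarli\Front\Controller\Admin\PasswordController:index')->setName('password');
+    $this->post('/password', '\Shaarli\Front\Controller\Admin\PasswordController:change')->setName('changePassword');
 
     $this
         ->get('/links-per-page', '\Shaarli\Front\Controller\Admin\SessionFilterController:linksPerPage')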
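Review bot: The new `header('Location: ./password'); exit;` in the first hunk drops three checks that the legacy branch enforced inline — the `security.open_shaarli` refusal, the `$sessionManager->checkToken()` CSRF check and the old-password verification — and none of them appears anywhere in this diff, so they must now live in `PasswordController::change`, which is not shown here and should be confirmed before merging. The redirect is an unconditional 302, so a legacy POST to `?do=changepasswd` becomes a GET of the new form and its body is discarded rather than processed; that is the safe outcome, but a one-line comment would make it deliberate: `// Legacy entry point: the change itself is handled by POST /password (PasswordController::change).` In the second hunk both `/password` routes sit under the `/* -- LOGGED IN -- */` marker, so authentication presumably comes from the group's middleware — worth confirming the POST route is covered as well, since it is the state-changing one. The enclosing `renderPage()` function and the `$app->group()` closure both start and end outside these hunks.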