From 3b2760c6ff9ce4e3e140478de793eec957a0384b Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Wed, 8 Feb 2012 17:55:00 +0000
Subject: [PATCH] support forced password changes in self service (bug 3483907)
---
 lam/lib/baseModule.inc | 6 ++++--
 lam/lib/modules/asteriskAccount.inc | 5 +++--
 lam/lib/modules/asteriskVoicemail.inc | 5 +++--
 lam/lib/modules/inetOrgPerson.inc | 12 ++++++++++--
 lam/lib/modules/kolabUser.inc | 12 ++++++++++--
 lam/lib/modules/posixAccount.inc | 12 ++++++++++--
 lam/lib/modules/sambaSamAccount.inc | 5 +++--
 lam/lib/selfService.inc | 10 ++++++----
 8 files changed, 49 insertions(+), 18 deletions(-)
diff --git a/lam/lib/baseModule.inc b/lam/lib/baseModule.inc
index 5b2738c5..d579a631 100644
--- a/lam/lib/baseModule.inc
+++ b/lam/lib/baseModule.inc
@@ -1231,11 +1231,12 @@ abstract class baseModule {
 *
 * @param array $fields list of active fields
 * @param array $attributes attributes of LDAP account
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return htmlElement meta HTML object
 *
 * @see htmlElement
 */
- public function getSelfServiceOptions($fields, $attributes) {
+ public function getSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 // this function must be overwritten by subclasses.
 return array();
 }
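Review bot: The `$passwordChangeOnly` contract is enforced only by each module's own early return, so the base-class docblock in this hunk should state the obligation rather than merely describe the flag; a subclass that ignores it will still render, read and later apply non-password attributes from `$_POST` while the account is in a forced-change state. Suggested addition to the new `@param` line: `When true, implementations must not render, read or modify anything except password attributes.` The same wording belongs on `checkSelfServiceOptions` in the next hunk. Adding a required third parameter without a default also affects any out-of-tree module that still overrides the two-argument form: PHP's declaration-compatibility check flags it, and if the override is kept it is still called with three arguments and silently runs in full-edit mode, so that compatibility break is worth stating in the method documentation.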
@@ -1253,9 +1254,10 @@ abstract class baseModule {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- public function checkSelfServiceOptions($fields, $attributes) {
+ public function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
 return $return;
 }
diff --git a/lam/lib/modules/asteriskAccount.inc b/lam/lib/modules/asteriskAccount.inc
index 2314c598..3276d61d 100644
--- a/lam/lib/modules/asteriskAccount.inc
+++ b/lam/lib/modules/asteriskAccount.inc
@@ -1577,11 +1577,12 @@ class asteriskAccount extends baseModule implements passwordService {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- function checkSelfServiceOptions($fields, $attributes) {
+ function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
- if (!in_array_ignore_case('AsteriskSIPUser', $attributes['objectClass'])) {
+ if (!isset($attributes['objectClass']) || !in_array_ignore_case('AsteriskSIPUser', $attributes['objectClass'])) {
 return $return;
 }
 if (isset($_POST['posixAccount_password']) && ($_POST['posixAccount_password'] != '')) {
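Review bot: The added `isset($attributes['objectClass'])` guard makes a request without readable directory content return the empty `$return` before the SIP password is handled, so a forced password change would rotate the primary password but leave the Asterisk secret at its old value; the identical guard in asteriskVoicemail and sambaSamAccount (hunks below) has the same effect for those services. If the `$passwordChangeOnly` description is accurate — no LDAP content readable — that is exactly the situation this commit introduces, and the old credential presumably stays valid for SIP/SMB until the user changes the password again through the normal form. Either the caller should still read `objectClass` in forced-change mode so the secondary hashes are rotated together, or the early return should at least surface the skipped update, e.g. `$return['messages'][] = array('WARN', _('Asterisk password was not updated because the object class could not be read.'));`. The body of this function continues outside the hunk.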
diff --git a/lam/lib/modules/asteriskVoicemail.inc b/lam/lib/modules/asteriskVoicemail.inc
index 94eccf3b..91ac9e9d 100644
--- a/lam/lib/modules/asteriskVoicemail.inc
+++ b/lam/lib/modules/asteriskVoicemail.inc
@@ -587,11 +587,12 @@ class asteriskVoicemail extends baseModule implements passwordService {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- function checkSelfServiceOptions($fields, $attributes) {
+ function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
- if (!in_array_ignore_case('AsteriskVoiceMail', $attributes['objectClass'])) {
+ if (!isset($attributes['objectClass']) || !in_array_ignore_case('AsteriskVoiceMail', $attributes['objectClass'])) {
 return $return;
 }
 if (isset($_POST['posixAccount_password']) && ($_POST['posixAccount_password'] != '')) {
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index 633ce6fc..5fe6bda9 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -2478,10 +2478,14 @@ class inetOrgPerson extends baseModule implements passwordService {
 *
 * @param array $fields list of active fields
 * @param array $attributes attributes of LDAP account
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array meta HTML
 */
- function getSelfServiceOptions($fields, $attributes) {
+ function getSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array();
+ if ($passwordChangeOnly) {
+ return $return; // no fields as long no LDAP content can be read
+ }
 if (in_array('firstName', $fields)) {
 $firstName = '';
 if (isset($attributes['givenName'][0])) $firstName = $attributes['givenName'][0];
@@ -2677,10 +2681,14 @@ class inetOrgPerson extends baseModule implements passwordService {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- function checkSelfServiceOptions($fields, $attributes) {
+ function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
+ if ($passwordChangeOnly) {
+ return $return; // skip processing if only a password change is done
+ }
 $attributeNames = array(); // list of attributes which should be checked for modification
 $attributesNew = $attributes;
 // first name
diff --git a/lam/lib/modules/kolabUser.inc b/lam/lib/modules/kolabUser.inc
index 89f4f2e7..644d694f 100644
--- a/lam/lib/modules/kolabUser.inc
+++ b/lam/lib/modules/kolabUser.inc
@@ -818,9 +818,13 @@ class kolabUser extends baseModule {
 *
 * @param array $fields list of active fields
 * @param array $attributes attributes of LDAP account
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array meta HTML
 */
- function getSelfServiceOptions($fields, $attributes) {
+ function getSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
+ if ($passwordChangeOnly) {
+ return array(); // no Kolab fields as long no LDAP content can be read
+ }
 if (!in_array('kolabInetOrgPerson', $attributes['objectClass'])) {
 return array();
 }
@@ -926,10 +930,14 @@ class kolabUser extends baseModule {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- function checkSelfServiceOptions($fields, $attributes) {
+ function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
+ if ($passwordChangeOnly) {
+ return $return; // skip processing if only a password change is done
+ }
 if (!in_array_ignore_case('kolabInetOrgPerson', $attributes['objectClass'])) {
 return $return;
 }
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index f44646e1..599d0dde 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
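Review bot: `getSelfServiceOptions` tests the object class with a case-sensitive `in_array('kolabInetOrgPerson', …)` while `checkSelfServiceOptions` in the second hunk uses `in_array_ignore_case`, and unlike the Asterisk/Samba modules in this commit neither line guards `isset($attributes['objectClass'])`; the new early return covers the password-only case, but an entry whose objectClass is stored as `kolabinetorgperson` would have its Kolab fields hidden by the form while the check side presumably still processes POST values for them. Make the read side match the check side: `if (!isset($attributes['objectClass']) || !in_array_ignore_case('kolabInetOrgPerson', $attributes['objectClass'])) {`. Both function bodies continue outside their hunks.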
@@ -2067,9 +2067,10 @@ class posixAccount extends baseModule implements passwordService {
 *
 * @param array $fields list of active fields
 * @param array $attributes attributes of LDAP account
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array meta HTML
 */
- function getSelfServiceOptions($fields, $attributes) {
+ function getSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array();
 if (in_array('password', $fields)) {
 $pwdTable = new htmlTable();
@@ -2084,6 +2085,9 @@ class posixAccount extends baseModule implements passwordService {
 $pwdTable
 ));
 }
+ if ($passwordChangeOnly) {
+ return $return; // only password fields as long no LDAP content can be read
+ }
 if (in_array('cn', $fields)) {
 $cn = '';
 if (isset($attributes['cn'][0])) $cn = $attributes['cn'][0];
@@ -2115,9 +2119,10 @@ class posixAccount extends baseModule implements passwordService {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- function checkSelfServiceOptions($fields, $attributes) {
+ function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
 if (in_array('password', $fields)) {
 if (isset($_POST['posixAccount_password']) && ($_POST['posixAccount_password'] != '')) {
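Review bot: In forced-change mode the only markup produced is the block guarded by `in_array('password', $fields)` in the first hunk, and the new early return in the second hunk hands back `$return` regardless, so a self-service profile that does not list `password` among the posixAccount fields yields an empty page with no way to complete the forced change. Consider letting the flag override the field list for the password row, `if ($passwordChangeOnly || in_array('password', $fields)) {`, or at least record the dependency in the comment on the early return: `// only password fields as long as no LDAP content can be read; requires 'password' in the profile's field list`. `checkSelfServiceOptions` in the third hunk has the same `in_array('password', $fields)` dependency; its body and the matching guard continue past the end of this hunk.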
@@ -2145,6 +2150,9 @@ class posixAccount extends baseModule implements passwordService {
 }
 }
 }
+ if ($passwordChangeOnly) {
+ return $return; // skip processing if only a password change is done
+ }
 if (in_array('cn', $fields)) {
 if (isset($_POST['posixAccount_cn']) && ($_POST['posixAccount_cn'] != '')) {
 if (!get_preg($_POST['posixAccount_cn'], 'cn')) {
diff --git a/lam/lib/modules/sambaSamAccount.inc b/lam/lib/modules/sambaSamAccount.inc
index 9d6c022b..ab73c1e9 100644
--- a/lam/lib/modules/sambaSamAccount.inc
+++ b/lam/lib/modules/sambaSamAccount.inc
@@ -2090,11 +2090,12 @@ class sambaSamAccount extends baseModule implements passwordService {
 *
 * @param string $fields input fields
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and attributes (array('messages' => array(), 'add' => array('mail' => array('test@test.com')), 'del' => array(), 'mod' => array(), 'info' => array()))
 */
- function checkSelfServiceOptions($fields, $attributes) {
+ function checkSelfServiceOptions($fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
- if (!in_array_ignore_case('sambaSamAccount', $attributes['objectClass'])) {
+ if (!isset($attributes['objectClass']) || !in_array_ignore_case('sambaSamAccount', $attributes['objectClass'])) {
 return $return;
 }
 if (isset($_POST['posixAccount_password']) && ($_POST['posixAccount_password'] != '')) {
diff --git a/lam/lib/selfService.inc b/lam/lib/selfService.inc
index 87ff6459..3c0b8609 100644
--- a/lam/lib/selfService.inc
+++ b/lam/lib/selfService.inc
@@ -90,15 +90,16 @@ function getSelfServiceFieldSettings($scope) {
 * @param string $scope account type
 * @param array $fields input fields (array( => array(, , ...)))
 * @param array $attributes LDAP attributes (attribute names in lower case)
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array meta HTML code (array( => htmlTableRow))
 */
-function getSelfServiceOptions($scope, $fields, $attributes) {
+function getSelfServiceOptions($scope, $fields, $attributes, $passwordChangeOnly) {
 $return = array();
 $modules = getAvailableModules($scope);
 for ($i = 0; $i < sizeof($modules); $i++) {
 if (!isset($fields[$modules[$i]])) continue;
 $m = new $modules[$i]($scope);
- $code = $m->getSelfServiceOptions($fields[$modules[$i]], $attributes);
+ $code = $m->getSelfServiceOptions($fields[$modules[$i]], $attributes, $passwordChangeOnly);
 if (sizeof($code) > 0) $return[$modules[$i]] = $code;
 }
 return $return;
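Review bot: `$passwordChangeOnly` becomes a required fourth argument of this wrapper, yet the diffstat lists no file outside `lam/lib` that calls it, so unless the self-service page is updated in a separate change the existing call site still passes three arguments; PHP then emits a warning and binds `null`, which every `if ($passwordChangeOnly)` guard in the modules treats as false, so the degraded path is the full edit form rather than the restricted one (fail-open). The caller update should land together with this change, and the same applies to `checkSelfServiceOptions` in the next hunk. If the parameter is intended to be optional for compatibility, say so on the `@param` line rather than relying on the missing-argument warning.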
@@ -111,15 +112,16 @@ function getSelfServiceOptions($scope, $fields, $attributes) {
 * @param string $scope account type
 * @param string $fields input fields (array( => array(, , ...)))
 * @param array $attributes LDAP attributes
+ * @param boolean $passwordChangeOnly indicates that the user is only allowed to change his password and no LDAP content is readable
 * @return array messages and LDAP commands (array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array()))
 */
-function checkSelfServiceOptions($scope, $fields, $attributes) {
+function checkSelfServiceOptions($scope, $fields, $attributes, $passwordChangeOnly) {
 $return = array('messages' => array(), 'add' => array(), 'del' => array(), 'mod' => array(), 'info' => array());
 $modules = getAvailableModules($scope);
 for ($i = 0; $i < sizeof($modules); $i++) {
 if (!isset($fields[$modules[$i]])) continue;
 $m = new $modules[$i]($scope);
- $result = $m->checkSelfServiceOptions($fields[$modules[$i]], $attributes);
+ $result = $m->checkSelfServiceOptions($fields[$modules[$i]], $attributes, $passwordChangeOnly);
 if (sizeof($result['messages']) > 0) $return['messages'] = array_merge($result['messages'], $return['messages']);
 if (sizeof($result['add']) > 0) $return['add'] = array_merge($result['add'], $return['add']);
 if (sizeof($result['del']) > 0) $return['del'] = array_merge($result['del'], $return['del']);
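Review bot: The loop merges every module's `add`/`del`/`mod` entries unconditionally, so the password-only restriction rests entirely on each module honouring the flag handed to it on the `$m->checkSelfServiceOptions(...)` line; nothing in this wrapper stops a module that ignores `$passwordChangeOnly` from contributing arbitrary attribute changes that are then written to the directory. That trust boundary should be visible in the docblock, e.g. on the new `@param` line: `modules are trusted to return only password-related changes when this is set; this function does not enforce it`. The function body continues after the last line of the hunk.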