N°2306 - Security hardening

This commit is contained in:
bruno DA SILVA
2019-12-30 17:30:34 +01:00
parent 9bee1905c8
commit 015955f396
16 changed files with 45 additions and 57 deletions


@@ -189,51 +189,52 @@ class LoginWebPage extends NiceWebPage
UserRights::Login($sAuthUser); // Set the user's language (if possible!)
/** @var UserInternal $oUser */
$oUser = UserRights::GetUserObject();
if ($oUser == null)
if ($oUser != null)
{
throw new Exception(Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser));
}
if (!MetaModel::IsValidAttCode(get_class($oUser), 'reset_pwd_token'))
{
throw new Exception(Dict::S('UI:ResetPwd-Error-NotPossible'));
}
if (!$oUser->CanChangePassword())
{
throw new Exception(Dict::S('UI:ResetPwd-Error-FixedPwd'));
}
$sTo = $oUser->GetResetPasswordEmail(); // throws Exceptions if not allowed
if ($sTo == '')
{
throw new Exception(Dict::S('UI:ResetPwd-Error-NoEmail'));
if (!MetaModel::IsValidAttCode(get_class($oUser), 'reset_pwd_token'))
{
throw new Exception(Dict::S('UI:ResetPwd-Error-NotPossible'));
}
if (!$oUser->CanChangePassword())
{
throw new Exception(Dict::S('UI:ResetPwd-Error-FixedPwd'));
}
$sTo = $oUser->GetResetPasswordEmail(); // throws Exceptions if not allowed
if ($sTo == '')
{
throw new Exception(Dict::S('UI:ResetPwd-Error-NoEmail'));
}
// This token allows the user to change the password without knowing the previous one
$sToken = substr(md5(APPROOT.uniqid()), 0, 16);
$oUser->Set('reset_pwd_token', $sToken);
CMDBObject::SetTrackInfo('Reset password');
$oUser->AllowWrite(true);
$oUser->DBUpdate();
$oEmail = new Email();
$oEmail->SetRecipientTO($sTo);
$sFrom = MetaModel::GetConfig()->Get('forgot_password_from');
$oEmail->SetRecipientFrom($sFrom);
$oEmail->SetSubject(Dict::S('UI:ResetPwd-EmailSubject', $oUser->Get('login')));
$sResetUrl = utils::GetAbsoluteUrlAppRoot().'pages/UI.php?loginop=reset_pwd&auth_user='.urlencode($oUser->Get('login')).'&token='.urlencode($sToken);
$oEmail->SetBody(Dict::Format('UI:ResetPwd-EmailBody', $sResetUrl, $oUser->Get('login')));
$iRes = $oEmail->Send($aIssues, true /* force synchronous exec */);
switch ($iRes)
{
//case EMAIL_SEND_PENDING:
case EMAIL_SEND_OK:
break;
case EMAIL_SEND_ERROR:
default:
IssueLog::Error('Failed to send the email with the NEW password for '.$oUser->Get('friendlyname').': '.implode(', ', $aIssues));
throw new Exception(Dict::S('UI:ResetPwd-Error-Send'));
}
}
// This token allows the user to change the password without knowing the previous one
$sToken = substr(md5(APPROOT.uniqid()), 0, 16);
$oUser->Set('reset_pwd_token', $sToken);
CMDBObject::SetTrackInfo('Reset password');
$oUser->AllowWrite(true);
$oUser->DBUpdate();
$oEmail = new Email();
$oEmail->SetRecipientTO($sTo);
$sFrom = MetaModel::GetConfig()->Get('forgot_password_from');
$oEmail->SetRecipientFrom($sFrom);
$oEmail->SetSubject(Dict::S('UI:ResetPwd-EmailSubject', $oUser->Get('login')));
$sResetUrl = utils::GetAbsoluteUrlAppRoot().'pages/UI.php?loginop=reset_pwd&auth_user='.urlencode($oUser->Get('login')).'&token='.urlencode($sToken);
$oEmail->SetBody(Dict::Format('UI:ResetPwd-EmailBody', $sResetUrl, $oUser->Get('login')));
$iRes = $oEmail->Send($aIssues, true /* force synchronous exec */);
switch ($iRes)
{
//case EMAIL_SEND_PENDING:
case EMAIL_SEND_OK:
break;
case EMAIL_SEND_ERROR:
default:
IssueLog::Error('Failed to send the email with the NEW password for '.$oUser->Get('friendlyname').': '.implode(', ', $aIssues));
throw new Exception(Dict::S('UI:ResetPwd-Error-Send'));
}
$oTwigContext = new LoginTwigRenderer();
$aVars = $oTwigContext->GetDefaultVars();
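Review bot: The reset token inside the new `if ($oUser != null)` block is still built as `substr(md5(APPROOT.uniqid()), 0, 16)`; `uniqid()` is derived from the current time and is not a cryptographic random source, so the token's unpredictability rests on the request timestamp rather than on a CSPRNG, and it should be generated as `$sToken = bin2hex(random_bytes(8));` (same 16-hex-character format, PHP >= 7.0). Removing the `UI:ResetPwd-Error-WrongLogin` throw hides unknown logins, but the `NotPossible`, `FixedPwd` and `NoEmail` exceptions inside the block, and the synchronous `Send()` on the success path, presumably still let a caller tell an existing login from an unknown one; logging those three cases to `IssueLog` and falling through to the same generic `UI:ResetPwd-EmailSent` outcome would close that gap. `!= null` should be `!== null` so the guard does not depend on loose comparison. The enclosing method starts before and ends after this hunk.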


@@ -535,7 +535,6 @@ Dict::Add('CS CZ', 'Czech', 'Čeština', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'účet není spojen s osobou s uvedenou emailovou adresou. Kontaktujte administrátora.',
'UI:ResetPwd-Error-NoEmail' => 'chybí emailová adresa. Kontaktujte administrátora.',
'UI:ResetPwd-Error-Send' => 'technický problém při odesílání emailu. Kontaktujte administrátora.',
'UI:ResetPwd-EmailSent' => 'Vyčkejte na příchod emailové zprávy a postupujte dle instrukcí...',
'UI:ResetPwd-EmailSubject' => 'Obnovení hesla pro iTop',
'UI:ResetPwd-EmailBody' => '<body><p>Vyžádali jste obovení hesla pro iTop.</p><p>Pokračujte kliknutím na následující <a href="%1$s">jednorázový odkaz</a> a zadejte nové heslo.</p>',


@@ -522,7 +522,6 @@ Dict::Add('DA DA', 'Danish', 'Dansk', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.~~',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.~~',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.~~',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...~~',
'UI:ResetPwd-EmailSubject' => 'Reset your iTop password~~',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your iTop password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.~~',


@@ -521,7 +521,6 @@ Dict::Add('DE DE', 'German', 'Deutsch', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'das Benutzerkonto ist nicht mit einer Person verknüpft, die eine Mailadresse besitzt. Bitte wenden Sie sich an Ihren Administrator. ',
'UI:ResetPwd-Error-NoEmail' => 'die email Adresse dieses Accounts fehlt. Bitte kontaktieren Sie Ihren Administrator.',
'UI:ResetPwd-Error-Send' => 'Beim Versenden der Email trat ein technisches Problem auf. Bitte kontaktieren Sie Ihren Administrator.',
'UI:ResetPwd-EmailSent' => 'Bitte schauen Sie in Ihre Mailbox und folgen Sie den Anweisungen.',
'UI:ResetPwd-EmailSubject' => 'Zurücksetzen Ihres iTop-Passworts',
'UI:ResetPwd-EmailBody' => '<body><p>Sie haben das Zurücksetzen Ihres iTop Passworts angefordert.</p><p>Bitte folgen Sie diesem Link (funktioniert nur einmalig) : <a href="%1$s">neues Passwort eingeben</a></p>.',


@@ -537,7 +537,7 @@ Dict::Add('EN US', 'English', 'English', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions. If you receive no email, please check the login you typed.',
'UI:ResetPwd-EmailSubject' => 'Reset your '.ITOP_APPLICATION_SHORT.' password',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your '.ITOP_APPLICATION_SHORT.' password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.',


@@ -533,7 +533,6 @@ Dict::Add('ES CR', 'Spanish', 'Español, Castellaño', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'La cuenta no está asociada a una persona con correo electrónico. Por favor contacte al administrador.',
'UI:ResetPwd-Error-NoEmail' => 'Falta dirección de correo electrónico. Por favor contacte al administrador.',
'UI:ResetPwd-Error-Send' => 'Falla al envar un correo. Por favor contacte al administrador.',
'UI:ResetPwd-EmailSent' => 'Por favor verifique su buzón de correo y siga las instrucciones...',
'UI:ResetPwd-EmailSubject' => 'Restablecer contraseña de iTop',
'UI:ResetPwd-EmailBody' => '<body><p>Ha solicitado restablecer su contraseña en iTop.</p><p>Por favor de click en la siguiente liga: <a href="%1$s">proporcione una nueva contraseña</a></p>.',


@@ -520,7 +520,7 @@ Dict::Add('FR FR', 'French', 'Français', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'il manque un attribut de type "email" sur la Personne associée à ce compte. Veuillez contacter l\'administrateur de l\'application.',
'UI:ResetPwd-Error-NoEmail' => 'il manque une adresse email sur la Personne associée à ce compte. Veuillez contacter l\'administrateur de l\'application.',
'UI:ResetPwd-Error-Send' => 'erreur technique lors de l\'envoi de l\'email. Veuillez contacter l\'administrateur de l\'application.',
'UI:ResetPwd-EmailSent' => 'Veuillez vérifier votre boîte de réception. Ensuite, suivez les instructions données dans l\'email...',
'UI:ResetPwd-EmailSent' => 'Veuillez vérifier votre boîte de réception. Ensuite, suivez les instructions données dans l\'email. Si vous ne recevez pas d\'email, merci de vérifier le login saisit',
'UI:ResetPwd-EmailSubject' => 'Changer votre mot de passe iTop',
'UI:ResetPwd-EmailBody' => '<body><p>Vous avez demandé à changer votre mot de passe iTop sans connaitre le mot de passe précédent.</p><p>Veuillez suivre le lien suivant (usage unique) afin de pouvoir <a href="%1$s">saisir un nouveau mot de passe</a></p>.',


@@ -520,7 +520,6 @@ Dict::Add('HU HU', 'Hungarian', 'Magyar', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.~~',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.~~',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.~~',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...~~',
'UI:ResetPwd-EmailSubject' => 'Reset your iTop password~~',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your iTop password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.~~',


@@ -533,7 +533,6 @@ Dict::Add('IT IT', 'Italian', 'Italiano', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.~~',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.~~',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.~~',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...~~',
'UI:ResetPwd-EmailSubject' => 'Reset your iTop password~~',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your iTop password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.~~',


@@ -520,7 +520,6 @@ Dict::Add('JA JP', 'Japanese', '日本語', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.~~',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.~~',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.~~',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...~~',
'UI:ResetPwd-EmailSubject' => 'Reset your iTop password~~',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your iTop password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.~~',


@@ -539,7 +539,6 @@ Dict::Add('NL NL', 'Dutch', 'Nederlands', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'deze account is niet gelinkt aan een persoon waarvan een e-mailadres gekend is. Neem contact op met jouw beheerder.',
'UI:ResetPwd-Error-NoEmail' => 'Er mist een e-mailadres. Neem contact op met jouw beheerder.',
'UI:ResetPwd-Error-Send' => 'Er is een technisch probleem bij het verzenden van de e-mail. Neem contact op met jouw beheerder.',
'UI:ResetPwd-EmailSent' => 'Kijk in jouw mailbox en volg de instructies...',
'UI:ResetPwd-EmailSubject' => 'Reset jouw iTop-wachtwoord',
'UI:ResetPwd-EmailBody' => '<body><p>U hebt een reset van jouw iTop-wachtwoord aangevraagd.</p><p>Klik op deze link (eenmalig gebruik) om <a href="%1$s">een nieuw wachtwoord in te voeren</a></p>.',


@@ -533,7 +533,6 @@ Dict::Add('PT BR', 'Brazilian', 'Brazilian', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'a conta não está associada a uma pessoa que contenha um endereço de e-mail. Por favor, contate o administrador.',
'UI:ResetPwd-Error-NoEmail' => 'faltando um endereço de e-mail. Por favor, contate o administrador.',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.',
'UI:ResetPwd-EmailSent' => 'Por favor, verifique seu email e siga as instruções...',
'UI:ResetPwd-EmailSubject' => 'Alterar a senha',
'UI:ResetPwd-EmailBody' => '<body><p>Você solicitou a alteração da senha do iTop.</p><p>Por favor, siga este link (passo simples) para <a href="%1$s">digitar a nova senha</a></p>.',


@@ -512,7 +512,6 @@ Dict::Add('RU RU', 'Russian', 'Русский', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'аккаунт не ассоциирован с персоной, имеющей атрибут электронной почты. Пожалуйста, обратитесь к администратору.',
'UI:ResetPwd-Error-NoEmail' => 'отсутствует адрес электронной почты. Пожалуйста, обратитесь к администратору.',
'UI:ResetPwd-Error-Send' => 'технические проблемы с отправкой электронной почты. Пожалуйста, обратитесь к администратору.',
'UI:ResetPwd-EmailSent' => 'Пожалуйста, проверьте свой почтовый ящик и следуйте инструкциям.',
'UI:ResetPwd-EmailSubject' => 'Восстановление пароля',
'UI:ResetPwd-EmailBody' => '<body><p>Вы запросили восстановление пароля iTop.</p><p>Пожалуйста, воспользуйтесь <a href="%1$s">этой ссылкой</a> для задания нового пароля.</p></body>',


@@ -520,7 +520,6 @@ Dict::Add('SK SK', 'Slovak', 'Slovenčina', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.~~',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.~~',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.~~',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...~~',
'UI:ResetPwd-EmailSubject' => 'Reset your iTop password~~',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your iTop password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.~~',


@@ -534,7 +534,6 @@ Dict::Add('TR TR', 'Turkish', 'Türkçe', array(
'UI:ResetPwd-Error-NoEmailAtt' => 'the account is not associated to a person having an email attribute. Please Contact your administrator.~~',
'UI:ResetPwd-Error-NoEmail' => 'missing an email address. Please Contact your administrator.~~',
'UI:ResetPwd-Error-Send' => 'email transport technical issue. Please Contact your administrator.~~',
'UI:ResetPwd-EmailSent' => 'Please check your email box and follow the instructions...~~',
'UI:ResetPwd-EmailSubject' => 'Reset your iTop password~~',
'UI:ResetPwd-EmailBody' => '<body><p>You have requested to reset your iTop password.</p><p>Please follow this link (single usage) to <a href="%1$s">enter a new password</a></p>.~~',


@@ -533,7 +533,6 @@ Dict::Add('ZH CN', 'Chinese', '简体中文', array(
'UI:ResetPwd-Error-NoEmailAtt' => '该账户未关联邮箱地址,请联系管理员.',
'UI:ResetPwd-Error-NoEmail' => '缺少邮箱地址. 请联系管理员.',
'UI:ResetPwd-Error-Send' => '邮件传输存在技术原因. 请联系管理员.',
'UI:ResetPwd-EmailSent' => '请检查邮箱并按照提示操作...',
'UI:ResetPwd-EmailSubject' => '重置iTop 密码',
'UI:ResetPwd-EmailBody' => '<body><p>您已请求重置iTop 密码.</p><p>请点击这个链接 (一次性) <a href="%1$s">来输入新的密码</a></p>.',