From 3ca8af7fd8de419172f14ec0a179d807cbcaa305 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Tue, 4 Sep 2012 12:39:33 +0400 Subject: [PATCH] require entering password before enabling/disabling otp --- classes/auth/internal.php | 22 +++++--- classes/pref/prefs.php | 107 +++++++++++++++++++++++++++++++++++--- 2 files changed, 113 insertions(+), 16 deletions(-) diff --git a/classes/auth/internal.php b/classes/auth/internal.php index 214d7780..8993116c 100644 --- a/classes/auth/internal.php +++ b/classes/auth/internal.php @@ -120,7 +120,7 @@ class Auth_Internal extends Auth_Base { return false; } - function change_password($owner_uid, $old_password, $new_password) { + function check_password($owner_uid, $password) { $owner_uid = db_escape_string($owner_uid); $result = db_query($this->link, "SELECT salt,login FROM ttrss_users WHERE @@ -130,23 +130,29 @@ class Auth_Internal extends Auth_Base { $login = db_fetch_result($result, 0, "login"); if (!$salt) { - $old_password_hash1 = encrypt_password($old_password); - $old_password_hash2 = encrypt_password($old_password, $login); + $password_hash1 = encrypt_password($password); + $password_hash2 = encrypt_password($password, $login); $query = "SELECT id FROM ttrss_users WHERE - id = '$owner_uid' AND (pwd_hash = '$old_password_hash1' OR - pwd_hash = '$old_password_hash2')"; + id = '$owner_uid' AND (pwd_hash = '$password_hash1' OR + pwd_hash = '$password_hash2')"; } else { - $old_password_hash = encrypt_password($old_password, $salt, true); + $password_hash = encrypt_password($password, $salt, true); $query = "SELECT id FROM ttrss_users WHERE - id = '$owner_uid' AND pwd_hash = '$old_password_hash'"; + id = '$owner_uid' AND pwd_hash = '$password_hash'"; } $result = db_query($this->link, $query); - if (db_num_rows($result) == 1) { + return db_num_rows($result) != 0; + } + + function change_password($owner_uid, $old_password, $new_password) { + $owner_uid = db_escape_string($owner_uid); + + if ($this->check_password($owner_uid, $old_password)) { $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $new_password_hash = encrypt_password($new_password, $new_salt, true); diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index 3e93ee4d..e9f42077 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -230,6 +230,10 @@ class Pref_Prefs extends Handler_Protected { } "; + if ($otp_enabled) { + print_notice("Changing your current password will disable OTP."); + } + print ""; print ""; @@ -260,7 +264,45 @@ class Pref_Prefs extends Handler_Protected { if ($otp_enabled) { - print "

".__("One time passwords are currently enabled. Change your current password and refresh this page to reconfigure.") . "

"; + print_notice("One time passwords are currently enabled. Enter your current password below to disable."); + + print ""; + + print ""; + + print "
".__("Old password")."
"; + + print ""; + + print ""; + + print "
".__("Enter your password")."
"; + + print ""; + print ""; + + print "

"; + + print ""; } else { @@ -275,7 +317,7 @@ class Pref_Prefs extends Handler_Protected { print "

"; print ""; - print ""; + print ""; print ""; + print ""; + + print ""; + + print ""; + + print ""; + print "
".__("Enter your password")."
"; + print " "; print ""; + print "
"; + + print "
"; + print "

"; + __("Enable OTP").""; print "

"; @@ -648,13 +709,43 @@ class Pref_Prefs extends Handler_Protected { } } - function changeotp() { - $enable_otp = $_REQUEST["enable_otp"]; + function otpenable() { + $password = db_escape_string($_REQUEST["password"]); + + $module_class = "auth_" . $_SESSION["auth_module"]; + $authenticator = new $module_class($this->link); + $enable_otp = $_REQUEST["enable_otp"] == "on"; + + if ($authenticator->check_password($_SESSION["uid"], $password)) { + + if ($enable_otp) { + db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE + id = " . $_SESSION["uid"]); + + print "OK"; + } + } else { + print "ERROR: ".__("Incorrect password"); + } - if ($enable_otp == "on") { - db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE + } + + function otpdisable() { + $password = db_escape_string($_REQUEST["password"]); + + $module_class = "auth_" . $_SESSION["auth_module"]; + $authenticator = new $module_class($this->link); + + if ($authenticator->check_password($_SESSION["uid"], $password)) { + + db_query($this->link, "UPDATE ttrss_users SET otp_enabled = false WHERE id = " . $_SESSION["uid"]); + + print "OK"; + } else { + print "ERROR: ".__("Incorrect password"); } + } } ?> -- 2.39.5