Add flag to forbid passwd changes by user

Useful if the staff members administratively configure a static password that the user should never change.

Add flag to forbid passwd changes by user
Useful if the staff members administratively configure a static password that the user should never change.
c1f599f4 · Jared Hancock · 205e7185 · c1f599f4 · c1f599f4 · c1f599f4
Commit c1f599f4 authored 10 years ago by Jared Hancock
--- a/include/class.client.php
+++ b/include/class.client.php
@@ -306,12 +306,6 @@ class ClientAccount extends UserAccount {
        unset($_SESSION['_client']['reset-token']);
    }

-    function getInfo() {
-        $base = parent::getInfo();
-        $base['tz_offset'] = $this->timezone;
-        return $base;
-    }
-
    function update($vars, &$errors) {
        $rtoken = $_SESSION['_client']['reset-token'];
        if ($vars['passwd1'] || $vars['passwd2'] || $vars['cpasswd'] || $rtoken) {
@@ -362,7 +356,7 @@ class ClientAccount extends UserAccount {
            $info = array('password' => $vars['passwd1']);
            Signal::send('auth.pwchange', $this, $info);
            $this->cancelResetTokens();
-            $this->_clearStatus(self::PASSWD_RESET_REQUIRED);
+            $this->clearStatus(self::REQUIRE_PASSWD_RESET);
        }

        return $this->save();

--- a/include/class.user.php
+++ b/include/class.user.php
@@ -547,7 +547,8 @@ class UserAccount extends UserAccountModel {

    const CONFIRMED             = 0x0001;
    const LOCKED                = 0x0002;
-    const PASSWD_RESET_REQUIRED = 0x0004;
+    const REQUIRE_PASSWD_RESET  = 0x0004;
+    const FORBID_PASSWD_RESET   = 0x0008;

    protected function hasStatus($flag) {
        return 0 !== ($this->get('status') & $flag);
@@ -580,12 +581,16 @@ class UserAccount extends UserAccountModel {
    }

    function forcePasswdReset() {
-        $this->setStatus(self::PASSWD_RESET_REQUIRED);
+        $this->setStatus(self::REQUIRE_PASSWD_RESET);
        return $this->save();
    }

    function isPasswdResetForced() {
-        return $this->hasStatus(self::PASSWD_RESET_REQUIRED);
+        return $this->hasStatus(self::REQUIRE_PASSWD_RESET);
+    }
+
+    function isPasswdResetEnabled() {
+        return !$this->hasStatus(self::FORBID_PASSWD_RESET);
    }

    function hasPassword() {
@@ -737,15 +742,16 @@ class UserAccount extends UserAccountModel {
        }

        // Set flags
-        if ($vars['pwreset-flag'])
-            $this->setStatus(self::PASSWD_RESET_REQUIRED);
-        else
-            $this->clearStatus(self::PASSWD_RESET_REQUIRED);
-
-        if ($vars['locked-flag'])
-            $this->setStatus(self::LOCKED);
-        else
-            $this->clearStatus(self::LOCKED);
+        foreach (array(
+                'pwreset-flag'=>        self::REQUIRE_PASSWD_RESET,
+                'locked-flag'=>         self::LOCKED,
+                'forbid-pwchange-flag'=> self::FORBID_PASSWD_RESET
+        ) as $ck=>$flag) {
+            if ($vars[$ck])
+                $this->setStatus($flag);
+            else
+                $this->clearStatus($flag);
+        }

        return $this->save(true);
    }
@@ -794,7 +800,7 @@ class UserAccount extends UserAccountModel {
            $account->set('passwd', Password::hash($vars['passwd1']));
            $account->setStatus(self::CONFIRMED);
            if ($vars['pwreset-flag'])
-                $account->setStatus(self::PASSWD_RESET_REQUIRED);
+                $account->setStatus(self::REQUIRE_PASSWD_RESET);
        }

        $account->save(true);

--- a/include/client/profile.inc.php
+++ b/include/client/profile.inc.php
@@ -50,6 +50,7 @@ if ($acct = $thisclient->getAccount()) {
        <em>(Current Time: <strong><?php echo Format::date($cfg->getDateTimeFormat(),Misc::gmtime(),$info['tz_offset'],$info['dst']); ?></strong>)</em>
    </td>
 </tr>
+<?php if ($acct->isPasswdResetEnabled()) { ?>
 <tr>
    <td colspan=2">
        <div><hr><h3>Access Credentials</h3></div>
@@ -85,6 +86,7 @@ if ($acct = $thisclient->getAccount()) {
    </td>
 </tr>
 <?php } ?>
+<?php } ?>
 </table>
 <hr>
 <p style="text-align: center;">

--- a/include/staff/templates/user-account.tmpl.php
+++ b/include/staff/templates/user-account.tmpl.php
@@ -143,6 +143,9 @@ if ($info['error']) {
                   <div><input type="checkbox" name="pwreset-flag" value="1" <?php
                    echo $account->isPasswdResetForced() ?
                    'checked="checked"' : ''; ?>> Password Reset Required</div>
+                   <div><input type="checkbox" name="forbid-pwchange-flag" value="1" <?php
+                    echo !$account->isPasswdResetEnabled() ?
+                    'checked="checked"' : ''; ?>> User Cannot Change Password</div>
                </td>
            </tr>
        </tbody>

--- a/pwreset.php
+++ b/pwreset.php
@@ -19,6 +19,10 @@ if($_POST) {
                if (!$acct->hasPassword()) {
                    $banner = 'Unable to reset password. Contact your administrator';
                }
+                elseif (!$acct->isPasswdResetEnabled()) {
+                    $banner = 'Password reset is not enabled for your account. '
+                        .'Contact your administrator';
+                }
                elseif (!$acct->sendResetEmail()) {
                    $inc = 'pwreset.sent.php';
                }