Commit 3b2d3d69 authored by Leigh Stoller's avatar Leigh Stoller

Merge branch 'mymaster'

parents a02f98b9 bf20fc16
......@@ -32,11 +32,7 @@ $page_title = "My Profiles";
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_user = CheckLoginOrRedirect();
SPITHEADER(1);
if (!ISADMIN()) {
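Review bot: The new call site depends on `CheckLoginOrRedirect()` never returning for an unauthenticated request, yet the removed lines paired `RedirectLoginPage()` with an explicit `exit()` and the helper added in the quickvm_sup.php hunk (`RedirectLoginPage();` followed directly by `return $this_user;`) has no `exit()` of its own. Unless RedirectLoginPage() terminates the request itself (its body is outside this view), execution continues with `$this_user` unset, and the two later hunks that immediately run `$this_idx = $this_user->uid_idx();` dereference it. The fix belongs in the helper: `RedirectLoginPage();` then `exit();` before the return. The same reliance appears in the approve-user hunk, the `GetDBLink("sa")` hunk, the `invite` and `create` hunks, both `target_user` hunks and both `uuid` hunks.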
......@@ -31,7 +31,7 @@ $page_title = "Approve User";
# Get current user in case we need an error message.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
$this_user = CheckLoginOrRedirect();
#
# Verify page arguments.
<?php
#
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
chdir("..");
include("defs.php3");
chdir("apt");
include("quickvm_sup.php");
$page_title = "Change Password";
RedirectSecure();
#
# Verify page arguments.
#
$optargs = OptionalPageArguments("user", PAGEARG_USER,
"key", PAGEARG_STRING,
"password1", PAGEARG_STRING,
"password2", PAGEARG_STRING,
"reset", PAGEARG_STRING);
#
# We use this page for both resetting a forgotten password, and for
# a logged in user to change their password. We use the "key" argument
# to tell us its a reset.
#
if (isset($key)) {
if (!isset($user)) {
SPITUSERERROR("Missing user argument");
return;
}
# Half the key in the URL.
$keyB = $key;
# We also need the other half of the key from the browser.
$keyA = (isset($_COOKIE[$TBAUTHCOOKIE]) ? $_COOKIE[$TBAUTHCOOKIE] : "");
# If the browser part is missing, direct user to answer
if ((isset($keyB) && $keyB != "") && (!isset($keyA) || $keyA == "")) {
SPITUSERERROR("Oops, not able to proceed!<br>".
"Please read this ".
"<a href='$WIKIDOCURL/kb69'>Knowledge Base Entry</a> ".
"to see what the likely cause is.", 1);
return;
}
if (!isset($keyA) || $keyA == "" || !preg_match("/^[\w]+$/", $keyA) ||
!isset($keyB) || $keyB == "" || !preg_match("/^[\w]+$/", $keyB)) {
SPITUSERERROR("Invalid keys in request");
return;
}
# The complete key.
$key = $keyA . $keyB;
if (!$user->chpasswd_key() || !$user->chpasswd_expires()) {
SPITUSERERROR("Why are you here?");
return;
}
if ($user->chpasswd_key() != $key) {
SPITUSERERROR("Invalid key in request.");
return;
}
if (time() > $user->chpasswd_expires()) {
SPITUSERERROR("Your key has expired. Please request a
<a href='forgotpswd.php'>new key</a>.");
return;
}
}
else {
#
# The user must be logged in.
#
$this_user = CheckLoginOrRedirect();
# Check for admin setting another users password.
if (!isset($user)) {
$user = $this_user;
}
elseif (!$this_user->SameUser($user) && !ISADMIN()) {
SPITUSERERROR("Not enough permission to reset password for user");
return;
}
}
function SPITFORM($password1, $password2, $errors)
{
global $keyB, $user;
$user_uid = $user->uid();
# XSS prevention.
$password1 = CleanString($password1);
$password2 = CleanString($password2);
# XSS prevention.
if ($errors) {
while (list ($key, $val) = each ($errors)) {
# Skip internal error, we want the html in those errors
# and we know it is safe.
if ($key == "error") {
continue;
}
$errors[$key] = CleanString($val);
}
}
$formatter = function($field, $html) use ($errors) {
$class = "form-group";
if ($errors && array_key_exists($field, $errors)) {
$class .= " has-error";
}
echo "<div class='$class'>\n";
echo " $html\n";
if ($errors && array_key_exists($field, $errors)) {
echo "<label class='control-label' for='inputError'>" .
$errors[$field] . "</label>\n";
}
echo "</div>\n";
};
SPITHEADER(1);
SPITNULLREQUIRE();
echo "<div class='row'>
<div class='col-lg-4 col-lg-offset-4
col-md-4 col-md-offset-4
col-sm-6 col-sm-offset-3
col-xs-10 col-xs-offset-1'>\n";
echo "<form id='quickvm_form' role='form'
method='post' action='changepswd.php?user=$user_uid'>\n";
echo "<div class='panel panel-default'>
<div class='panel-heading'>
<h3 class='panel-title'>
<center>Change Your Password</center></h3>
</div>
<div class='panel-body'>\n";
$formatter("password1",
"<input name='password1'
value='$password1'
class='form-control'
placeholder='Your new password'
autofocus type='password'>");
$formatter("password2",
"<input name='password2'
type='password'
value='$password2'
class='form-control'
placeholder='Confirm password'>");
echo "<center>
<button class='btn btn-primary'
type='submit' name='reset'>Reset Password</button><center>\n";
if (isset($keyB)) {
echo "<input type='hidden' name='key' value='$keyB'>\n";
}
echo " </div>\n";
echo "</div>\n";
echo "</form>\n";
echo "</div>\n";
echo "</div>\n";
SPITFOOTER();
}
#
# If not clicked, then put up a form.
#
if (! isset($reset)) {
SPITFORM("", "", null);
return;
}
$errors = array();
#
# Reset clicked. Verify a proper password.
#
if (!isset($password1) || $password1 == "") {
$errors["password1"] = "Missing Field";
}
if (!isset($password2) || $password2 == "") {
$errors["password2"] = "Missing Field";
}
if (!count($errors) && $password1 != $password2) {
$errors["password2"] = "Passwords do not match";
}
if (!count($errors) &&
! CHECKPASSWORD($user->uid(),
$password1, $user->name(), $user->email(), $checkerror)) {
$errors["password1"] = $checkerror;
}
if (count($errors)) {
SPITFORM($password1, $password2, $errors);
return;
}
$encoding = crypt("$password1");
$safe_encoding = escapeshellarg($encoding);
#
# Clear this for forgotten password.
#
if (isset($key)) {
setcookie($TBAUTHCOOKIE, "", 1, "/", $WWWHOST, $TBSECURECOOKIES);
}
# Header after cookie.
SPITHEADER(1);
SpitWaitModal("waitwait");
SPITREQUIRE("async");
echo "<script>ShowWaitModal('waitwait');</script>\n";
flush();
#
# Invoke backend to deal with this.
#
$target_uid = $user->uid();
if (!HASREALACCOUNT($target_uid)) {
$retval = SUEXEC("nobody", "nobody",
"webtbacct passwd $target_uid $safe_encoding",
SUEXEC_ACTION_CONTINUE);
}
else {
$retval = SUEXEC($target_uid, "nobody",
"webtbacct passwd $target_uid $safe_encoding",
SUEXEC_ACTION_CONTINUE);
}
echo "<script>HideWaitModal('waitwait');</script>\n";
flush();
if ($retval) {
SPITUSERERROR("Oops, error changing password");
}
else {
echo "Your password has been changed.\n";
}
SPITFOOTER();
?>
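Review bot: In the logged-in branch a POST to `changepswd.php?user=X` sets a new password without the current one, and the form SPITFORM emits carries no anti-CSRF token (none is visible here, nor is one checked before the `$reset` handling), so a forged cross-site POST from a logged-in victim's browser can change that victim's password; require the current password or a per-session token verified before `if (! isset($reset))`. `$user->chpasswd_key() != $key` compares a secret with a loose, early-terminating comparison; prefer `if (!hash_equals((string)$user->chpasswd_key(), $key)) {`. `crypt("$password1")` passes no salt, so the hash format depends on the PHP version's default (legacy DES truncates the password to 8 characters); supply an explicit salt, or `password_hash()` if `webtbacct passwd` accepts that format — not determinable from this file. Nothing in the key branch invalidates `chpasswd_key` after the successful change (only the cookie is cleared), so unless `webtbacct` clears it the emailed link stays usable until `chpasswd_expires()`.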
......@@ -31,7 +31,7 @@ $dblink = GetDBLink("sa");
#
# Get current user.
#
$this_user = CheckLogin($check_status);
$this_user = CheckLoginOrRedirect();
#
# Verify page arguments.
<?php
#
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
chdir("..");
include("defs.php3");
chdir("apt");
include("quickvm_sup.php");
$page_title = "Forgot Your Password";
RedirectSecure();
$this_user = CheckLogin($check_status);
if ($CHECKLOGIN_STATUS & CHECKLOGIN_LOGGEDIN) {
SPITUSERERROR("You are already logged in!");
}
#
# Verify page arguments.
#
$optargs = OptionalPageArguments("reset", PAGEARG_STRING,
"username", PAGEARG_STRING,
"email", PAGEARG_STRING,
"formfields", PAGEARG_ARRAY);
function SPITFORM($username, $email, $errors)
{
# XSS prevention.
$username = CleanString($username);
$email = CleanString($email);
# XSS prevention.
if ($errors) {
while (list ($key, $val) = each ($errors)) {
# Skip internal error, we want the html in those errors
# and we know it is safe.
if ($key == "error") {
continue;
}
$errors[$key] = CleanString($val);
}
}
$formatter = function($field, $html) use ($errors) {
$class = "form-group";
if ($errors && array_key_exists($field, $errors)) {
$class .= " has-error";
}
echo "<div class='$class'>\n";
echo " $html\n";
if ($errors && array_key_exists($field, $errors)) {
echo "<label class='control-label' for='inputError'>" .
$errors[$field] . "</label>\n";
}
echo "</div>\n";
};
SPITHEADER(1);
echo "<div class='row'>
<div class='col-lg-4 col-lg-offset-4
col-md-4 col-md-offset-4
col-sm-6 col-sm-offset-3
col-xs-10 col-xs-offset-1'>\n";
echo "<form id='quickvm_form' role='form'
method='post' action='forgotpswd.php'>\n";
echo "<div class='panel panel-default'>
<div class='panel-heading'>
<h3 class='panel-title'>
<center>Forgot Your Password?</center></h3>
</div>
<div class='panel-body'>\n";
$formatter("username",
"<input name='username'
value='$username'
class='form-control'
placeholder='What is your username?'
autofocus type='text'>");
$formatter("email",
"<input name='email'
type='text'
value='$email'
class='form-control'
placeholder='What is your email address?' type='text'>");
echo "<center>
<button class='btn btn-primary'
type='submit' name='reset'>Email Reset Link</button><center>\n";
echo " </div>\n";
echo "</div>\n";
echo "</form>\n";
echo "</div>\n";
echo "</div>\n";
SPITNULLREQUIRE();
SPITFOOTER();
}
#
# If not clicked, then put up a form.
#
if (!isset($reset)) {
SPITFORM(array(), null);
return;
}
$errors = array();
#
# Reset clicked. See if we find a user with the given email/phone. If not
# zap back to the form.
#
if (!isset($email) || $email == "" || !TBvalid_email($email)) {
$errors["email"] = "Missing or invalid email";
}
if (!isset($username) || $username == "" || !TBvalid_uid($username)) {
$errors["username"] = "Missing or invalid username";
}
if (count($errors)) {
SPITFORM($username, $email, $errors);
return;
}
if ($user = User::Lookup($username)) {
if ($user->weblogin_frozen()) {
$errors["username"] = "This account is frozen";
}
elseif ($user->email() != $email) {
$errors["email"] = "Wrong email address for user";
}
}
else {
$errors["username"] = "Invalid username";
}
if (count($errors)) {
SPITFORM($username, $email, $errors);
return;
}
$uid = $user->uid();
$uid_name = $user->name();
$uid_email = $user->email();
#
# Yep. Generate a random key and send the user an email message with a URL
# that will allow them to change their password.
#
$key = md5(uniqid(rand(),1));
$keyA = substr($key, 0, 16);
$keyB = substr($key, 16);
$user->SetChangePassword($key, "UNIX_TIMESTAMP(now())+(60*30)");
# Send half of the key to the browser and half in the email message.
setcookie($TBAUTHCOOKIE, $keyA, 0, "/", $WWWHOST, $TBSECURECOOKIES);
# It is okay to spit this now that we have sent the cookie.
SPITHEADER();
TBMAIL("$uid_name <$uid_email>",
"Password Reset requested by '$uid'",
"\n".
"Here is your password reset authorization URL. Click on this link\n".
"within the next 30 minutes, and you will be allowed to reset your\n".
"password. If the link expires, you can request a new one from the\n".
"web interface.\n".
"\n".
" ${APTBASE}/changepswd.php3?user=$uid&key=$keyB\n".
"\n".
"The request originated from IP: " . $_SERVER['REMOTE_ADDR'] . "\n".
"\n".
"Thanks!\n",
"From: $APTMAIL\n".
"Bcc: $TBMAIL_AUDIT\n".
"Errors-To: $TBMAIL_WWW");
echo "<br>
An email message has been sent to your account. In it you will find a
URL that will allow you to change your password. The link will <b>expire
in 30 minutes</b>. If the link does expire before you have a chance to
use it, simply come back and request a <a href='password.php3'>new one</a>.
\n";
SPITNULLREQUIRE();
SPITFOOTER();
?>
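Review bot: `SPITFORM(array(), null)` on the not-clicked path passes two arguments to a three-parameter function, and an array where `CleanString()` receives a string; it should read `SPITFORM("", "", null);` as changepswd.php does. The emailed link points at `changepswd.php3` while the page added in this commit (and the menu entry in quickvm_sup.php) is `changepswd.php`, and the confirmation text links `password.php3` rather than `forgotpswd.php`. The reset key comes from `md5(uniqid(rand(),1))`, which is not a cryptographic source; `bin2hex(openssl_random_pseudo_bytes(16))` (or `random_bytes()` on PHP 7+) yields the same 32-hex-character shape that the two halves and the `\w+` check in changepswd.php expect. The three distinct messages ("Invalid username", "This account is frozen", "Wrong email address for user") disclose whether a username exists; one generic message on all three branches avoids the enumeration. `SPITUSERERROR("You are already logged in!")` is not followed by `return`, so if that helper does not terminate the request (changepswd.php returns explicitly after every call) a logged-in user proceeds into the reset handling.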
......@@ -30,7 +30,8 @@ include("quickvm_sup.php");
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
$this_user = CheckLoginOrRedirect();
$this_idx = $this_user->uid_idx();
#
# Verify page arguments.
......@@ -38,15 +39,6 @@ $this_user = CheckLogin($check_status);
$optargs = OptionalPageArguments("invite", PAGEARG_STRING,
"formfields", PAGEARG_ARRAY);
#
# The user must be logged in.
#
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_idx = $this_user->uid_idx();
#
# Spit the form
#
require(window.APT_OPTIONS.configObject,
['js/quickvm_sup'],
function (sup)
{
'use strict';
function initialize()
{
window.APT_OPTIONS.initialize(sup);
}
$('body').show();
$(document).ready(initialize);
});
......@@ -158,6 +158,10 @@ function SPITFORM($uid, $referrer, $error)
</div>
<div class='form-group'>
<div class='col-sm-offset-2 col-sm-10'>
<a class='btn btn-info btn-sm pull-left'
type='button' href='forgotpswd.php'
style='margin-right: 10px;'>
Forgot Password?</a>
<?php
if ($ISCLOUD) {
?>
......@@ -38,7 +38,8 @@ $notifyclone = 0;
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
$this_user = CheckLoginOrRedirect();
$this_idx = $this_user->uid_idx();
#
# Verify page arguments.
......@@ -50,15 +51,6 @@ $optargs = OptionalPageArguments("create", PAGEARG_STRING,
"finished", PAGEARG_BOOLEAN,
"formfields", PAGEARG_ARRAY);
#
# The user must be logged in.
#
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_idx = $this_user->uid_idx();
#
# Spit the form
#
......@@ -41,11 +41,8 @@ $optargs = OptionalPageArguments("target_user", PAGEARG_USER,
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_user = CheckLoginOrRedirect();
if (!isset($target_user)) {
$target_user = $this_user;
}
......@@ -37,11 +37,8 @@ $optargs = OptionalPageArguments("target_user", PAGEARG_USER,
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_user = CheckLoginOrRedirect();
if (!isset($target_user)) {
$target_user = $this_user;
}
......@@ -37,11 +37,8 @@ $reqargs = RequiredPageArguments("uuid", PAGEARG_STRING);
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_user = CheckLoginOrRedirect();
SPITHEADER(1);
$profile = Profile::Lookup($uuid);
......@@ -37,11 +37,8 @@ $reqargs = RequiredPageArguments("uuid", PAGEARG_STRING);
# Get current user.
#
RedirectSecure();
$this_user = CheckLogin($check_status);
if (!$this_user) {
RedirectLoginPage();
exit();
}
$this_user = CheckLoginOrRedirect();
SPITHEADER(1);
$profile = Profile::Lookup($uuid);
......@@ -98,7 +98,8 @@ $PAGEERROR_HANDLER = function($msg, $status_code = 0) {
die("");
};
function SPITHEADER($thinheader = 0)
$PAGEHEADER_FUNCTION = function($thinheader = 0, $ignore1 = NULL,
$ignore2 = NULL, $ignore3 = NULL)
{
global $TBMAINSITE, $APTTITLE, $FAVICON, $APTLOGO, $APTSTYLE, $ISAPT;
global $GOOGLEUA, $ISCLOUD;
......@@ -226,6 +227,7 @@ function SPITHEADER($thinheader = 0)
<li><a href='manage_profile.php'>Create Profile</a></li>
<li><a href='instantiate.php'>Start Experiment</a></li>
<li class='divider'></li>
<li><a href='changepswd.php'>Change Password</a></li>
<li><a href='logout.php'>Logout</a></li>";
if (ISADMIN()) {
echo " <li class='divider'></li>
......@@ -244,10 +246,17 @@ function SPITHEADER($thinheader = 0)
}
echo " <!-- Page content -->
<div class='container-fluid'>\n";
}
};
function SPITFOOTER()
function SPITHEADER($thinheader = 0,
$ignore1 = NULL, $ignore2 = NULL, $ignore3 = NULL)
{
global $PAGEHEADER_FUNCTION;
$PAGEHEADER_FUNCTION($thinheader, $ignore1, $ignore2, $ignore3);
}
$PAGEFOOTER_FUNCTION = function($ignored = NULL) {
global $ISAPT;
$groupname = ($ISAPT ? "apt-users" : "cloudlab-users");
......@@ -278,6 +287,13 @@ function SPITFOOTER()
</div>
<!-- Placed at the end of the document so the pages load faster -->
</body></html>\n";
};
function SPITFOOTER($ignored = null)
{
global $PAGEFOOTER_FUNCTION;
$PAGEFOOTER_FUNCTION($ignored);
}
function SPITUSERERROR($msg)
......@@ -306,11 +322,16 @@ function SPITAJAX_ERROR($code, $msg)
echo json_encode($results);
}
function SPITNULLREQUIRE()
function SPITREQUIRE($main)
{
echo "<script src='js/lib/jquery-2.0.3.min.js'></script>\n";
echo "<script src='js/lib/bootstrap.js'></script>\n";
echo "<script src='js/lib/require.js' data-main='js/null'></script>\n";
echo "<script src='js/lib/require.js' data-main='js/$main'></script>\n";
}
function SPITNULLREQUIRE()
{
SPITREQUIRE("main");
}
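Review bot: `SPITREQUIRE($main)` interpolates `$main` unescaped into the `data-main` attribute of a script tag; every caller in this commit passes a literal ("async", "main"), so the contract should be written down before a later caller passes request data: `# $main is a literal script basename under js/; it is emitted unescaped.` `SPITNULLREQUIRE()` now loads `js/main` instead of `js/null`, so its name no longer describes what it does; a one-line comment that it is retained for existing callers and is equivalent to `SPITREQUIRE("main")` would help the next reader.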
#
......@@ -504,6 +525,12 @@ function SpitWaitModal($id)
</div>
</div>
</div>\n";
?>
<script>
function ShowWaitModal(name) { $('#' + name).modal('show'); }
function HideWaitModal(name) { $('#' + name).modal('hide'); }
</script>
<?php
}
#
......@@ -656,4 +683,19 @@ function RedirectLoginPage()
}
#
# Check the login and redirect to login page.
#
function CheckLoginOrRedirect()
{
RedirectSecure();
$check_status = 0;
$this_user = CheckLogin($check_status);
if (! ($check_status & CHECKLOGIN_LOGGEDIN)) {
RedirectLoginPage();
}
return $this_user;
}
?>
......@@ -1149,8 +1149,8 @@ function FINISHSIDEBAR($nocontent = 0)
#
# Spit out a vanilla page header.
#
function PAGEHEADER($title, $view = NULL, $extra_headers = NULL,
$notice = NULL) {
$PAGEHEADER_FUNCTION = function($title, $view = NULL, $extra_headers = NULL,
$notice = NULL) {
global $login_status, $login_user;
global $TBBASE, $TBDOCBASE, $THISHOMEBASE;
global $BASEPATH, $drewheader, $autorefresh;
......@@ -1318,12 +1318,19 @@ function PAGEHEADER($title, $view = NULL, $extra_headers = NULL,
if (VIEWSET($view, 'show_topbar', "plab")) {
WRITEPLABTOPBAR();
}
};