Ability to set multiple locks on users, they will be stacked and applied one by one.

Author: cdujeu

core/src/core/src/pydio/Core/Model/UserInterface.php

@@ -95,7 +95,13 @@ public function setLock($lockAction);
     /**
      * @throws \Exception
      */
-    public function removeLock();
+    public function removeLock($lockAction);
+
+    /**
+     * @param $lockAction
+     * @return string|false
+     */
+    public function hasLockByName($lockAction);
 
     /**
      * @return string|false

core/src/core/src/pydio/Core/Services/AuthService.php

@@ -125,7 +125,7 @@ public static function logUser($user_id, $pwd, $bypass_pwd = false, $cookieLogin
         }
 
 
-        if ($user->getLock() === "logout") {
+        if ($user->hasLockByName("logout")) {
             Logger::warning(__CLASS__, "Login failed", array("user" => InputFilter::sanitize($user_id, InputFilter::SANITIZE_EMAILCHARS), "error" => "Locked user"));
             throw new LoginException(-1);
         }

core/src/plugins/access.ajxp_conf/src/UsersManager.php

@@ -290,7 +290,7 @@ public function usersActions(ServerRequestInterface $requestInterface, ResponseI
                         $userMessage    = new UserMessage("Successfully set lock on user ($lockType)");
                         $responseInterface = $responseInterface->withBody(new SerializableResponseStream([$userMessage]));
                     } else {
-                        $userObject->removeLock();
+                        $userObject->removeLock($lockType);
                         $userMessage    = new UserMessage("Successfully unlocked user");
                         $responseInterface = $responseInterface->withBody(new SerializableResponseStream([$userMessage]));
                     }

core/src/plugins/action.disclaimer/DisclaimerProvider.php

@@ -65,7 +65,7 @@ public function toggleDisclaimer(ServerRequestInterface &$request, ResponseInter
 
         if ($httpVars["validate"] == "true") {
 
-            $u->removeLock();
+            $u->removeLock("validate_disclaimer");
             $u->save("superuser");
             AuthService::updateUser($u);
             $repo = SessionRepositoryMiddleware::switchUserToRepository($u, $request);
@@ -116,7 +116,7 @@ public function loadDisclaimer(ServerRequestInterface &$request, ResponseInterfa
      */
     public function updateSharedUser(ContextInterface $ctx, UserInterface $userObject){
         if($userObject->isHidden() && !$this->getContextualOption($ctx, "DISCLAIMER_ENABLE_SHARED")){
-            $userObject->removeLock();
+            $userObject->removeLock("validate_disclaimer");
             $userObject->getPersonalRole()->setParameterValue("action.disclaimer", "DISCLAIMER_ACCEPTED", "yes", AJXP_REPO_SCOPE_SHARED);
             $userObject->save("superuser");
         }
@@ -131,6 +131,13 @@ public function updateSharedUser(ContextInterface $ctx, UserInterface $userObjec
      * @param UserInterface $userObject
      */
     public function updateSharedUserLogin(ContextInterface $ctx, UserInterface $userObject){
+        if(!$userObject->isHidden()){
+            $param = $userObject->getPersonalRole()->filterParameterValue("action.disclaimer", "DISCLAIMER_ACCEPTED", AJXP_REPO_SCOPE_ALL, "no");
+            if($param === "no"){
+                $userObject->setLock("validate_disclaimer");
+                $userObject->save("superuser");
+            }
+        }
         if($userObject->isHidden() && $this->getContextualOption($ctx, "DISCLAIMER_ENABLE_SHARED")){
             $userObject->setLock("validate_disclaimer");
             $userObject->getPersonalRole()->setParameterValue("action.disclaimer", "DISCLAIMER_ACCEPTED", "no", AJXP_REPO_SCOPE_SHARED);

core/src/plugins/authfront.duosecurity/DuoSecurityFrontend.php

@@ -114,7 +114,7 @@ public function postVerificationCode(\Psr\Http\Message\ServerRequestInterface $r
         $verif = Duo::verifyResponse($iKey, $sKey, $appUnique, $sigResponse);
 
         if ($verif != null && $verif == $u->getId()) {
-            $u->removeLock();
+            $u->removeLock("duo_show_iframe");
             $u->save("superuser");
             $u->recomputeMergedRole();
             AuthService::updateUser($u);

core/src/plugins/authfront.otp/OtpAuthFrontend.php

@@ -104,7 +104,10 @@ function tryToLogUser(ServerRequestInterface &$request, ResponseInterface &$resp
             $userid = InputFilter::sanitize($httpVars["userid"], InputFilter::SANITIZE_EMAILCHARS);
             $this->loadConfig(UsersService::getUserById($userid));
             // if there is no configuration for OTP, this means that this user don't have OTP
-            if ((empty($this->googleEnabled) && empty($this->google) && empty($this->googleLast) && empty($this->yubikey1) && empty($this->yubikey2))) {
+            if(empty($this->googleEnabled)){
+                return false;
+            }
+            if (empty($this->google) && empty($this->googleLast) && empty($this->yubikey1) && empty($this->yubikey2)) {
                 return false;
             }
 
@@ -224,7 +227,7 @@ public function getConfigurationCode(ServerRequestInterface $requestInterface, R
             $otp = $requestInterface->getParsedBody()["otp"];
             if($this->checkGooglePass($uObject->getId(), $otp, $this->google, $this->googleLast)){
                 $responseInterface = new JsonResponse(["RESULT" => "OK"]);
-                $uObject->removeLock();
+                $uObject->removeLock("otp_show_setup_screen");
                 $uObject->save("superuser");
             }else{
                 throw new PydioException($mess["authfront.otp.7"]);

core/src/plugins/core.auth/AbstractAuthDriver.php

@@ -90,8 +90,8 @@ public function switchAction(ServerRequestInterface $requestInterface, ResponseI
                 }
                 if (UsersService::checkPassword($userObject->getId(), $oldPass, false, $passSeed)) {
                     UsersService::updatePassword($userObject->getId(), $newPass);
-                    if ($userObject->getLock() == "pass_change") {
-                        $userObject->removeLock();
+                    if ($userObject->hasLockByName("pass_change")) {
+                        $userObject->removeLock("pass_change");
                         $userObject->save("superuser");
                     }
                 } else {

core/src/plugins/core.conf/AbstractUser.php

@@ -247,17 +247,31 @@ public function setProfile($profile)
      */
     public function setLock($lockAction)
     {
-        //$this->rights["ajxp.lock"] = $lockAction;
-        $this->personalRole->setParameterValue('core.conf', 'USER_LOCK_ACTION', $lockAction);
+        $sLock = $this->getLock();
+        $currentLocks = !empty($sLock) ? explode(",", $sLock) : [] ;
+        if(!in_array($lockAction, $currentLocks)){
+            array_unshift($currentLocks, $lockAction);
+        }
+        $locks = implode(",", $currentLocks);
+        $this->personalRole->setParameterValue('core.conf', 'USER_LOCK_ACTION', $locks);
         $this->recomputeMergedRole();
     }
 
-    public function removeLock()
+    /**
+     * @param $lockAction
+     * @throws \Exception
+     */
+    public function removeLock($lockAction)
     {
-        if(isSet($this->rights['ajxp.lock'])){
-            $this->rights["ajxp.lock"] = false;
+        $sLock = $this->getLock();
+        $currentLocks = !empty($sLock) ? explode(",", $sLock) : [] ;
+        $pos = array_search($lockAction, $currentLocks);
+        if($pos !== false){
+            unset($currentLocks[$pos]);
         }
-        $this->personalRole->setParameterValue('core.conf', 'USER_LOCK_ACTION', AJXP_VALUE_CLEAR);
+        $this->rights["ajxp.lock"] = !count($currentLocks) ? false: implode(",", $currentLocks);
+        $newValue = !count($currentLocks) ? AJXP_VALUE_CLEAR : implode(",", $currentLocks);
+        $this->personalRole->setParameterValue('core.conf', 'USER_LOCK_ACTION', $newValue);
         $this->recomputeMergedRole();
     }
 
@@ -266,13 +280,24 @@ public function removeLock()
      */
     public function getLock()
     {
-        if(AJXP_SERVER_DEBUG && $this->isAdmin() && $this->getGroupPath() == "/") return false;
+        if(AJXP_SERVER_DEBUG && $this->isAdmin() && $this->getGroupPath() === "/") return false;
         if (!empty($this->rights["ajxp.lock"])) {
             return $this->rights["ajxp.lock"];
         }
         return $this->mergedRole->filterParameterValue('core.conf', 'USER_LOCK_ACTION', AJXP_REPO_SCOPE_ALL, false);
     }
 
+    /**
+     * @param $lockAction
+     * @return string|false
+     */
+    public function hasLockByName($lockAction){
+        $sLock = $this->getLock();
+        $currentLocks = !empty($sLock) ? explode(",", $sLock) : [] ;
+        return array_search($lockAction, $currentLocks) !== false;
+    }
+
+
     /**
      * @return bool
      */

core/src/plugins/editor.ajxp_role/class.RoleEditor.js

@@ -364,8 +364,11 @@ Class.create("RoleEditor", AbstractEditor, {
                 });
                 modal.currentLightBoxModal.setStyle({display:'block'});
             }.bind(this));
-            var locked = this.roleData.USER.LOCK ? true : false;
-            var b1 = new Element("span", {className:'m-2'}).update((locked?MessageHash["ajxp_role_editor.27"]:MessageHash["ajxp_role_editor.26"]));
+            var locked = this.roleData.USER.LOCK || "";
+            var uLockedOut = locked.indexOf('logout') > 1;
+            var uLockedPass = locked.indexOf('pass_change') > 1;
+
+            var b1 = new Element("span", {className:'m-2'}).update((uLockedOut ?MessageHash["ajxp_role_editor.27"]:MessageHash["ajxp_role_editor.26"]));
             buttonPane.insert(b1);
             var userId = this.roleId.replace("AJXP_USR_/", "");
             b1.observe("click", function(){
@@ -374,16 +377,16 @@ Class.create("RoleEditor", AbstractEditor, {
                     get_action:"edit",
                     sub_action:"user_set_lock",
                     user_id : userId,
-                    lock : (locked?"false":"true")
+                    lock_type:"logout",
+                    lock : (uLockedOut?"false":"true")
                 });
-                if(!locked) conn.addParameter("lock_type", "logout");
                 conn.onComplete = function(transport){
-                    locked = !locked;
-                    b1.update((locked?MessageHash["ajxp_role_editor.27"]:MessageHash["ajxp_role_editor.26"]));
+                    uLockedOut = !uLockedOut;
+                    b1.update((uLockedOut?MessageHash["ajxp_role_editor.27"]:MessageHash["ajxp_role_editor.26"]));
                 }.bind(this);
                 conn.sendAsync();
             }.bind(this) );
-            var b2 = new Element("span", {className:'m-2'}).update(MessageHash["ajxp_role_editor.28"]);
+            var b2 = new Element("span", {className:'m-2'}).update(uLockedPass ? MessageHash["ajxp_role_editor.28b"]: MessageHash["ajxp_role_editor.28"]);
             buttonPane.insert(b2);
             var userId = this.roleId.replace("AJXP_USR_/", "");
             b2.observe("click", function(){
@@ -392,9 +395,13 @@ Class.create("RoleEditor", AbstractEditor, {
                     get_action:"edit",
                     sub_action:"user_set_lock",
                     user_id : userId,
-                    lock : "true",
+                    lock : uLockedPass ? "false" : "true",
                     lock_type : "pass_change"
                 });
+                conn.onComplete = function(transport){
+                    uLockedPass = !uLockedPass;
+                    b2.update((uLockedPass?MessageHash["ajxp_role_editor.28b"]:MessageHash["ajxp_role_editor.28"]));
+                }.bind(this);
                 conn.sendAsync();
             });
 

core/src/plugins/editor.ajxp_role/i18n/de.php

@@ -58,6 +58,7 @@
 "26" => "Benutzer sperren",
 "27" => "Benutzer aktivieren",
 "28" => "Passwortänderung erzwingen",
+"28b"=> "Cancel password change",
 "29" => "Geben Sie ein neues Passwort für den Benutzer ein",
 "30" => "Wiederholen",
 "31" => "Rollen-ID",

core/src/plugins/editor.ajxp_role/i18n/en.php

@@ -52,6 +52,7 @@
 "26" => "Lock out user",
 "27" => "Reactivate user",
 "28" => "Force password change",
+"28b"=> "Cancel password change",
 "29" => "Enter new password for this user",
 "30" => "Confirm",
 "31" => "Role ID",

core/src/plugins/editor.ajxp_role/i18n/fr.php

@@ -52,6 +52,7 @@
 "26" => "Exclure l'utilisateur",
 "27" => "Réactiver l'utilisateur",
 "28" => "Forcer une mise à jour du mot de passe",
+"28b"=> "Annuler la mise à jour forcée du mot de passe",
 "29" => "Entrez le nouveau mot de passe pour cet utilisateur",
 "30" => "Confirmez",
 "31" => "ID rôle",

core/src/plugins/editor.ajxp_role/i18n/it.php

@@ -52,6 +52,7 @@
 "26" => "Blocca Utente",
 "27" => "Riattiva Utente",
 "28" => "Forza cambio",
+"28b"=> "Cancel password change",
 "29" => "Inserisci la nuova password per questo utente",
 "30" => "Conferma",
 "31" => "ID Ruolo",

core/src/plugins/editor.ajxp_role/i18n/pt.php

@@ -52,6 +52,7 @@
 "26" => "Bloquear Utilizador",
 "27" => "Reactivar utilizador",
 "28" => "Forçar Mudança de Palavra-Chave",
+"28b"=> "Cancel password change",
 "29" => "Introduza uma nova Palavra-Chave para este utilizador",
 "30" => "Confirmar",
 "31" => "ID de Papel",

core/src/plugins/editor.ajxp_role/i18n/ru.php

@@ -52,6 +52,7 @@
 "26" => "Блокировка пользователя",
 "27" => "Переактивировать пользователя",
 "28" => "Принудительная смена пароля",
+"28b"=> "Cancel password change",
 "29" => "Введите новый пароль для этого пользователя",
 "30" => "Подтверждение",
 "31" => "ID роли",

core/src/plugins/gui.ajax/res/js/es6/Pydio.es6

@@ -178,8 +178,9 @@ class Pydio extends Observable{
             if(!repositoryObject){
                 if(this.user.lock){
                     this.Controller.loadActionsFromRegistry(this.getXmlRegistry());
+                    let lock = this.user.lock.split(",").shift();
                     window.setTimeout(function(){
-                        this.Controller.fireAction(this.user.lock);
+                        this.Controller.fireAction(lock);
                     }.bind(this), 50);
                     return;
                 }