Bug #14829

Now it isn't anymore possible to change his password through the login
form. This feature has been removed for security reasons.
To change his password, the user has either to reset it in the login form
(if this feature is enabled) or to change it in his profile page once
signed in Silverpeas.

When reseting his password with an invalid login id, the same message is
given than with a valid login id. So nobody cannot know if a user with
such a login id exists or not.

Author: mmoqui

core-api/src/test/resources/org/silverpeas/authentication/settings/authenticationSettings.properties

@@ -22,9 +22,6 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-# Allow user to change his password from login page
-changePwdFromLoginPageActive = false
-
 # By default login answer to personal question is not crypted
 loginAnswerEncrypted = false
 

core-configuration/src/main/config/properties/org/silverpeas/authentication/multilang/forgottenPasswordMail.properties

@@ -27,11 +27,9 @@ newPassword.subject=Confirmation of password reset
 error.subject=Password reset (error)
 admin.subject=Password reset (request)
 
-screen.title.changeRequested = Change your password
 screen.title.reinitRequested = Reset your password
 screen.title.reinitDone = Password reset
-screen.invalidLogin = There is no account for this login. <br/> Please check it...
-screen.reinitRequested = An email has been sent to the email address associated with your account. This message explains how to get a new password. <br/> Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
+screen.reinitRequested=An email has been sent to the email address associated with your account if this one exists. The message will explain you how to get a new password. <br/> Some time may be required prior to receiving the message. Remember to verify the message has not gone into your spam folder. <br /> <br /> If after a while you didn't receive any email, either your login is invalid or the your password change isn't allowed (in this case, contact your administrator).
 screen.reinitNotAllowed = Resetting your password is not allowed. <br/> Please contact your administrator ...
 screen.reinitDone = An email has been sent to the email address associated with your account. This message contains your new password. <br/> Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
 screen.reinitError = Resetting your password failed. <br/> Please contact your administrator ...

core-configuration/src/main/config/properties/org/silverpeas/authentication/multilang/forgottenPasswordMail_fr.properties

@@ -27,11 +27,9 @@ newPassword.subject=Confirmation de r\u00e9initialisation de mot de passe
 error.subject=R\u00e9initialisation de mot de passe (erreur)
 admin.subject=R\u00e9initialisation de mot de passe (demande)
 
-screen.title.changeRequested = Changer votre mot de passe
 screen.title.reinitRequested = R\u00e9initialisation de votre mot de passe
 screen.title.reinitDone = Mot de passe r\u00e9initialis\u00e9
-screen.invalidLogin = Il n'existe aucun compte pour cet identifiant.<br/>Veuillez v\u00e9rifier votre identifiant...
-screen.reinitRequested = Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse \u00e9lectronique associ\u00e9e \u00e0 votre compte. Ce message explique comment obtenir un nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables.
+screen.reinitRequested=Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse email associ\u00e9e \u00e0 de votre compte si celui-ci existe. Le message vous expliquera comment obtenir un nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables. <br /> <br /> Si apr\u00e8s un certain temps vous n'avez toujours pas re\u00e7u de mail, soit votre identifiant est invalide, soit la modification de votre mot de passe n'est permise (auquel cas, contactez votre administrateur).
 screen.reinitNotAllowed = La r\u00e9initialisation de votre mot de passe n'est pas autoris\u00e9.<br/>Veuillez contacter votre administrateur...
 screen.reinitDone = Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse \u00e9lectronique associ\u00e9e \u00e0 votre compte. Ce message contient votre nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables.
 screen.reinitError = La r\u00e9initialisation de votre mot de passe a \u00e9chou\u00e9.<br/>Veuillez contacter votre administrateur...

core-configuration/src/main/config/properties/org/silverpeas/authentication/settings/authenticationSettings.properties

@@ -21,8 +21,6 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
-# Allow user to change his password from login page
-changePwdFromLoginPageActive = false
 
 # By default, login answer to personal question is not encrypted
 loginAnswerEncrypted = false

core-library/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties

@@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
 loginQuestion.2=Quelle est votre ville de naissance ?
 loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
 
-forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
 forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
 forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
 forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-library/src/test/resources/org/silverpeas/authentication/settings/authenticationSettings.properties

@@ -22,9 +22,6 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-# Allow user to change his password from login page
-changePwdFromLoginPageActive = false
-
 # By default login answer to personal question is not crypted
 loginAnswerEncrypted = false
 

core-library/src/test/resources/org/silverpeas/lookAndFeel/generalLook.properties

@@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
 loginQuestion.2=Quelle est votre ville de naissance ?
 loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
 
-forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
 forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
 forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
 forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-services/chat/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties

@@ -71,7 +71,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\u00e8re ?
 loginQuestion.2=Quelle est votre ville de naissance ?
 loginQuestion.3=Quelle est le nom de votre animal pr\u00e9f\u00e9r\u00e9 ?
 
-forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
 forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
 forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
 forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-services/chat/src/test/resources/org/silverpeas/lookAndFeel/generalLook.properties

@@ -71,7 +71,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\u00e8re ?
 loginQuestion.2=Quelle est votre ville de naissance ?
 loginQuestion.3=Quelle est le nom de votre animal pr\u00e9f\u00e9r\u00e9 ?
 
-forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
 forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
 forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
 forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-services/workflow/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties

@@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
 loginQuestion.2=Quelle est votre ville de naissance ?
 loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
 
-forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
 forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
 forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
 forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-test/src/main/resources/org/silverpeas/authentication/settings/authenticationSettings.properties

@@ -21,8 +21,6 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
-# Allow user to change his password from login page
-changePwdFromLoginPageActive = false
 
 # By default login answer to personal question is not encrypted
 loginAnswerEncrypted = false

core-war/src/main/webapp/defaultLogin.jsp

@@ -112,16 +112,6 @@
       }
     }
 
-    function changePassword() {
-      let form = document.getElementById("formLogin");
-      if (form.elements["Login"].value.length === 0) {
-        alert('<fmt:message key="authentication.logon.loginMissing" />');
-      } else {
-        form.action = '<c:url value="/CredentialsServlet/ChangePasswordFromLogin" />';
-        form.submit();
-      }
-    }
-
     function newRegistration() {
       let form = document.getElementById("formLogin");
       form.action = '<c:url value="/CredentialsServlet/NewRegistration" />';
@@ -246,7 +236,6 @@
           <a href="#" class="<%=submitClass%>" onclick="checkForm()"><span><span><fmt:message key="authentication.logon.login.button"/></span></span></a>
         </p>
 
-        <% if (forgottenPwdActive || changePwdFromLoginPageActive) { %>
         <% if (forgottenPwdActive) { %>
         <p>
           <span class="forgottenPwd">
@@ -256,24 +245,6 @@
             <a href="javascript:resetPassword()"><fmt:message key="authentication.logon.passwordReinit"/></a>
           <%} %>
           </span>
-            <% } %>
-
-            <% if (changePwdFromLoginPageActive) { %>
-            <% if (forgottenPwdActive) { %>
-          <span class="separator">|</span>
-          <span class="changePwd">
-            <% } else {%>
-
-        <p>
-          <span class="changePwd">
-          <% } %>
-          <a class="changePwd" href="javascript:changePassword()"><fmt:message key="authentication.logon.changePassword"/></a>
-          </span>
-          <% } %>
-
-          <% if (forgottenPwdActive || changePwdFromLoginPageActive) { %>
-        </p>
-        <% } %>
         <% } %>
       </div>
     </div>

core-war/src/main/webapp/defaultReInitPassword.jsp

@@ -37,11 +37,9 @@
 
   String action = request.getParameter("Action");
   String actionLabel = "";
-  String actionTitle = reinitPasswordBundle.getString((String) request.getAttribute("title"));
+  String actionTitle = reinitPasswordBundle.getString("screen.title.reinitRequested");
 
-  if ("InvalidLogin".equalsIgnoreCase(action)) {
-    actionLabel = reinitPasswordBundle.getString("screen.invalidLogin");
-  } else if ("FirstMailSended".equalsIgnoreCase(action)) {
+  if ("FirstMailSended".equalsIgnoreCase(action)) {
     actionLabel = reinitPasswordBundle.getString("screen.reinitRequested");
   } else if ("ChangeNotAllowed".equalsIgnoreCase(action)) {
     actionLabel = reinitPasswordBundle.getString("screen.reinitNotAllowed");

core-war/src/main/webapp/headLog.jsp

@@ -69,8 +69,6 @@
 // Is "forgotten password" feature active ?
   String pwdResetBehavior = general.getString("forgottenPwdActive", "reinit");
   boolean forgottenPwdActive = !"false".equalsIgnoreCase(pwdResetBehavior);
-  boolean changePwdFromLoginPageActive =
-      authenticationSettings.getBoolean("changePwdFromLoginPageActive", false);
   boolean newRegistrationActive = registrationSettings.isUserSelfRegistrationEnabled();
   boolean virtualKeyboardActive = ResourceLocator.getGeneralSettingBundle().getBoolean("web.tool.virtualKeyboard", false);
 

core-web-test/src/main/resources/org/silverpeas/lookAndFeel/generalLook.properties

@@ -21,41 +21,41 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
-// Page de login par d\ufffdfaut
+# Page de login par d\ufffdfaut
 loginPage =
 
-// Feuille de style par d\ufffdfaut
+# Feuille de style par d\ufffdfaut
 defaultStyleSheet =
 
-// Feuille de style sp\ufffdcifique au login
+# Feuille de style sp\ufffdcifique au login
 defaultLoginStyleSheet =
 
-// Les logos (login et topBar)
+# Les logos (login et topBar)
 logo =
 
-// Id de l'utilisateur anonyme
+# Id de l'utilisateur anonyme
 anonymousId=
 
-// Activation de l'oubli de mot de passe (forgottenPwdActive = personalQuestion || reinit || false)
+# Activation de l'oubli de mot de passe (forgottenPwdActive = personalQuestion || reinit || false)
 forgottenPwdActive = reinit
 userResetPasswordPage = /defaultResetPassword.jsp
 
-// Question personnelle (en cas d'oubli de mot de passe)
+# Question personnelle (en cas d'oubli de mot de passe)
 userLoginQuestionEnabled=true
 userLoginQuestionPage=/defaultLoginQuestion.jsp
 
-// Si l'utilisateur n'a pas encore rempli sa question personnelle,
-// on peut le forcer \ufffd la remplir
+# Si l'utilisateur n'a pas encore rempli sa question personnelle,
+# on peut le forcer \ufffd la remplir
 userLoginQuestionMandatory=true
 userLoginQuestionSelectionPage=/defaultLoginQuestionSelection.jsp
 
-// fonctionnalit\ufffd associ\ufffde \ufffd la question personnelle :
-// si l'utilisateur remplit sa question personnelle pour la premi\ufffdre fois
-// on l'oblige \ufffd changer son mot de passe
+# fonctionnalit\ufffd associ\ufffde \ufffd la question personnelle :
+# si l'utilisateur remplit sa question personnelle pour la premi\ufffdre fois
+# on l'oblige \ufffd changer son mot de passe
 userLoginForcePasswordChange=false
 userLoginForcePasswordChangePage=/defaultForcePasswordChange.jsp
 
-// Liste des questions personnelles propos\ufffdes
+# Liste des questions personnelles propos\ufffdes
 loginQuestion.count=3
 loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
 loginQuestion.2=Quelle est votre ville de naissance ?

core-web/src/main/java/org/silverpeas/core/web/authentication/credentials/ChangePasswordFromLoginHandler.java

@@ -44,13 +44,12 @@ public String getFunction() {
 
   @Override
   public String doAction(HttpServletRequest request) {
-    request.setAttribute("title", "screen.title.reinitRequested");
     LoginData loginData = fetchLoginData(request);
     if (loginData.isInvalid()) {
       // Login incorrect.
       request.setAttribute("login", loginData.getLoginId());
       request.setAttribute("domain", loginData.getDomainName());
-      return getGeneral().getString("forgottenPasswordChangeNotAllowed");
+      return getGeneral().getString("forgottenPasswordChangeAllowed");
     }
 
     ValidLoginData validLogin = (ValidLoginData) loginData;