
Commit 0c52bd9

Bug #14829
Now it isn't possible anymore to change his password through the login form. This feature has been removed for security reasons. To change his password, the user has either to reset it in the login form (if this feature is enabled) or to change it in his profile page once signed in to Silverpeas. When resetting his password with an invalid login id, the same message is given as with a valid login id. So nobody can know whether a user with such a login id exists or not.
1 parent 1c6f5f3 commit 0c52bd9

17 files changed: +18 −126 lines changed


core-api/src/test/resources/org/silverpeas/authentication/settings/authenticationSettings.properties

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,6 @@
2222
# along with this program. If not, see <https://www.gnu.org/licenses/>.
2323
#
2424

25-
# Allow user to change his password from login page
26-
changePwdFromLoginPageActive = false
27-
2825
# By default login answer to personal question is not crypted
2926
loginAnswerEncrypted = false
3027

core-configuration/src/main/config/properties/org/silverpeas/authentication/multilang/forgottenPasswordMail.properties

Lines changed: 1 addition & 3 deletions
@@ -27,11 +27,9 @@ newPassword.subject=Confirmation of password reset
2727
error.subject=Password reset (error)
2828
admin.subject=Password reset (request)
2929

30-
screen.title.changeRequested = Change your password
3130
screen.title.reinitRequested = Reset your password
3231
screen.title.reinitDone = Password reset
33-
screen.invalidLogin = There is no account for this login. <br/> Please check it...
34-
screen.reinitRequested = An email has been sent to the email address associated with your account. This message explains how to get a new password. <br/> Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
32+
screen.reinitRequested=An email has been sent to the email address associated with your account if this one exists. The message will explain you how to get a new password. <br/> Some time may be required prior to receiving the message. Remember to verify the message has not gone into your spam folder. <br /> <br /> If after a while you didn't receive any email, either your login is invalid or the your password change isn't allowed (in this case, contact your administrator).
3533
screen.reinitNotAllowed = Resetting your password is not allowed. <br/> Please contact your administrator ...
3634
screen.reinitDone = An email has been sent to the email address associated with your account. This message contains your new password. <br/> Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
3735
screen.reinitError = Resetting your password failed. <br/> Please contact your administrator ...
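Review bot: the new screen.reinitRequested text on line 32 carries grammar slips that every user requesting a reset will read: "The message will explain you how to get" should be "The message will explain how to get", "if this one exists" reads better as "if such an account exists", and "the your password change isn't allowed" has a stray "the". The key on the new line is written `screen.reinitRequested=` while its neighbours use ` = `; harmless for Properties, but keep the file's spacing. Note also that screen.reinitNotAllowed (line 33) is kept for the ChangeNotAllowed action, so the new sentence "either your login is invalid or your password change isn't allowed" only describes the page a user actually sees for the invalid-login case.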

core-configuration/src/main/config/properties/org/silverpeas/authentication/multilang/forgottenPasswordMail_fr.properties

Lines changed: 1 addition & 3 deletions
@@ -27,11 +27,9 @@ newPassword.subject=Confirmation de r\u00e9initialisation de mot de passe
2727
error.subject=R\u00e9initialisation de mot de passe (erreur)
2828
admin.subject=R\u00e9initialisation de mot de passe (demande)
2929

30-
screen.title.changeRequested = Changer votre mot de passe
3130
screen.title.reinitRequested = R\u00e9initialisation de votre mot de passe
3231
screen.title.reinitDone = Mot de passe r\u00e9initialis\u00e9
33-
screen.invalidLogin = Il n'existe aucun compte pour cet identifiant.<br/>Veuillez v\u00e9rifier votre identifiant...
34-
screen.reinitRequested = Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse \u00e9lectronique associ\u00e9e \u00e0 votre compte. Ce message explique comment obtenir un nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables.
32+
screen.reinitRequested=Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse email associ\u00e9e \u00e0 de votre compte si celui-ci existe. Le message vous expliquera comment obtenir un nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables. <br /> <br /> Si apr\u00e8s un certain temps vous n'avez toujours pas re\u00e7u de mail, soit votre identifiant est invalide, soit la modification de votre mot de passe n'est permise (auquel cas, contactez votre administrateur).
3533
screen.reinitNotAllowed = La r\u00e9initialisation de votre mot de passe n'est pas autoris\u00e9.<br/>Veuillez contacter votre administrateur...
3634
screen.reinitDone = Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse \u00e9lectronique associ\u00e9e \u00e0 votre compte. Ce message contient votre nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables.
3735
screen.reinitError = La r\u00e9initialisation de votre mot de passe a \u00e9chou\u00e9.<br/>Veuillez contacter votre administrateur...
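Review bot: line 32 of the French bundle has two grammatical errors: "associée à de votre compte" should be "associée à votre compte", and "soit la modification de votre mot de passe n'est permise" is missing the negation and should read "n'est pas permise". The line also switches from "adresse électronique" to "adresse email" while the unchanged screen.reinitDone line below still says "adresse électronique"; keep one term across the bundle.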

core-configuration/src/main/config/properties/org/silverpeas/authentication/settings/authenticationSettings.properties

Lines changed: 0 additions & 2 deletions
@@ -21,8 +21,6 @@
2121
# You should have received a copy of the GNU Affero General Public License
2222
# along with this program. If not, see <https://www.gnu.org/licenses/>.
2323
#
24-
# Allow user to change his password from login page
25-
changePwdFromLoginPageActive = false
2624

2725
# By default, login answer to personal question is not encrypted
2826
loginAnswerEncrypted = false
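Review bot: dropping changePwdFromLoginPageActive from the shipped settings means an existing installation that set it to true will have the key silently ignored once headLog.jsp stops reading it. Since the removal is intentional, add a line to the release notes or migration guide stating that the property is obsolete, and consider logging a warning at startup when the key is still present so administrators learn that the login-page password change no longer exists.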

core-library/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties

Lines changed: 0 additions & 1 deletion
@@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
6161
loginQuestion.2=Quelle est votre ville de naissance ?
6262
loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
6363

64-
forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
6564
forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
6665
forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
6766
forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended
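Review bot: forgottenPasswordInvalidLogin is deleted from five test and integration-test copies of generalLook.properties in this commit, but no production copy of generalLook.properties appears in the file list; confirm that the shipped copy and every `getGeneral().getString("forgottenPasswordInvalidLogin")` caller are gone too, otherwise that lookup now hits a missing key at runtime. Unrelated to the change itself, context lines 61 and 63 contain U+FFFD replacement characters ("m\ufffdre", "pr\ufffdf\ufffdr\ufffd") where `\u00e8` and `\u00e9` belong; the chat-module copies of this file have the correct escapes, so a follow-up could align these.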

core-library/src/test/resources/org/silverpeas/authentication/settings/authenticationSettings.properties

Lines changed: 0 additions & 3 deletions
@@ -22,9 +22,6 @@
2222
# along with this program. If not, see <https://www.gnu.org/licenses/>.
2323
#
2424

25-
# Allow user to change his password from login page
26-
changePwdFromLoginPageActive = false
27-
2825
# By default login answer to personal question is not crypted
2926
loginAnswerEncrypted = false
3027

core-library/src/test/resources/org/silverpeas/lookAndFeel/generalLook.properties

Lines changed: 0 additions & 1 deletion
@@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
6161
loginQuestion.2=Quelle est votre ville de naissance ?
6262
loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
6363

64-
forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
6564
forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
6665
forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
6766
forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-services/chat/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties

Lines changed: 0 additions & 1 deletion
@@ -71,7 +71,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\u00e8re ?
7171
loginQuestion.2=Quelle est votre ville de naissance ?
7272
loginQuestion.3=Quelle est le nom de votre animal pr\u00e9f\u00e9r\u00e9 ?
7373

74-
forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
7574
forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
7675
forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
7776
forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-services/chat/src/test/resources/org/silverpeas/lookAndFeel/generalLook.properties

Lines changed: 0 additions & 1 deletion
@@ -71,7 +71,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\u00e8re ?
7171
loginQuestion.2=Quelle est votre ville de naissance ?
7272
loginQuestion.3=Quelle est le nom de votre animal pr\u00e9f\u00e9r\u00e9 ?
7373

74-
forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
7574
forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
7675
forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
7776
forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-services/workflow/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties

Lines changed: 0 additions & 1 deletion
@@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
6161
loginQuestion.2=Quelle est votre ville de naissance ?
6262
loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
6363

64-
forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
6564
forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
6665
forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
6766
forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended

core-test/src/main/resources/org/silverpeas/authentication/settings/authenticationSettings.properties

Lines changed: 0 additions & 2 deletions
@@ -21,8 +21,6 @@
2121
# You should have received a copy of the GNU Affero General Public License
2222
# along with this program. If not, see <https://www.gnu.org/licenses/>.
2323
#
24-
# Allow user to change his password from login page
25-
changePwdFromLoginPageActive = false
2624

2725
# By default login answer to personal question is not encrypted
2826
loginAnswerEncrypted = false

core-war/src/main/webapp/defaultLogin.jsp

Lines changed: 0 additions & 29 deletions
@@ -112,16 +112,6 @@
112112
}
113113
}
114114
115-
function changePassword() {
116-
let form = document.getElementById("formLogin");
117-
if (form.elements["Login"].value.length === 0) {
118-
alert('<fmt:message key="authentication.logon.loginMissing" />');
119-
} else {
120-
form.action = '<c:url value="/CredentialsServlet/ChangePasswordFromLogin" />';
121-
form.submit();
122-
}
123-
}
124-
125115
function newRegistration() {
126116
let form = document.getElementById("formLogin");
127117
form.action = '<c:url value="/CredentialsServlet/NewRegistration" />';
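Review bot: with changePassword() removed, nothing posts to /CredentialsServlet/ChangePasswordFromLogin any more and ChangePasswordFromLoginHandler.java is deleted in this commit, but check that the function name is also removed from wherever CredentialsServlet maps function names to handler classes; a stale mapping either fails at class load or leaves a route that answers with an error page. The message key authentication.logon.changePassword used by the removed link is now most likely unused in the multilang bundles and can be dropped alongside.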
@@ -246,7 +236,6 @@
246236
<a href="#" class="<%=submitClass%>" onclick="checkForm()"><span><span><fmt:message key="authentication.logon.login.button"/></span></span></a>
247237
</p>
248238

249-
<% if (forgottenPwdActive || changePwdFromLoginPageActive) { %>
250239
<% if (forgottenPwdActive) { %>
251240
<p>
252241
<span class="forgottenPwd">
@@ -256,24 +245,6 @@
256245
<a href="javascript:resetPassword()"><fmt:message key="authentication.logon.passwordReinit"/></a>
257246
<%} %>
258247
</span>
259-
<% } %>
260-
261-
<% if (changePwdFromLoginPageActive) { %>
262-
<% if (forgottenPwdActive) { %>
263-
<span class="separator">|</span>
264-
<span class="changePwd">
265-
<% } else {%>
266-
267-
<p>
268-
<span class="changePwd">
269-
<% } %>
270-
<a class="changePwd" href="javascript:changePassword()"><fmt:message key="authentication.logon.changePassword"/></a>
271-
</span>
272-
<% } %>
273-
274-
<% if (forgottenPwdActive || changePwdFromLoginPageActive) { %>
275-
</p>
276-
<% } %>
277248
<% } %>
278249
</div>
279250
</div>
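Review bot: the `<p>` opened on new line 240 (inside `if (forgottenPwdActive)`) is no longer closed: old line 275 `</p>` is deleted together with the outer condition and nothing replaces it, so the generated markup before the kept `<% } %>` on new line 248 ends at `</span>` and the paragraph stays open until the browser auto-closes it at `</div>`. Add `</p>` after `</span>` on new line 247, inside the remaining scriptlet block, so the page validates.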

core-war/src/main/webapp/defaultReInitPassword.jsp

Lines changed: 2 additions & 4 deletions
@@ -37,11 +37,9 @@
3737
3838
String action = request.getParameter("Action");
3939
String actionLabel = "";
40-
String actionTitle = reinitPasswordBundle.getString((String) request.getAttribute("title"));
40+
String actionTitle = reinitPasswordBundle.getString("screen.title.reinitRequested");
4141
42-
if ("InvalidLogin".equalsIgnoreCase(action)) {
43-
actionLabel = reinitPasswordBundle.getString("screen.invalidLogin");
44-
} else if ("FirstMailSended".equalsIgnoreCase(action)) {
42+
if ("FirstMailSended".equalsIgnoreCase(action)) {
4543
actionLabel = reinitPasswordBundle.getString("screen.reinitRequested");
4644
} else if ("ChangeNotAllowed".equalsIgnoreCase(action)) {
4745
actionLabel = reinitPasswordBundle.getString("screen.reinitNotAllowed");
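Review bot: hard-coding screen.title.reinitRequested on new line 40 drops the `title` request attribute entirely, so a page reached with Action=NewPasswordSended now shows the "Reset your password" title instead of screen.title.reinitDone, and any handler that still sets the `title` attribute does so for nothing. Either derive the title from the action in the same if/else chain (reinitDone for NewPasswordSended, reinitRequested otherwise) or remove the now unused screen.title.reinitDone key from both bundles. Removing the InvalidLogin branch is correct, since ForgotPasswordHandler no longer produces that action.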

core-war/src/main/webapp/headLog.jsp

Lines changed: 0 additions & 2 deletions
@@ -69,8 +69,6 @@
6969
// Is "forgotten password" feature active ?
7070
String pwdResetBehavior = general.getString("forgottenPwdActive", "reinit");
7171
boolean forgottenPwdActive = !"false".equalsIgnoreCase(pwdResetBehavior);
72-
boolean changePwdFromLoginPageActive =
73-
authenticationSettings.getBoolean("changePwdFromLoginPageActive", false);
7472
boolean newRegistrationActive = registrationSettings.isUserSelfRegistrationEnabled();
7573
boolean virtualKeyboardActive = ResourceLocator.getGeneralSettingBundle().getBoolean("web.tool.virtualKeyboard", false);
7674
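Review bot: after deleting lines 72-73, `authenticationSettings` may have no remaining reader in headLog.jsp; if that was its only use, drop its declaration and the import behind it so the page stops loading a bundle it never consults.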

core-web-test/src/main/resources/org/silverpeas/lookAndFeel/generalLook.properties

Lines changed: 13 additions & 13 deletions
@@ -21,41 +21,41 @@
2121
# You should have received a copy of the GNU Affero General Public License
2222
# along with this program. If not, see <https://www.gnu.org/licenses/>.
2323
#
24-
// Page de login par d\ufffdfaut
24+
# Page de login par d\ufffdfaut
2525
loginPage =
2626

27-
// Feuille de style par d\ufffdfaut
27+
# Feuille de style par d\ufffdfaut
2828
defaultStyleSheet =
2929

30-
// Feuille de style sp\ufffdcifique au login
30+
# Feuille de style sp\ufffdcifique au login
3131
defaultLoginStyleSheet =
3232

33-
// Les logos (login et topBar)
33+
# Les logos (login et topBar)
3434
logo =
3535

36-
// Id de l'utilisateur anonyme
36+
# Id de l'utilisateur anonyme
3737
anonymousId=
3838

39-
// Activation de l'oubli de mot de passe (forgottenPwdActive = personalQuestion || reinit || false)
39+
# Activation de l'oubli de mot de passe (forgottenPwdActive = personalQuestion || reinit || false)
4040
forgottenPwdActive = reinit
4141
userResetPasswordPage = /defaultResetPassword.jsp
4242

43-
// Question personnelle (en cas d'oubli de mot de passe)
43+
# Question personnelle (en cas d'oubli de mot de passe)
4444
userLoginQuestionEnabled=true
4545
userLoginQuestionPage=/defaultLoginQuestion.jsp
4646

47-
// Si l'utilisateur n'a pas encore rempli sa question personnelle,
48-
// on peut le forcer \ufffd la remplir
47+
# Si l'utilisateur n'a pas encore rempli sa question personnelle,
48+
# on peut le forcer \ufffd la remplir
4949
userLoginQuestionMandatory=true
5050
userLoginQuestionSelectionPage=/defaultLoginQuestionSelection.jsp
5151

52-
// fonctionnalit\ufffd associ\ufffde \ufffd la question personnelle :
53-
// si l'utilisateur remplit sa question personnelle pour la premi\ufffdre fois
54-
// on l'oblige \ufffd changer son mot de passe
52+
# fonctionnalit\ufffd associ\ufffde \ufffd la question personnelle :
53+
# si l'utilisateur remplit sa question personnelle pour la premi\ufffdre fois
54+
# on l'oblige \ufffd changer son mot de passe
5555
userLoginForcePasswordChange=false
5656
userLoginForcePasswordChangePage=/defaultForcePasswordChange.jsp
5757

58-
// Liste des questions personnelles propos\ufffdes
58+
# Liste des questions personnelles propos\ufffdes
5959
loginQuestion.count=3
6060
loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
6161
loginQuestion.2=Quelle est votre ville de naissance ?
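Review bot: switching the `//` prefix to `#` is more than cosmetic and deserves a mention in the commit message: java.util.Properties does not treat `//` as a comment, so each of these lines was previously loaded as a key named `//` with the French text as its value. Since the lines are rewritten anyway, also repair the U+FFFD replacement characters in them (`d\ufffdfaut`, `sp\ufffdcifique`, `forcer \ufffd`, `fonctionnalit\ufffd associ\ufffde`, `premi\ufffdre`, `propos\ufffdes`) with the proper `\u00e9`, `\u00e0` and `\u00e8` escapes that the chat-module copies of this file use, rather than carrying the mojibake forward in a touched line.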

core-web/src/main/java/org/silverpeas/core/web/authentication/credentials/ChangePasswordFromLoginHandler.java

Lines changed: 0 additions & 55 deletions
This file was deleted.

core-web/src/main/java/org/silverpeas/core/web/authentication/credentials/ForgotPasswordHandler.java

Lines changed: 1 addition & 2 deletions
@@ -44,13 +44,12 @@ public String getFunction() {
4444

4545
@Override
4646
public String doAction(HttpServletRequest request) {
47-
request.setAttribute("title", "screen.title.reinitRequested");
4847
LoginData loginData = fetchLoginData(request);
4948
if (loginData.isInvalid()) {
5049
// Login incorrect.
5150
request.setAttribute("login", loginData.getLoginId());
5251
request.setAttribute("domain", loginData.getDomainName());
53-
return getGeneral().getString("forgottenPasswordChangeNotAllowed");
52+
return getGeneral().getString("forgottenPasswordChangeAllowed");
5453
}
5554

5655
ValidLoginData validLogin = (ValidLoginData) loginData;
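Review bot: returning forgottenPasswordChangeAllowed on the invalid-login path (new line 52) sends both outcomes to the same page, which is the goal, but two differences stay observable. First, timing: the valid path continues into the ValidLoginData handling and the mail send before responding, while the invalid path returns immediately; a measurable response-time gap undoes the message change, so hand the mail off asynchronously or make the invalid path perform comparable work. Second, the `login` and `domain` attributes are still set on the invalid path (lines 50-51); if the target JSP renders them that is fine, but verify nothing else on that page differs between the two cases. Also, if a valid login whose password change is not allowed still returns forgottenPasswordChangeNotAllowed (the ChangeNotAllowed branch in defaultReInitPassword.jsp and the screen.reinitNotAllowed key are kept), that outcome remains distinguishable from a nonexistent login, which the new bundle text ("either your login is invalid or your password change isn't allowed") implies it should not be; consider routing that case to the same page and leaving the explanation to the administrator.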
