Item12180: Make authentication prompts (more) consistent.

git-svn-id: http://svn.foswiki.org/trunk@16044 0b4bb1d4-4e5a-0410-9cc4-b2b747904278

core/lib/Foswiki/Configure/Checkers/ConfigureGUI/Modals/ChangePassword.pm

@@ -30,7 +30,7 @@ sub generateForm {
         removePermitted => (
             $query->auth_type()
               && Foswiki::Configure::UI::passwordState() eq 'OK'
-        ) ? 1 : 01
+        ) ? 1 : 0
     );
 
     # Template is parsed twice intentionally.  See MODAL.pm for why.

core/lib/Foswiki/Configure/Checkers/ConfigureGUI/Modals/Login.pm

@@ -21,6 +21,21 @@ sub generateForm {
     my $this = shift;
     my ( $keys, $query, $session, $template ) = @_;
 
+    if (   saveAuthorized($session)
+        || $badLSC
+        || $query->auth_type
+        || Foswiki::Configure::UI::passwordState() eq 'PASSWORD_NOT_SET' )
+    {
+# Immediate login - already authenticated (should be rare), or password not set.
+
+        refreshLoggedIn($session);
+        refreshSaveAuthorized($session);
+
+        my $e = $this->NOTE("Entering Configuration utility.");
+
+        return $e . $this->FB_MODAL( 'u', "$scriptName" );
+    }
+
     $template->renderButton;
     $template->renderFeedbackWindow;
 
@@ -45,7 +60,7 @@ sub processForm {
 
     my $e = '';
 
-    unless ( saveAuthorized($session) || $badLSC ) {
+    unless ( saveAuthorized($session) || $badLSC || $query->auth_type ) {
         ( my $ok, $e ) = $template->passwordRequiredForm( $query, '' );
 
         # On error, the template has updated displayStatus, which will cause

core/lib/Foswiki/Configure/Checkers/ConfigureGUI/Modals/SaveChanges.pm

@@ -30,26 +30,39 @@ sub generateForm {
 
     my $changesList = [];
     foreach my $key ( sortHashkeyList( keys %$updated ) ) {
-        my $valueString = join( ',', $query->param($key) ) || '';
+        next if ( $key =~ /^\{ConfigureGUI\}/ );
+        my $valueString;
+        my $type = $query->param("TYPEOF:$key") || 'UNKNOWN';
+        if ( $key =~ /password/i ) {
+            $valueString = '•' x 9;
+        }
+        elsif ( $type eq 'BOOLEAN' ) {
+            $valueString = $query->param($key) ? 1 : 0;
+        }
+        else {
+            $valueString = join( ',', $query->param($key) );
+        }
         push( @$changesList, { key => $key, value => $valueString } );
     }
     my @items = sortHashkeyList( keys %$updated ) if $modified;
 
+    my $passChanged = ( defined $cart->param('{Password}') ) ? 1 : 0;
+
     $template->addArgs(
         items         => \@items,
         changesList   => $changesList,
-        modifiedCount => $modified,
+        modifiedCount => $modified - $passChanged,
         user          => ( $query->remote_user() || $ENV{REMOTE_USER} ),
     );
     $template->addArgs(
         displayStatus => (
-            ( $cart->param('{Password}') || $modified )
+            ( $passChanged || $modified )
             ? $MESSAGE_TYPE->{OK}
             : $MESSAGE_TYPE->{NONE}
         ),
     );
 
-    $template->addArgs( changePassword => 1 ) if ( $cart->param('{Password}') );
+    $template->addArgs( changePassword => $passChanged );
     my $passwordProblem =
       ( $query->auth_type() || Foswiki::Configure::UI::passwordState() eq 'OK' )
       ? 0
@@ -126,7 +139,7 @@ sub processForm {
 
     undef $ui;
 
-    my $passChanged = $cart->param('{Password}') ? 1 : 0;
+    my $passChanged = ( defined $cart->param('{Password}') ) ? 1 : 0;
 
     Foswiki::Configure::Feedback::Cart->empty($session);
 
@@ -138,14 +151,25 @@ sub processForm {
 
     my $changesList = [];
     foreach my $key ( sortHashkeyList( keys %$updated ) ) {
-        my $valueString = join( ',', $query->param($key) );
+        next if ( $key =~ /^\{ConfigureGUI\}/ );
+        my $valueString;
+        my $type = $query->param("TYPEOF:$key") || 'UNKNOWN';
+        if ( $key =~ /password/i ) {
+            $valueString = '•' x 9;
+        }
+        elsif ( $type eq 'BOOLEAN' ) {
+            $valueString = $query->param($key) ? 1 : 0;
+        }
+        else {
+            $valueString = join( ',', $query->param($key) );
+        }
         push( @$changesList, { key => $key, value => $valueString } );
     }
     push @$changesList, { key => 'No configuration items changed', value => '' }
       unless (@$changesList);
 
     $template->addArgs(
-        modifiedCount   => $modified,
+        modifiedCount   => $modified - $passChanged,
         changesList     => $changesList,
         passwordChanged => $passChanged,
         fileUpdates     => $filesUpdated,

core/lib/Foswiki/Configure/Feedback.pm

@@ -50,7 +50,7 @@ feedback request has been received.
         # feedback tags along with the main UI, but has a small window
         # for while login screens are being produced.
 
-        if ( loggedIn($session) ) {
+        if ( loggedIn($session) || $badLSC || $query->auth_type ) {
             refreshLoggedIn($session);
 
             return;
@@ -73,6 +73,13 @@ feedback request has been received.
 
         my $ui = Foswiki::Configure::UI->new($value);
 
+        if ( Foswiki::Configure::UI::passwordState() eq 'PASSWORD_NOT_SET' ) {
+
+            # Main screen or modal function will complain, so we don't want to
+            # duplicate that here.
+            return;
+        }
+
         my $checker =
           Foswiki::Configure::UI::loadChecker(
             'ConfigureGUI::Modals::SessionTimeout', $ui );

core/lib/Foswiki/Configure/MainScreen.pm

@@ -31,22 +31,36 @@ sub _authenticateConfigure {
         return;
     }
 
+    # Not logged-in and not using browser authentication
+    #
+    # Password is required if set, advised on main screen if not.
+
+    # Messages:
+    #  0: Password set, must be entered
+    #     Reminds how to reset
+    #  1: Password not set, advise allow login
+    #     N.B. Not set with browser auth doesn't require login (see above)
+
+    my $passwordProblem =
+      ( Foswiki::Configure::UI::passwordState() eq 'OK' ) ? 0 : 1;
+
     require Foswiki::Configure::ModalTemplates;
 
     my ( $template, $templateArgs ) = Foswiki::Configure::ModalTemplates->new;
 
-    my $displayStatus = 0;
-    unless ( $cfg{Password} ) {
-        $displayStatus = 8;
-    }
-    $template->addArgs( displayStatus => $displayStatus, logoutdata(), );
+    $template->addArgs( passwordProblem => $passwordProblem, logoutdata(), );
 
     my $html =
         Foswiki::Configure::UI::getTemplateParser()->readTemplate('pagebegin')
       . $template->extractArgs('login')
       . Foswiki::Configure::UI::getTemplateParser()->readTemplate('pageend');
 
-    $template->renderAutoActivator( 'loginButton', 'Login', 1 );
+    if ($passwordProblem) {
+        $template->renderButton( 'loginButton', 'Login' );
+    }
+    else {
+        $template->renderAutoActivator( 'loginButton', 'Login', 1 );
+    }
     $template->renderFeedbackWindow( 'loginFeedback', 'Login' );
 
     $html = Foswiki::Configure::UI::getTemplateParser()

core/lib/Foswiki/Configure/templates/login.tmpl

@@ -1,33 +1,43 @@
 <#-- Template used for main screen login -->
 
-<h1>Please login</h1>
+<#if passwordProblem == 0>
+  <h1>Please login</h1>
 
-<div class='foswikiFormSteps'>
-  <div class='foswikiFormStep'>
-    <#if displayStatus == 0>
+  <div class='foswikiFormSteps'>
+    <div class='foswikiFormStep'>
       <h2>In order to proceed, Configure requires that you type your password.</h2>
       <#assign loginButtonLabel>Enter Password</#assign>
-    </#if>
-    <#if displayStatus == 8><#assign loginButtonLabel>Enter Configure</#assign></#if>
+
     ${loginButton}
     ${loginFeedback}
+    </div>
     <hr />
-<#if displayStatus == 0>
-  <div class='foswikiHelp'>Password forgotten? To reset your password, log in to the server and delete the <code>$Foswiki::cfg{Password} = '...';</code> line from <code>lib/LocalSite.cfg</code>. Then reload this page and create a new password.</div>
-</#if>
-<#if displayStatus == 8>
-  <div class='foswikiHelp'>No password is set.  You should set a password to protect your configuration as soon as you log in.
+    <div class='foswikiHelp'>Password forgotten? To reset your password, log in to the server and delete the <code>$Foswiki::cfg{Password} = '...';</code> line from <code>lib/LocalSite.cfg</code>. Then reload this page and create a new password.
+    </div>
+  </div>
+<#else>
+  <h1>Security notice</h1>
+
+  <div class='foswikiHelp'>You are not using browser (webserver) authentication to access configure, and you have not set a configure password.  To protect your wiki, we <strong>strongly</strong> recommend that you use at least one of these methods to secure your site. 
+<p> As a first step, you should set a configure password with the <strong>Change password</strong> button on the configure task ba as soon as you login.  You can remove it if you implement webserver authentication later.
   </div>
   <hr />
   <div class='foswikiNotification foswikiAlert'>
     <h3 style="margin-top:0;">Security tips</h3>
+    You can use a configure password as well as webserver authentication to protect configure, or either alone.  
+    <p>The configure password mechanism is provided as a component of your overall security strategy, and to assist you during initial setup of your wiki.  You should consider whether it is right for your site.  <p>Other components, including physical security of your system and webserver authentication can provide per-user control and accountability and more convenience.  For example, X.509 webserver authentication may eliminate the need for a password, while identifying each administrator automatically.  Any webserver-based authentication mechanism allows configure to log changes by username for audit and/or troubleshooting.
+    <p>We recommend that you use the stongest feasible method to protect your site:
     <ol>
       <li>Always use a strong password that can't be guessed easily.</li>
       <li>Always configure the web server so that Configure is only accessible to the people who should use it.</li>
-      <li>If you are running Foswiki on a public website, you can totally disable saving from Configure by making <code>lib/LocalSite.cfg</code> read-only once you are happy with your configuration.</li>
+      <li>Change your password frequently and do not share it</li>
+      <li> Consult documentation (or a security expert) to decide what is best for you.</li>
+      <li>If you are running Foswiki on a public website, you can totally disable saving from Configure by making <code>lib/LocalSite.cfg</code> read-only once you are happy with your configuration.  However, this will make keeping your configuration up-to-date less convenient.</li>
     </ol>
   </div>
+  <hr />
+  <#assign loginButtonLabel>Enter Configure</#assign>
+  ${loginButton}
+  ${loginFeedback}
 </#if>
-  </div>
-</div>
 <div style="display:none" id="{ConfigureGUI}{Unsaved}status"></div>

core/lib/Foswiki/Configure/templates/savechanges.tmpl

@@ -6,14 +6,19 @@
   <form method="post" action="${formAction}" enctype="multipart/form-data" name="SaveChanges">
     <input type="hidden" name="time" value="${time}"  />
 
-    <h2>You are about to update 
+    <h2>You are about to 
+        <#if modifiedCount gt 0> update </#if>
         <#if modifiedCount == 1>
 	  ${modifiedCount} setting
-	<#else>
+	</#if>
+        <#if modifiedCount gt 1>
 	  ${modifiedCount} settings
 	</#if>
-	<#if changePassword??>
-	     - and to change your password...
+	<#if changePassword gt 0 && modifiedCount gt 0>
+	     and change your password
+        </#if>
+        <#if changePassword gt 0 && modifiedCount == 0 >
+             change your password
         </#if>
     </h2>
     <#if changesList??>