
Improve ThinkUp's password policy

* Require new passwords to be at least 8 characters long and to contain both letters and numbers
Closes #999, closes #1072
commit 814c58217a16aea8b375356d2e9a49f38eb2adcd 1 parent d2e80db
Soon Van randomecho authored committed
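--- a/tests/TestOfAccountConfigurationController.php
+++ b/tests/TestOfAccountConfigurationController.php
@@ -434,8 +434,8 @@ public function testAuthControlLoggedInChangePasswordNoCSRFToken() {
 $this->simulateLogin('me@example.com', false, true);
 $_POST['changepass'] = 'Change password';
 $_POST['oldpass'] = 'oldpassword';
-$_POST['pass1'] = 'newpassword';
-$_POST['pass2'] = 'newpassword';
+$_POST['pass1'] = 'newpassword1';
+$_POST['pass2'] = 'newpassword1';
 
 $controller = new AccountConfigurationController(true);
 try {
@@ -451,8 +451,8 @@ public function testAuthControlLoggedInChangePasswordSuccess() {
 $this->simulateLogin('me@example.com', false, true);
 $_POST['changepass'] = 'Change password';
 $_POST['oldpass'] = 'oldpassword';
-$_POST['pass1'] = 'newpassword';
-$_POST['pass2'] = 'newpassword';
+$_POST['pass1'] = '123newpassword';
+$_POST['pass2'] = '123newpassword';
 $_GET['csrf_token'] = parent::CSRF_TOKEN;
 
 $controller = new AccountConfigurationController(true);
@@ -593,7 +593,39 @@ public function testAuthControlLoggedInChangePasswordNewPwdTooShort() {
 $this->assertEqual($owner->email, 'me@example.com');
 $error_msgs = $v_mgr->getTemplateDataItem('error_msgs');
 $this->assertEqual($error_msgs['password'],
-'New password must be at least 5 characters. Your password has not been changed.');
+'Your new password must be at least 8 characters and contain both numbers and letters. '.
+'Your password has not been changed.');
+
+//not set: owners, body, success_msg, error_msg
+$this->assertTrue(!$v_mgr->getTemplateDataItem('owners'));
+$this->assertTrue(!$v_mgr->getTemplateDataItem('body'));
+$this->assertTrue(!$v_mgr->getTemplateDataItem('success_msg'));
+}
+
+public function testAuthControlLoggedInChangePasswordNewPwdNotAlphanumeric() {
+$this->simulateLogin('me@example.com');
+$_POST['changepass'] = 'Change password';
+$_POST['oldpass'] = 'oldpassword';
+$_POST['pass1'] = 'newpasscode';
+$_POST['pass2'] = 'newpasscode';
+
+$controller = new AccountConfigurationController(true);
+$results = $controller->go();
+
+//test if view variables were set correctly
+$v_mgr = $controller->getViewManager();
+$this->assertIsA($v_mgr->getTemplateDataItem('installed_plugins'), 'array');
+$this->assertEqual(sizeof($v_mgr->getTemplateDataItem('installed_plugins')), 7);
+
+$owner = $v_mgr->getTemplateDataItem('owner');
+$this->assertIsA($owner, 'Owner');
+$this->assertTrue(!$owner->is_admin);
+$this->assertEqual($owner->full_name, 'ThinkUp J. User');
+$this->assertEqual($owner->email, 'me@example.com');
+$error_msgs = $v_mgr->getTemplateDataItem('error_msgs');
+$this->assertEqual($error_msgs['password'],
+'Your new password must be at least 8 characters and contain both numbers and letters. '.
+'Your password has not been changed.');
 
 //not set: owners, body, success_msg, error_msg
 $this->assertTrue(!$v_mgr->getTemplateDataItem('owners'));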
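Review bot: The new testAuthControlLoggedInChangePasswordNewPwdNotAlphanumeric only exercises a letters-only password ('newpasscode'); the digits-only case, which the `(?=.*[a-zA-Z])` lookahead in AccountConfigurationController rejects just as firmly, has no test, so a regression that dropped the letter requirement would go unnoticed. Add a sibling case with `$_POST['pass1'] = '123456789';` and `$_POST['pass2'] = '123456789';` asserting the same error message. The test also sends no `$_GET['csrf_token']`, which works only because the policy check precedes validateCSRFToken() in the controller; a one-line comment such as `// policy check runs before the CSRF check, so no token is needed here` would stop the next reader from "fixing" the test. The third hunk begins inside testAuthControlLoggedInChangePasswordNewPwdTooShort, whose start is outside this view.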
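--- a/tests/TestOfRegisterController.php
+++ b/tests/TestOfRegisterController.php
@@ -130,6 +130,54 @@ public function testMismatchedPasswords() {
 $this->assertEqual($v_mgr->getTemplateDataItem('mail'), 'angie@example.com');
 }
 
+public function testPasswordPolicyTooShort() {
+// make sure registration is on...
+$bvalues = array('namespace' => OptionDAO::APP_OPTIONS, 'option_name' => 'is_registration_open',
+'option_value' => 'true');
+$bdata = FixtureBuilder::build('options', $bvalues);
+
+$_POST['Submit'] = 'Register';
+$_POST['full_name'] = "Angelina Jolie";
+$_POST['email'] = 'angie@example.com';
+$_POST['user_code'] = '123456';
+$_POST['pass1'] = 'mypass';
+$_POST['pass2'] = 'mypass';
+$controller = new RegisterController(true);
+$results = $controller->go();
+
+$v_mgr = $controller->getViewManager();
+$this->assertEqual($v_mgr->getTemplateDataItem('controller_title'), 'Register');
+$error_msgs = $v_mgr->getTemplateDataItem('error_msgs');
+$this->assertEqual($error_msgs['password'], 'Password must be at least 8 characters and contain both numbers '.
+'and letters.');
+$this->assertEqual($v_mgr->getTemplateDataItem('name'), 'Angelina Jolie');
+$this->assertEqual($v_mgr->getTemplateDataItem('mail'), 'angie@example.com');
+}
+
+public function testPasswordPolicyNotMixed() {
+// make sure registration is on...
+$bvalues = array('namespace' => OptionDAO::APP_OPTIONS, 'option_name' => 'is_registration_open',
+'option_value' => 'true');
+$bdata = FixtureBuilder::build('options', $bvalues);
+
+$_POST['Submit'] = 'Register';
+$_POST['full_name'] = "Angelina Jolie";
+$_POST['email'] = 'angie@example.com';
+$_POST['user_code'] = '123456';
+$_POST['pass1'] = 'mypassnomix';
+$_POST['pass2'] = 'mypassnomix';
+$controller = new RegisterController(true);
+$results = $controller->go();
+
+$v_mgr = $controller->getViewManager();
+$this->assertEqual($v_mgr->getTemplateDataItem('controller_title'), 'Register');
+$error_msgs = $v_mgr->getTemplateDataItem('error_msgs');
+$this->assertEqual($error_msgs['password'], 'Password must be at least 8 characters and contain both numbers '.
+'and letters.');
+$this->assertEqual($v_mgr->getTemplateDataItem('name'), 'Angelina Jolie');
+$this->assertEqual($v_mgr->getTemplateDataItem('mail'), 'angie@example.com');
+}
+
 public function testSuccessfulRegistration() {
 $config = Config::getInstance();
 $site_root_path = $config->getValue('site_root_path');
@@ -144,8 +192,8 @@ public function testSuccessfulRegistration() {
 $_POST['full_name'] = "Angelina Jolie";
 $_POST['email'] = 'angie@example.com';
 $_POST['user_code'] = '123456';
-$_POST['pass1'] = 'mypass';
-$_POST['pass2'] = 'mypass';
+$_POST['pass1'] = 'mypass123';
+$_POST['pass2'] = 'mypass123';
 $controller = new RegisterController(true);
 $results = $controller->go();
 
@@ -183,8 +231,8 @@ public function testSuccessfulRegistrationWithSSL() {
 $_POST['full_name'] = "Angelina Jolie";
 $_POST['email'] = 'angie@example.com';
 $_POST['user_code'] = '123456';
-$_POST['pass1'] = 'mypass';
-$_POST['pass2'] = 'mypass';
+$_POST['pass1'] = 'mypass123';
+$_POST['pass2'] = 'mypass123';
 $controller = new RegisterController(true);
 $results = $controller->go();
 
@@ -215,8 +263,8 @@ public function testSpaceInHostName() {
 $_POST['full_name'] = "Angelina Jolie";
 $_POST['email'] = 'angie@example.com';
 $_POST['user_code'] = '123456';
-$_POST['pass1'] = 'mypass';
-$_POST['pass2'] = 'mypass';
+$_POST['pass1'] = 'm1y2p3ass';
+$_POST['pass2'] = 'm1y2p3ass';
 $config = Config::getInstance();
 $config->setValue('site_root_path', 'test url with spaces/');
 $controller = new RegisterController(true);
@@ -238,8 +286,8 @@ public function testSlashesInHostName() {
 $_POST['full_name'] = "Angelina Jolie";
 $_POST['email'] = 'angie@example.com';
 $_POST['user_code'] = '123456';
-$_POST['pass1'] = 'mypass';
-$_POST['pass2'] = 'mypass';
+$_POST['pass1'] = '123mypass';
+$_POST['pass2'] = '123mypass';
 $config = Config::getInstance();
 $config->setValue('site_root_path', 'test url with spaces/and/a few/slashes/too/');
 $controller = new RegisterController(true);
@@ -267,8 +315,8 @@ public function testInviteUser() {
 $_POST['full_name'] = "Angelina Jolie";
 $_POST['email'] = 'angie@example.com';
 $_POST['user_code'] = '123456';
-$_POST['pass1'] = 'mypass';
-$_POST['pass2'] = 'mypass';
+$_POST['pass1'] = 'my123pass';
+$_POST['pass2'] = 'my123pass';
 $controller = new RegisterController(true);
 $results = $controller->go();
 
@@ -303,8 +351,8 @@ public function testInviteExpiredCode() {
 $_POST['Submit'] = 'Register';
 $_POST['email'] = 'angie@example.com';
 $_POST['user_code'] = '123456';
-$_POST['pass1'] = 'mypass';
-$_POST['pass2'] = 'mypass';
+$_POST['pass1'] = 'my12pass3';
+$_POST['pass2'] = 'my12pass3';
 $controller = new RegisterController(true);
 $results = $controller->go();
 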
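Review bot: testPasswordPolicyTooShort feeds 'mypass', which breaks both rules at once (six characters, letters only), so the test would still pass if the `(?=.{8,})` length lookahead were removed from RegisterController; it does not actually pin the length rule. Use a value that fails on length alone, e.g. `$_POST['pass1'] = 'mypass1';` and `$_POST['pass2'] = 'mypass1';` (seven characters, mixed). testPasswordPolicyNotMixed isolates the mix rule correctly with 'mypassnomix', but a digits-only input such as '123456789' is not covered either. A short comment above each case naming the single rule it targets would keep future fixture edits from collapsing them again.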
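--- a/tests/WebTestOfChangePassword.php
+++ b/tests/WebTestOfChangePassword.php
@@ -136,6 +136,7 @@ public function testChangePasswordNewPasswordsNotLongEnough() {
 $this->setField('pass1', 'dd');
 $this->setField('pass2', 'dd');
 $this->click('Change password');
-$this->assertText('New password must be at least 5 characters. Your password has not been changed.');
+$this->assertText('Your new password must be at least 8 characters and contain both numbers and letters. '.
+'Your password has not been changed.');
 }
 }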
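--- a/tests/WebTestOfRegistration.php
+++ b/tests/WebTestOfRegistration.php
@@ -62,8 +62,8 @@ public function testSuccessfulRegistration() {
 
 $this->setFieldById('full_name', 'Test User');
 $this->setFieldById('email', 'TestUser@example.com');
-$this->setFieldById('pass1', 'p4sswd');
-$this->setFieldById('pass2', 'p4sswd');
+$this->setFieldById('pass1', 'p4sswd123');
+$this->setFieldById('pass2', 'p4sswd123');
 $this->setFieldById('user_code', '123456');
 $this->clickSubmitById('login-save');
 
@@ -108,8 +108,8 @@ public function testValidInvitationCode() {
 
 $this->setFieldById('full_name', 'Test User');
 $this->setFieldById('email', 'TestUser@example.com');
-$this->setFieldById('pass1', 'p4sswd');
-$this->setFieldById('pass2', 'p4sswd');
+$this->setFieldById('pass1', 'p4sswd123');
+$this->setFieldById('pass2', 'p4sswd123');
 $this->setFieldById('user_code', '123456');
 $this->clickSubmitById('login-save');
 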
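--- a/webapp/_lib/controller/class.AccountConfigurationController.php
+++ b/webapp/_lib/controller/class.AccountConfigurationController.php
@@ -68,9 +68,9 @@ public function authControl() {
 $this->addErrorMessage("Old password does not match or empty.", 'password');
 } elseif ($_POST['pass1'] != $_POST['pass2']) {
 $this->addErrorMessage("New passwords did not match. Your password has not been changed.", 'password');
-} elseif (strlen($_POST['pass1']) < 5) {
-$this->addErrorMessage("New password must be at least 5 characters. ".
-"Your password has not been changed.", 'password' );
+} elseif (!preg_match("/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/", $_POST['pass1'])) {
+$this->addErrorMessage("Your new password must be at least 8 characters and contain both numbers ".
+"and letters. Your password has not been changed.", 'password' );
 } else {
 // verify CSRF token
 $this->validateCSRFToken();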
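Review bot: The policy regex `/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/` is now pasted verbatim into both authControl() here and RegisterController::control(), with no shared definition, so the two entry points can drift apart silently the next time the policy changes (their messages already differ in wording). Hoist the pattern into one place both controllers call, e.g. a class constant `const PASSWORD_PATTERN = '/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/';` or a static `isPasswordAcceptable($password)` helper on a class both already load, and give it a comment stating the rule in words: `// at least 8 characters, with at least one letter and one digit`. Note also that a letters-plus-digits composition rule stops very little on its own ('password1' passes); a check against a short list of common passwords would add more than the composition rule does, which is outside this commit but worth filing. authControl() starts and ends outside the hunk.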
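--- a/webapp/_lib/controller/class.RegisterController.php
+++ b/webapp/_lib/controller/class.RegisterController.php
@@ -91,8 +91,9 @@ public function control(){
 if (strcmp($_POST['pass1'], $_POST['pass2']) || empty($_POST['pass1'])) {
 $this->addErrorMessage("Passwords do not match.", 'password');
 $valid_input = false;
-} else if (strlen($_POST['pass1']) < 5) {
-$this->addErrorMessage("Password must be at least 5 characters.", 'password');
+} else if (!preg_match("/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/", $_POST['pass1'])) {
+$this->addErrorMessage("Password must be at least 8 characters and contain both numbers ".
+"and letters.", 'password');
 $valid_input = false;
 }
 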
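Review bot: The new check in control() measures bytes, not characters: the pattern has no `u` modifier, so `.{8,}` counts each byte of a multibyte UTF-8 character separately and a password of fewer than eight visible characters can satisfy the minimum (the old `strlen()` had the same flaw, but the message now promises "8 characters"). Use `preg_match("/^(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/u", $_POST['pass1'])`; with `u`, preg_match() returns false rather than 0 on malformed UTF-8 and the `!` then rejects the value, which is the safe direction but deserves a one-line comment so nobody treats it as a bug. The `^` anchor changes nothing in practice, since the lookaheads already decide at the first position, but it makes the intent explicit. control() starts and ends outside the hunk.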
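--- a/webapp/_lib/view/account.index.tpl
+++ b/webapp/_lib/view/account.index.tpl
@@ -109,7 +109,7 @@
 <div class="ui-state-highlight ui-corner-all" style="margin: 10px 0px 10px 0px; padding: .5em 0.7em;">
 <p>
 <span class="ui-icon ui-icon-info" style="float: left; margin:.3em 0.3em 0 0;"></span>
-Must be at least 5 characters.
+8 characters with numbers and letters.
 </p>
 </div>
 </div>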
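Review bot: The new hint `8 characters with numbers and letters.` reads as an exact length, while the controller enforces a minimum of eight and the registration template changed in this same commit says "At least 8 characters". Change it to `At least 8 characters, with both numbers and letters.` so both hints and the error message state the same rule.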
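--- a/webapp/_lib/view/session.register.tpl
+++ b/webapp/_lib/view/session.register.tpl
@@ -56,7 +56,7 @@
 <input name="pass1" type="password" id="pass1">
 <small>
 <br>
-At least 5 characters
+At least 8 characters and a mix of numbers and letters.
 </small>
 </div>
 </div>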
