Password confirmation for some actions #1447
Conversation
nickvergessen
added
2. developing
nickvergessen
force-pushed
the
password-confirmation-for-some-actions
branch
from
a8ae639 to
875af94
Compare
|
@nickvergessen What state is this? 2 or 3? |
|
Both, because @LukasReschke should already have a look at it, while I develop the rest 😛 |
nickvergessen
force-pushed
the
password-confirmation-for-some-actions
branch
from
55b717f to
616e840
Compare
|
@MorrisJobke can you have a look? Currently when you open the user management, then the settings section and toggle "show storage location" that doesn't work. For easier testing set down the confirmation time to 10 seconds instead of 30 minutes: diff --git a/core/js/js.js b/core/js/js.js
index e423b6e..89426cc 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1536,6 +1536,7 @@ OC.PasswordConfirmation = {
requiresPasswordConfirmation: function() {
var timeSinceLogin = moment.now() - nc_lastLogin * 1000;
+ return timeSinceLogin > 10 * 1000; // 30 minutes
return timeSinceLogin > 30 * 60 * 1000; // 30 minutes
},
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 981232f..7e385b9 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -147,7 +147,8 @@ class SecurityMiddleware extends Middleware {
if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
$lastConfirm = (int) $this->session->get('last-password-confirm');
- if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ if ($lastConfirm < (time() - 10)) { // allow 15 seconds delay
+ //if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
throw new NotConfirmedException();
}
}
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index b9958be..35ac36c 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -29,7 +29,8 @@ OC_JSON::checkSubAdminUser();
OCP\JSON::callCheck();
$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
-if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+if ($lastConfirm < (time() - 10)) { // allow 15 seconds delay
+//if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
$l = \OC::$server->getL10N('core');
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
exit();
diff --git a/settings/ajax/togglesubadmins.php b/settings/ajax/togglesubadmins.php
index 5658a38..eb79ced 100644
--- a/settings/ajax/togglesubadmins.php
+++ b/settings/ajax/togglesubadmins.php
@@ -25,7 +25,8 @@ OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
-if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+if ($lastConfirm < (time() - 10)) { // allow 15 seconds delay
+//if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
$l = \OC::$server->getL10N('core');
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
exit(); |
| $dataLocation = false; | ||
| } | ||
|
|
||
| $lastConfirmTimestamp = $user->getLastLogin(); | ||
| $sessionTime = \OC::$server->getSession()->get('last-password-confirm'); |
There was a problem hiding this comment.
This is kinda often used and seems error-prone. Maybe let's add that to OCP\IUser as new method? isSudoMode() : bool or so?
There was a problem hiding this comment.
Would introduce a new dependency on ISession in the User class though. Anyhow, I think we should abstract that away in some other class. Also it's own helper class is fine in the OC\Security namespace.
There was a problem hiding this comment.
Well it's used 3 times and in legacy code (ajax endpoints which don't use controller).
Once the legacy is gone, only the annotation is used, so I think the 3 appearances are fine.
nickvergessen
force-pushed
the
password-confirmation-for-some-actions
branch
from
739cbe1 to
4526f3c
Compare
|
@MorrisJobke I fail to get the quota and the email thing covered, can you try it? |
|
|
nickvergessen
force-pushed
the
password-confirmation-for-some-actions
branch
from
91ba596 to
00da391
Compare
Current coverage is 57.97% (diff: 13.00%)@@ master #1447 diff @@
==========================================
Files 1169 1170 +1
Lines 70226 71253 +1027
Methods 7178 7374 +196
Messages 0 0
Branches 1205 1237 +32
==========================================
+ Hits 40433 41309 +876
- Misses 29793 29944 +151
Partials 0 0
|
|
Should be ready to review now, only thing left is that you can't submit with enter, but @ChristophWurst will take care of that soon. |
nickvergessen
added
3. to review
rullzer
force-pushed
the
password-confirmation-for-some-actions
branch
from
81fb5b7 to
4118be3
Compare
|
|
Please use the modal we use everywhere else. This doesn’t work on mobile at all, and we don’t need a second implementation to maintain & style. ;) |
| @@ -22,7 +22,6 @@ | |||
| .oc-dialog-buttonrow { | |||
| display: block; | |||
| background: transparent; | |||
| position: absolute; | |||
There was a problem hiding this comment.
@jancborchardt this was required because the password field was not clickable since the button row was overlaying it. Maybe you can have a look at the design a bit.
There was a problem hiding this comment.
Eeeh this will mess with other dialogs like the move dialog. 👎
Will need to check it out
|
@nickvergessen conflicts 🙈 |
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Joas Schilling <coding@schilljs.com>
LukasReschke
force-pushed
the
password-confirmation-for-some-actions
branch
from
7bcea46 to
8d33d76
Compare
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
MorrisJobke
force-pushed
the
password-confirmation-for-some-actions
branch
from
e3f99b6 to
8ef356a
Compare
* properly handle user management actions like display name, email or password field change Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
Tested and works 👍 |
MorrisJobke
added
4. to release
| }, | ||
|
|
||
| requiresPasswordConfirmation: function() { | ||
| var timeSinceLogin = moment.now() - nc_lastLogin * 1000; | ||
| return timeSinceLogin > 10 * 1000; // 30 minutes |
There was a problem hiding this comment.
liar 🙈
FF reports "unreachable code after return statement" on master
when performing certain actions, we want to make sure, that the user is actually the user.
Therefor we require a password confirmation, e.g. when changing the email address.
ToDo
Enterkey@LukasReschke @MorrisJobke