[koha-commits] main Koha release repository branch master updated. v17.05.00-839-g9416fdc
Git repo owner
gitmaster at git.koha-community.org
Mon Oct 16 15:05:28 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 9416fdca36f98860fca285dcb77835a0d702f401 (commit)
via 9136c3dbf89aa824dcc7e848dcf2c7aeb41235f8 (commit)
via 3f9da34683d7f87570e73b5c401a1a0e4a8604ac (commit)
via f2a1b215dd27c6cb9ed1b45a0613886843c6ba7d (commit)
via ec4e666bc52b20089f3720d2e2d523fbdcfcf2eb (commit)
via ac50959dcf99739007907e8549ca22cdd0b97532 (commit)
via 7cc65af6ffdabbabe7ae3463f51096de375216ad (commit)
via 558a809144560198c7febac4998f49c56c45c844 (commit)
via a93fef4c71d405fb7548e7d2601320ed0512d27c (commit)
via e7a805691fdae884e6782c29e096ba2d476ef688 (commit)
from a82d54d4b4f5eb7aa7d45afc13dac0a80c86f9ce (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9416fdca36f98860fca285dcb77835a0d702f401
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Mon Oct 16 09:57:26 2017 -0300
Bug 18298: DBRev 17.06.00.016
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 9136c3dbf89aa824dcc7e848dcf2c7aeb41235f8
Author: Tomas Cohen Arazi <tomascohen at theke.io>
Date: Fri Oct 13 16:42:03 2017 -0300
Bug 18298: (QA followup) Use Koha.Preference on the template
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 3f9da34683d7f87570e73b5c401a1a0e4a8604ac
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Mar 16 23:03:20 2017 -0300
Bug 18298: Add server-side checks and refactor stuffs
Now that we have a check client-side, nothing prevents a smart guy from
bypassing it and forcing an invalid password.
This patch adds two new subroutines to Koha::AuthUtils to check the
validity of passwords and generate a password server-side. It is used
only once (self-registration) but could be useful later.
Moreover the 3 different cases of password rejection (too weak, too
short, contains leading or trailing whitespaces) were not tested
everywhere. Now they are!
This patch makes things consistent everywhere and cleans up some code.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit f2a1b215dd27c6cb9ed1b45a0613886843c6ba7d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Mar 16 23:02:13 2017 -0300
Bug 18298: minPasswordLength should not be used as the default password length
The length of the passwords generated for a patron should not be as long
as the value of minPasswordLength.
It is the minimum required size of a password, not the maximum!
So let's fix it to 8 if the minPasswordLength is < 8, that sounds
reasonable and less risky for patrons.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit ec4e666bc52b20089f3720d2e2d523fbdcfcf2eb
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Mar 16 23:01:34 2017 -0300
Bug 18298: minPasswordLength should not be < 3
Indeed if RequireStrongPassword is set we need at least 3 characters to
match 1 upper, 1 lower and 1 digit.
We could make things more complicated to allow minPasswordLength < 3
but, really, 3 is already too low...
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit ac50959dcf99739007907e8549ca22cdd0b97532
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Mar 16 23:00:28 2017 -0300
Bug 18298: Move password generation to template side
This patch removes a really ugly way to generate a password: the whole
template was sent and parsed to retrieve the "#defaultnewpassfield" node.
To avoid the password being sent in plain text it is certainly better to
generate it client-side.
The same kind of passwords will be generated: 0-9a-zA-Z
The while loop prevents getting an invalid generated password.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 7cc65af6ffdabbabe7ae3463f51096de375216ad
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Mar 16 22:59:51 2017 -0300
Bug 18298: Use the validate jQuery plugin
To validate password fields we need to use the validate jQuery plugin.
To make things reusable this patch adds a new include file
'password_check.inc' at the intranet and opac sides, it creates 3 new
validation methods:
- password_strong => make sure the passwords are strong enough according
to the values of the RequireStrongPassword and minPasswordLength prefs
- password_no_spaces => prevent passwords from being entered with leading or
trailing spaces
- password_match => make sure both password fields match
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 558a809144560198c7febac4998f49c56c45c844
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Mar 14 20:01:27 2017 -0300
Bug 18298: Enforce password complexity
This patchset prevents users from entering too weak a password, controlled by
a new syspref RequireStrongPassword. If set the staff and patrons will have
to enter a strong password.
The strongness cannot be modified, it has been arbitrarily set (by the
author of this enhancement) to at least 1 lowercase, 1 uppercase and 1
digit. This can be reinforced by increasing the value of the existing
minPasswordLength pref.
I decided to turn this feature on, it cannot hurt! For existing installs
it will have to be turned on manually.
Writing these patches I found a lot of inconsistencies all around the
password checks and decided to refactor everything to make things
consistent and more robust.
Now the password validity is checked at only one place (subroutine
covered by tests).
Test plan:
We have several places where a password can be changed/created:
a. Editing a patron (members/memberentry.pl)
b. Changing the password of a patron (members/member-password.pl)
c. Changing your own password at the opac (opac/opac-passwd.pl).
OpacPasswordChange needs to be set
d. Resetting your own password at the opac
(opac/opac-password-recovery.pl). OpacResetPassword needs to be set,
see "Forgot your password?" link when you are not logged in
e. Self registration feature, PatronSelfRegistration needs to be set.
You will also need to add 'password' to PatronSelfRegistrationBorrowerMandatoryField.
Note that '****' is considered by Koha internally to mean that the password is
not changed (existing behavior).
To fully test this patch you will need to test the different
combinations of RequireStrongPassword and minPasswordLength.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit a93fef4c71d405fb7548e7d2601320ed0512d27c
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed Sep 27 13:55:30 2017 -0300
Bug 19373: CAS logout - Redirect to the previous page (Intranet)
Signed-off-by: Matthias Meusburger <matthias.meusburger at biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit e7a805691fdae884e6782c29e096ba2d476ef688
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed Oct 11 12:15:01 2017 -0300
Bug 19373: Update tests
Signed-off-by: Matthias Meusburger <matthias.meusburger at biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
-----------------------------------------------------------------------
Summary of changes:
C4/Auth.pm | 3 +
C4/Auth_with_cas.pm | 8 +-
Koha.pm | 2 +-
Koha/AuthUtils.pm | 48 +++++++++
installer/data/mysql/sysprefs.sql | 1 +
installer/data/mysql/updatedatabase.pl | 11 +++
.../prog/en/includes/password_check.inc | 25 +++++
.../prog/en/modules/admin/preferences/patrons.pref | 7 ++
.../prog/en/modules/members/member-password.tt | 104 ++++++++++++--------
.../prog/en/modules/members/memberentrygen.tt | 39 ++++++--
koha-tmpl/intranet-tmpl/prog/js/members.js | 14 ---
.../bootstrap/en/includes/password_check.inc | 25 +++++
.../bootstrap/en/modules/opac-memberentry.tt | 45 ++++++---
.../opac-tmpl/bootstrap/en/modules/opac-passwd.tt | 42 ++++++--
.../bootstrap/en/modules/opac-password-recovery.tt | 11 ++-
members/member-password.pl | 26 ++---
members/memberentry.pl | 16 ++-
opac/opac-memberentry.pl | 17 ++--
opac/opac-passwd.pl | 59 ++++++-----
opac/opac-password-recovery.pl | 58 +++++------
t/AuthUtils.t | 49 ++++++++-
t/db_dependent/Auth_with_cas.t | 3 +-
22 files changed, 428 insertions(+), 185 deletions(-)
create mode 100644 koha-tmpl/intranet-tmpl/prog/en/includes/password_check.inc
create mode 100644 koha-tmpl/opac-tmpl/bootstrap/en/includes/password_check.inc
hooks/post-receive
--
main Koha release repository
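
The password rules described in the Bug 18298 commit messages above, written out as an added example that is not part of the original email and is not Koha's code. The function names, the `minLength`/`requireStrong` option names, the rejection reason strings and the order of the checks are assumptions; the same checks would have to run again server-side, since the client-side ones can be bypassed.

```javascript
// Added illustration; all names here are hypothetical, not Koha's.
// Web Crypto: global in browsers and recent Node, module fallback for older Node.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Same alphabet the commit message names for generated passwords: 0-9a-zA-Z
const CHARSET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Returns null when the password is acceptable, otherwise a rejection reason
// (reason strings are constructed for this example).
function checkPassword(password, { minLength, requireStrong }) {
  // A minimum below 3 cannot satisfy 1 lowercase + 1 uppercase + 1 digit.
  const min = Math.max(minLength, 3);
  if (password !== password.trim()) return 'has_whitespaces';
  if (password.length < min) return 'too_short';
  if (requireStrong &&
      !(/[a-z]/.test(password) && /[A-Z]/.test(password) && /[0-9]/.test(password))) {
    return 'too_weak';
  }
  return null;
}

// Pick one character without modulo bias: 248 is the largest multiple of 62
// that fits in a byte, so bytes >= 248 are discarded and redrawn.
function randomChar() {
  const buf = new Uint8Array(1);
  for (;;) {
    rng.getRandomValues(buf);
    if (buf[0] < 248) return CHARSET[buf[0] % CHARSET.length];
  }
}

// Generated passwords are at least 8 characters even when the configured
// minimum is lower; the loop redraws until the candidate passes the same
// check applied to user-entered passwords.
function generatePassword(prefs) {
  const length = Math.max(prefs.minLength, 8);
  let candidate;
  do {
    candidate = Array.from({ length }, randomChar).join('');
  } while (checkPassword(candidate, prefs) !== null);
  return candidate;
}
```
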