AAIT#30302 'Wachtwoord vergeten' ook mogelijk zonder wachtwoord

svn path=/Website/trunk/; revision=24420
This commit is contained in:
Jos Groot Lipman
2015-03-12 10:01:04 +00:00
parent d5a3ceab1d
commit d582c383fb
5 changed files with 11 additions and 8 deletions


@@ -144,9 +144,9 @@ IFACE.FORM_END();
<%
var buttons = [];
if (theUser == user_key || xfunc.canWrite("WEB_PRSSYS") || xfunc.canWrite("WEB_FACMGT"))
if (!isExpired && (theUser == user_key || xfunc.canWrite("WEB_PRSSYS") || xfunc.canWrite("WEB_FACMGT")))
buttons.push({title: L("lcl_delete_sessions"), icon:"../Pictures/reject.png", action:"doClearSessions()"});
if (xfunc.canWrite("WEB_PRSSYS") || xfunc.canWrite("WEB_FACMGT"))
if (!isExpired && (xfunc.canWrite("WEB_PRSSYS") || xfunc.canWrite("WEB_FACMGT")))
buttons.push({title: L("lcl_delete_password"), icon:"../Pictures/undo.png", action:"doClearPassword()"});
buttons.push({title: L("lcl_submit"), icon:"../Pictures/opslaan.png", action:"doOK()"});
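Review bot: The added `!isExpired &&` guards on the two `if` lines only decide whether the "delete sessions" and "delete password" buttons are rendered; unless the handlers behind `doClearSessions()` and `doClearPassword()` (not in this hunk) apply the same expired check server-side, the actions stay reachable by submitting the request directly, so hiding the buttons is presentation, not authorization. If that enforcement exists elsewhere, a comment on these lines such as `// UI only: the clear-session/clear-password handlers re-check isExpired server-side` would make that explicit for the next reader. Both `if` bodies are single unbraced statements split over two lines; braces would match the rest of the `buttons` construction. The enclosing script block starts before the hunk.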


@@ -19,7 +19,7 @@ var ANONYMOUS_Allowed = 1; // nog heel even
<!-- #include file="../Shared/common.inc" -->
<!-- #include file="../Shared/login.inc" -->
<%
if (S("email_password") != 1)
if (!S("email_password"))
shared.simpel_page(L("lcl_no_auth"));
protectQS.verify({ expire: 1 }); // tamper check. HMAC is *net* gezet door shorturl.asp dus 1 minuut is nog heel ruim
@@ -34,6 +34,9 @@ Oracle.Execute(sql);
doLogin(user_key);
if (!user.haspw() && S("email_password") == 1) // Welbeschouwd was de link toch al nooit gestuurd. Paranoia dus.
shared.simpel_page(L("lcl_no_auth"));
Session("must_reset_password") = 1; // Alle schermen sturen je nu naar pchange.asp
Response.Redirect(rooturl + "/appl/prs/pchange.asp?expired=1");
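Review bot: In the second hunk the guard `if (!user.haspw() && S("email_password") == 1)` runs after `doLogin(user_key)`, so a request rejected here has already been given an authenticated session before `shared.simpel_page` ends the page; if `user.haspw()` can be evaluated before login (or the answer is available from the row fetched by the `Oracle.Execute(sql)` above the hunk), moving the check ahead of `doLogin` closes that window, and otherwise the rejected path should drop the session it just created. This line is also the only place in the commit that encodes the difference between the two enabled values; a comment beside it, `// email_password: 1 = link only for accounts that already have a password, 2 = also without one`, would record the mapping where it matters. The first hunk's `!S("email_password")` is consistent with that reading. The enclosing script block starts before the hunk and its later lines are not shown.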


@@ -106,7 +106,7 @@ checkUserAgent(); // heeft device capability bits gezet
buttons = [ { title: L("lcl_logon"), action: "do_submit()" } ];
if (S("fac_emailtoken_auth_expire") > 0 && device.test(device.isMobile))
buttons.push ({ title: L("lcl_token2email"), action: "token2mail()" });
else if (S("email_password") == 1) {
else if (S("email_password") > 0) {
buttons.push ({ title: L("lcl_password_to_email"), action: "passwrd2mail()" });
}
if (S("self_register") == 1) {
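Review bot: `else if (S("email_password") > 0)` is yet another spelling of the same enabled-test that the other sections of this commit write as `!S("email_password")`, `== 1` and `!= 2`; the forms appear equivalent for numeric values, but keeping one form everywhere, `else if (S("email_password")) {`, or routing all of them through a single helper, keeps the 0/1/2 semantics of the setting in one place instead of four. The `if (S("self_register") == 1) {` block at the end of the hunk continues past it.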


@@ -32,7 +32,7 @@ ANONYMOUS_Allowed = 1;
<%
var mode = "A";
if (S("email_password") != 1)
if (!S("email_password"))
shared.simpel_page(L("lcl_no_auth"));
%>


@@ -23,7 +23,7 @@ protectRequest.validateToken();
var mode = getFParam("mode", "A");
if ((mode == "A" && S("email_password") != 1) ||
if ((mode == "A" && !S("email_password")) ||
(mode == "B" && S("fac_emailtoken_auth_expire") == 0))
{
abort_with_warning(L("lcl_no_auth"));
@@ -36,7 +36,7 @@ var sql = "SELECT prs_perslid_key, prs_perslid_flags, prs_perslid_email"
+ " WHERE (UPPER(prs_perslid_email) = " + safe.quoted_sql_upper(emailOrLogin)
+ " OR UPPER(prs_perslid_oslogin) = " + safe.quoted_sql_upper(emailOrLogin) + ")"
+ " AND prs_perslid_oslogin IS NOT NULL";
if (mode == "A")
if (mode == "A" && S("email_password") != 2) // Bij setting 2 hoef je geen oud wachtwoord te hebben
sql += " AND prs_perslid_wachtwoord_hash IS NOT NULL";
var oRs = Oracle.Execute(sql);
@@ -46,7 +46,7 @@ if (oRs.eof)
// SILENCE! (e-mail harvesting) Response.Write(L("lcl_pass2emailunknown"));
// Gewoon altijd dezelfde tekst
result.warning = L("lcl_pass2emailsent") + emailOrLogin;
__DoLog("Wachtwoord vergeten, gebruiker niet gevonden: " + emailOrLogin);
__DoLog("Wachtwoord vergeten, gebruiker niet gevonden of had geen wachtwoord: " + emailOrLogin);
}
else if ((oRs("prs_perslid_flags").Value & 2) == 2)
result.warning = L("lcl_self_register_unconfirmed");
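Review bot: The widened log text in the third hunk, `gebruiker niet gevonden of had geen wachtwoord`, is only accurate while the second hunk's new condition `S("email_password") != 2` still appends the `prs_perslid_wachtwoord_hash IS NOT NULL` filter; under setting 2 a password-less account is returned by the query and never reaches the `oRs.eof` branch, so the message would then name a cause that cannot have occurred. Tying the text to the same condition keeps the log truthful: `__DoLog("Wachtwoord vergeten, gebruiker niet gevonden" + (S("email_password") != 2 ? " of had geen wachtwoord" : "") + ": " + emailOrLogin);`. A one-line comment at the new SQL condition is also worth adding, since under setting 2 the only remaining gates before the mail is sent are the `prs_perslid_oslogin IS NOT NULL` clause and the unconfirmed-registration flag check on the lines below, which by design makes accounts whose password was cleared reachable through this flow. The `if/else if` chain continues past the end of the hunk.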