[aur-dev] [PATCH] Show hint if password is empty during login
A user might have an empty password due to two reasons: * The user just created an account and needs to set an initial password. * The password has been reset by the administrator. In both cases, the user might be confused as to why the login does not work. Add a message that helps users debug the issue in both cases. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index aa4c70b..28f9f93 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -486,8 +486,16 @@ function try_login() { else { $login_error = "Error trying to generate session id."; } - } - else { + } elseif (passwd_is_empty($userID)) { + $login_error = __('Your password has been reset. ' . + 'If you just created a new account, please ' . + 'use the link from the confirmation email ' . + 'to set an initial password. Otherwise, ' . + 'please request a reset key on the %s' . + 'Password Reset%s page.', '<a href="' . + htmlspecialchars(get_uri('/passreset')) . '">', + '</a>'); + } else { $login_error = __("Bad username or password."); } } @@ -746,6 +754,27 @@ function valid_passwd($userID, $passwd) { } /** + * Determine if a user's password is empty + * + * @param string $uid The user ID to check for an empty password + * + * @return bool True if the user's password is empty, otherwise false + */ +function passwd_is_empty($uid) { + $dbh = DB::connect(); + + $q = "SELECT * FROM Users WHERE ID = " . $dbh->quote($uid) . " "; + $q .= "AND Passwd = " . $dbh->quote(''); + $result = $dbh->query($q); + + if ($result->fetchColumn()) { + return true; + } else { + return false; + } +} + +/** * Determine if the PGP key fingerprint is valid (must be 40 hexadecimal digits) * * @param string $fingerprint PGP fingerprint to check if valid -- 1.8.2.411.g65a544e
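Review bot: In the try_login() hunk, the new `elseif (passwd_is_empty($userID))` branch answers with a different message than the generic "Bad username or password." in the final else, so the login form now tells any unauthenticated visitor that the submitted account exists and currently has no password set. If that disclosure is an accepted trade-off for usability, the commit message should say so; otherwise keep the generic error and put the reset hint somewhere that does not depend on account state, such as static text next to the login form. Two smaller points in the same branch: the text opens with "Your password has been reset." even for a freshly created account where nothing was reset, and it is the only $login_error value in this hunk that carries HTML (the `<a href=...>` pair), so the place that prints $login_error has to output it unescaped while the other messages remain safe under the same handling.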
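Review bot: In passwd_is_empty(), `if ($result->fetchColumn())` tests the truthiness of the first column of a `SELECT *` row, so the answer depends on the column order of Users and on that column's value rather than on whether a row matched, and the return value of `$dbh->query($q)` is not checked before fetchColumn() is called on it. Selecting `COUNT(*)` and comparing the fetched count with zero makes the check explicit, lets the if/else collapse into a single return of that comparison, and a failed query should be handled before the fetch. The docblock declares `@param string $uid` for what is a user ID compared against the ID column; document the type that callers such as try_login() actually pass.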
On Mon, Mar 25, 2013 at 02:19:21AM +0100, Lukas Fleischer wrote:
A user might have an empty password due to two reasons:
* The user just created an account and needs to set an initial password.
* The password has been reset by the administrator.
In both cases, the user might be confused as to why the login does not work. Add a message that helps users debug the issue in both cases.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-)
Note that this already breaks the string freeze. I pushed an updated source file to Transifex. The freeze still ends on 2013-03-26.
[...]
On Mon, Mar 25, 2013 at 02:19:21AM +0100, Lukas Fleischer wrote:
A user might have an empty password due to two reasons:
* The user just created an account and needs to set an initial password.
* The password has been reset by the administrator.
In both cases, the user might be confused as to why the login does not work. Add a message that helps users debug the issue in both cases.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-)
[...] + + $q = "SELECT * FROM Users WHERE ID = " . $dbh->quote($uid) . " ";
Also note that "SELECT *" should be converted into "SELECT COUNT(*)" for performance reasons. There are lots of other places where we currently use "SELECT *" to check the number of results -- I will take care of all these in a separate patch after 2.2.0 is released.
+ $q .= "AND Passwd = " . $dbh->quote(''); + $result = $dbh->query($q); + + if ($result->fetchColumn()) { + return true; + } else { + return false; + } +} + +/** * Determine if the PGP key fingerprint is valid (must be 40 hexadecimal digits) * * @param string $fingerprint PGP fingerprint to check if valid -- 1.8.2.411.g65a544e