Add admin config force_renew_password_at_first_login BT#18811

jmontoyaa · jmontoyaa · commit f06ca10afb17 · 2021-06-11T09:22:39.000+02:00
diff --git a/main/auth/reset.php b/main/auth/reset.php
@@ -1,9 +1,10 @@
 <?php
+
 /* For license terms, see /license.txt */
 
 require_once __DIR__.'/../inc/global.inc.php';
 
-$token = isset($_GET['token']) ? $_GET['token'] : '';
+$token = $_GET['token'] ?? '';
 
 if (!ctype_alnum($token)) {
     $token = '';
@@ -37,6 +38,7 @@
 
     /** @var \Chamilo\UserBundle\Entity\User $user */
     $user = UserManager::getManager()->findUserByConfirmationToken($token);
+
     if ($user) {
         if (!$user->isPasswordRequestNonExpired($ttl)) {
             Display::addFlash(Display::return_message(get_lang('LinkExpired')), 'warning');
@@ -54,6 +56,14 @@
         Database::getManager()->persist($user);
         Database::getManager()->flush();
 
+        if (api_get_configuration_value('force_renew_password_at_first_login')) {
+            $extraFieldValue = new ExtraFieldValue('user');
+            $value = $extraFieldValue->get_values_by_handler_and_field_variable($user->getId(), 'ask_new_password');
+            if (!empty($value) && isset($value['value']) && 1 === (int) $value['value']) {
+                $extraFieldValue->delete($value['id']);
+            }
+        }
+
         Display::addFlash(Display::return_message(get_lang('Updated')));
         header('Location: '.api_get_path(WEB_PATH));
         exit;
diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php
@@ -7319,4 +7319,32 @@ private static function getGravatar(
 
         return $url;
     }
+
+    public static function redirectToResetPassword($userId)
+    {
+        if (!api_get_configuration_value('force_renew_password_at_first_login')) {
+            return;
+        }
+
+        $askPassword = self::get_extra_user_data_by_field(
+            $userId,
+            'ask_new_password'
+        );
+
+        if (!empty($askPassword) && isset($askPassword['ask_new_password']) &&
+            1 === (int) $askPassword['ask_new_password']
+        ) {
+            $uniqueId = api_get_unique_id();
+            $userObj = api_get_user_entity($userId);
+
+            $userObj->setConfirmationToken($uniqueId);
+            $userObj->setPasswordRequestedAt(new \DateTime());
+
+            Database::getManager()->persist($userObj);
+            Database::getManager()->flush();
+
+            $url = api_get_path(WEB_CODE_PATH).'auth/reset.php?token='.$uniqueId;
+            api_location($url);
+        }
+    }
 }
diff --git a/main/inc/local.inc.php b/main/inc/local.inc.php
@@ -516,6 +516,7 @@
                                     if (is_array($my_url_list) &&
                                         in_array($current_access_url_id, $my_url_list)
                                     ) {
+                                        UserManager::redirectToResetPassword($uData['user_id']);
                                         ConditionalLogin::check_conditions($uData);
 
                                         $_user['user_id'] = $uData['user_id'];
@@ -536,9 +537,9 @@
                                         exit;
                                     }
                                 } else {
-                                    //Only admins of the "main" (first) Chamilo portal can login wherever they want
+                                    // Only admins of the "main" (first) Chamilo portal can login wherever they want
                                     if (in_array(1, $my_url_list)) {
-                                        //Check if this admin have the access_url_id = 1 which means the principal
+                                        // Check if this admin have the access_url_id = 1 which means the principal
                                         ConditionalLogin::check_conditions($uData);
                                         $_user['user_id'] = $uData['user_id'];
                                         $_user['status'] = $uData['status'];
@@ -548,6 +549,7 @@
                                     } else {
                                         //This means a secondary admin wants to login so we check as he's a normal user
                                         if (in_array($current_access_url_id, $my_url_list)) {
+                                            UserManager::redirectToResetPassword($uData['user_id']);
                                             $_user['user_id'] = $uData['user_id'];
                                             $_user['status'] = $uData['status'];
                                             Session::write('_user', $_user);
@@ -566,6 +568,7 @@
                                     }
                                 }
                             } else {
+                                UserManager::redirectToResetPassword($uData['user_id']);
                                 ConditionalLogin::check_conditions($uData);
                                 $_user['user_id'] = $uData['user_id'];
                                 $_user['status'] = $uData['status'];
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
@@ -1945,6 +1945,10 @@
 // Disable webservices.
 //$_configuration['disable_webservices'] = true;
 
+// Ask user to renew password at first login.
+// Requires a user checkbox extra field called "ask_new_password".
+//$_configuration['force_renew_password_at_first_login'] = true;
+
 // KEEP THIS AT THE END
 // -------- Custom DB changes
 // Add user activation by confirmation email
