Merge pull request #8662 from snipe/features/disallow_password_equal_to_username_etc

Fixed #8661 - Added feature to disallow password equal to username, email, etc
2025-03-05 20:52:15 -08:00 · 2020-11-02 21:09:31 -08:00 · 2020-11-02 21:09:31 -08:00 · a8f9f5239c
parent 33bda9b6d1 63bb2de4d4
commit a8f9f5239c
4 changed files with 61 additions and 2 deletions
--- a/app/Http/Controllers/ProfileController.php
+++ b/app/Http/Controllers/ProfileController.php
@ -156,6 +156,29 @@ class ProfileController extends Controller
            if (!Hash::check($request->input('current_password'), $user->password)) {
                $validator->errors()->add('current_password', trans('validation.hashed_pass'));
            }
+
+            // This checks to make sure that the user's password isn't the same as their username,
+            // email address, first name or last name (see https://github.com/snipe/snipe-it/issues/8661)
+            // While this is handled via SaveUserRequest form request in other places, we have to do this manually
+            // here because we don't have the username, etc form fields available in the profile password change
+            // form.
+
+            // There may be a more elegant way to do this in the future.
+
+            // First let's see if that option is enabled in the settings
+            if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields')) {
+                \Log::debug('disallow_same_pwd_as_user_fields is ON');
+                if (($request->input('password') == $user->username) ||
+                    ($request->input('password') == $user->email) ||
+                    ($request->input('password') == $user->first_name) ||
+                    ($request->input('password') == $user->last_name))
+                {
+                    $validator->errors()->add('password', trans('validation.disallow_same_pwd_as_user_fields'));
+                }
+            }
+
+
+
            
        });

--- a/app/Providers/ValidationServiceProvider.php
+++ b/app/Providers/ValidationServiceProvider.php
@ -91,6 +91,42 @@ class ValidationServiceProvider extends ServiceProvider
        });


+        // This ONLY works for create/update user forms, since the Update Profile Password form doesn't
+        // include any of these additional validator fields
+        Validator::extend('disallow_same_pwd_as_user_fields', function ($attribute, $value, $parameters, $validator) {
+            
+            $data = $validator->getData();
+
+            if (array_key_exists("username", $data)) {
+                if ($data['username'] == $data['password']) {
+                    return false;
+                }
+            }
+
+            if (array_key_exists("email", $data)) {
+                if ($data['email'] == $data['password']) {
+                    return false;
+                }
+            }
+
+            if (array_key_exists("first_name", $data)) {
+                if ($data['first_name'] == $data['password']) {
+                    return false;
+                }
+            }
+
+            if (array_key_exists("last_name", $data)) {
+                if ($data['last_name'] == $data['password']) {
+                    return false;
+                }
+            }
+
+
+           return true;
+
+
+        });
+
        Validator::extend('letters', function ($attribute, $value, $parameters) {
            return preg_match('/\pL/', $value);
        });
--- a/resources/lang/en/validation.php
+++ b/resources/lang/en/validation.php
@ -99,7 +99,7 @@ return array(
    'url'                  => 'The :attribute format is invalid.',
    "unique_undeleted"     => "The :attribute must be unique.",
    "import_field_empty"   => "The value of the Import Field shouldn't be empty",
-    "same_pwd_as_user_fields" => 'The password cannot be the same as the username, email address, or first or last name.',
+    "disallow_same_pwd_as_user_fields" => 'The password cannot be the same as the username, email address, or first or last name.',

    /*
    |--------------------------------------------------------------------------
--- a/resources/views/settings/security.blade.php
+++ b/resources/views/settings/security.blade.php
@ -99,7 +99,7 @@
                            </div>
                            <div class="col-md-9">

-                                {{ Form::checkbox("pwd_secure_complexity['same_pwd_as_user_fields']", 'same_pwd_as_user_fields', old('same_pwd_as_user_fields', strpos($setting->pwd_secure_complexity, 'same_pwd_as_user_fields')!==false), array('class' => 'minimal', 'aria-label'=>'pwd_secure_complexity')) }}
+                                {{ Form::checkbox("pwd_secure_complexity['disallow_same_pwd_as_user_fields']", 'disallow_same_pwd_as_user_fields', old('disallow_same_pwd_as_user_fields', strpos($setting->pwd_secure_complexity, 'disallow_same_pwd_as_user_fields')!==false), array('class' => 'minimal', 'aria-label'=>'pwd_secure_complexity')) }}
                                Password cannot be the same as first name, last name, email, or username<br>