
rt branch, 5.0/disable-password-option-for-authtoken, created. rt-5.0.0-2-geada50f406
The branch, 5.0/disable-password-option-for-authtoken has been created
at eada50f40613a7651bd1d315e091ee899e489fa5 (commit)

- Log -----------------------------------------------------------------
commit eada50f40613a7651bd1d315e091ee899e489fa5
Author: Aaron Trevena <ast@bestpractical.com>
Date: Wed Jun 24 10:00:30 2020 +0100

Add config option to disable password for auth tokens

Added and documented a new configuration option to not require a password
when adding a new auth token; this solves problems with requiring a password
in a hybrid RT where both external and local accounts are used.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..b2aa8d51f0 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,6 +31,14 @@ your RT Apache configuration to allow RT to access the Authorization header.

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line
+in RT_SiteConfig.pm :
+
+ Set($DisablePasswordForAuthToken, 1);
+
+
You can find more information about tokens in L<RT::Authen::Token>.

=head1 External Authentication
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index a7301b3436..4868ce1485 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1476,8 +1476,19 @@ fail to exist in an external service; this is so requestors who
are not in LDAP can still be created when they email in.
See L<RT::Authen::ExternalAuth> for details.

+=item C<$DisablePasswordForAuthToken>
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line
+in RT_SiteConfig.pm. You can find more information about tokens
+in L<RT::Authen::Token>.
+
=back

+=cut
+
+Set($DisablePasswordForAuthToken, 0);
+

=head2 Initialdata Formats

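Review bot: The new `=item` text says you can disable the password requirement "with the following line in RT_SiteConfig.pm" but no line follows it in this file; the example that docs/authentication.pod gives, ` Set($DisablePasswordForAuthToken, 1);`, should be repeated here so the reference documentation is self-contained. The entry should also tell an administrator what they give up: with the option on, holding a valid RT session is enough to create an auth token, with no re-entry of the password, so it belongs only on installs where the prompt is genuinely unusable (the hybrid local/external case the commit describes). A sentence such as `Note that with this enabled a logged-in session alone is sufficient to create a token; leave it at 0 unless your users cannot supply a local password.` would cover that.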
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 400dd5ac22..79e54f1ad1 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1290,6 +1290,12 @@ our %META;
Widget => '/Widgets/Form/Boolean',
},

+ DisablePasswordForAuthToken => {
+ Immutable => 1,
+ Widget => '/Widgets/Form/Boolean',
+ },
+
+
ExternalSettings => {
Immutable => 1,
Obfuscate => sub {
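Review bot: The new `DisablePasswordForAuthToken` entry is followed by two added blank lines before `ExternalSettings`, whereas the neighbouring entries in `%META` are separated by one; drop one of them. `Immutable => 1` matches the adjacent `ExternalSettings` entry and, as I read it, keeps this switch out of the web-editable configuration, which is the right choice for a knob that removes a re-authentication step.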
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index ce7c78f679..b8bd1c52ac 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5001,15 +5001,20 @@ sub ProcessAuthToken {
if ( $args_ref->{Create} ) {

# Don't require password for systems with some form of federated auth
+ # or if configured to not require a password
my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+ my $require_password = 1;
+ if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+ $require_password = 0;
+ }

if ( !length( $args_ref->{Description} ) ) {
push @results, loc("Description cannot be blank.");
}
- elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+ elsif ( $require_password && !length( $args_ref->{Password} ) ) {
push @results, loc("Please enter your current password.");
}
- elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+ elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
push @results, loc("Please enter your current password correctly.");
}
else {
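Review bot: The `$require_password` computation added at the top of this hunk is duplicated byte-for-byte in the `<%INIT>` block of share/html/Elements/AuthToken/Create, so the form that hides the password field and the handler that enforces the check can silently drift apart; this handler is the only thing standing between an already-authenticated session and a token that presumably outlives it, so the rule should live in one shared helper (say `AuthTokenRequiresPassword`) that both call. The three-line if/assignment also collapses to `my $require_password = ( $res{'CanSet'} && !RT->Config->Get('DisablePasswordForAuthToken') ) ? 1 : 0;`, and the comment above it would say more as `# Re-authenticate before creating a token unless the site has opted out or uses federated auth`. ProcessAuthToken starts and ends outside the hunk.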
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
<div class="modal-body">
<form method="POST">
<input type="hidden" name="Owner" value="<% $Owner %>">
-% if ( $res{'CanSet'} ){
+% if ( $require_password ){
<div class="form-row">
<div class="label col-4">
<&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
</div>

<%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+ $require_password = 0;
+}
</%INIT>

<%ARGS>

-----------------------------------------------------------------------