[TASK] ext:saltedpasswords: Remove isUsageEnabled for backend 75/23375/7
authorNicole Cordes <typo3@cordes.co>
Tue, 27 Aug 2013 18:16:41 +0000 (20:16 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Tue, 27 Aug 2013 20:27:37 +0000 (22:27 +0200)
Remove all calls to SaltedPasswordsUtility::isUsageEnabled('BE'),
as the backend is enabled by default. Also remove all
ExtensionManagementUtility::isLoaded('saltedpasswords') checks, as
the extension is loaded by default.

Change-Id: Ie2332fc3c6c454888afc8c9956b9869309623584
Resolves: #51356
Releases: 6.2
Reviewed-on: https://review.typo3.org/23375
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
typo3/sysext/install/Classes/Controller/Action/Tool/ImportantActions.php
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/reports/locallang.xlf
typo3/sysext/saltedpasswords/Documentation/DevelopersGuide/Index.rst
typo3/sysext/saltedpasswords/ext_tables.php

index 63ec20c..ae6134a 100644 (file)
@@ -218,17 +218,8 @@ class ImportantActions extends Action\AbstractAction implements Action\ActionInt
                                $message->setTitle('Administrator user not created');
                                $message->setMessage('A user with username ' . $username . ' exists already.');
                        } else {
-                               if (
-                                       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('saltedpasswords')
-                                       && \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('BE')
-                               ) {
-                                       // Needed to initialize the "saltMethods", which are defined in ext_localconf.php
-                                       require(\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('saltedpasswords') . 'ext_localconf.php');
-                                       $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE');
-                                       $hashedPassword = $saltFactory->getHashedPassword($password);
-                               } else {
-                                       $hashedPassword = md5($password);
-                               }
+                               $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE');
+                               $hashedPassword = $saltFactory->getHashedPassword($password);
 
                                $adminUserFields = array(
                                        'username' => $username,
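Review bot: The added `$saltFactory->getHashedPassword($password)` is called on whatever `getSaltingInstance(NULL, 'BE')` returns, with no object check, although the SecurityStatus hunk in this same commit still guards the factory result with `is_object()`. The removed branch also required `ext_localconf.php` first to register the salt methods; whether the install tool loads that file some other way is not visible here, so the factory may be able to return no instance. Dropping the md5 fallback is right, so the failure should be closed rather than fatal: a guard such as `if (!is_object($saltFactory)) { /* report the error on $message and create no user */ }` before hashing would do it. The enclosing method starts and ends outside the hunk.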
index aca0706..344679d 100644 (file)
@@ -65,16 +65,11 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
                $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, username, password', 'be_users', $whereClause);
                if ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                        $secure = TRUE;
-                       // Check against salted password
-                       if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('saltedpasswords')) {
-                               if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('BE')) {
-                                       /** @var $saltingObject \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
-                                       $saltingObject = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($row['password']);
-                                       if (is_object($saltingObject)) {
-                                               if ($saltingObject->checkPassword('password', $row['password'])) {
-                                                       $secure = FALSE;
-                                               }
-                                       }
+                       /** @var $saltingObject \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
+                       $saltingObject = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($row['password']);
+                       if (is_object($saltingObject)) {
+                               if ($saltingObject->checkPassword('password', $row['password'])) {
+                                       $secure = FALSE;
                                }
                        }
                        // Check against plain MD5
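Review bot: The two nested conditions left after removing the guards can be a single one, `if (is_object($saltingObject) && $saltingObject->checkPassword('password', $row['password'])) {`, which drops a nesting level. The `@var $saltingObject \...\SaltInterface` annotation also puts the variable before the type, while the annotation added in the next hunk of this file uses type-then-variable; `/** @var \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface $saltingObject */` would match it. The enclosing method starts and ends outside the hunk.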
@@ -206,38 +201,32 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
                $value = $GLOBALS['LANG']->getLL('status_ok');
                $message = '';
                $severity = \TYPO3\CMS\Reports\Status::OK;
-               if (!\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('saltedpasswords')) {
+               /** @var \TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility $configCheck */
+               $configCheck = GeneralUtility::makeInstance('TYPO3\\CMS\\Saltedpasswords\\Utility\\ExtensionManagerConfigurationUtility');
+               $message = '<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>';
+               $messageDetail = '';
+               $flashMessage = $configCheck->checkConfigurationBackend(array(), new \TYPO3\CMS\Core\TypoScript\ConfigurationForm());
+               if (strpos($flashMessage, 'message-error') !== FALSE) {
                        $value = $GLOBALS['LANG']->getLL('status_insecure');
                        $severity = \TYPO3\CMS\Reports\Status::ERROR;
-                       $message .= $GLOBALS['LANG']->getLL('status_saltedPasswords_notInstalled');
-               } else {
-                       /** @var \TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility $configCheck */
-                       $configCheck = GeneralUtility::makeInstance('TYPO3\\CMS\\Saltedpasswords\\Utility\\ExtensionManagerConfigurationUtility');
-                       $message = '<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>';
-                       $messageDetail = '';
-                       $flashMessage = $configCheck->checkConfigurationBackend(array(), new \TYPO3\CMS\Core\TypoScript\ConfigurationForm());
-                       if (strpos($flashMessage, 'message-error') !== FALSE) {
-                               $value = $GLOBALS['LANG']->getLL('status_insecure');
-                               $severity = \TYPO3\CMS\Reports\Status::ERROR;
-                               $messageDetail .= $flashMessage;
-                       }
-                       if (strpos($flashMessage, 'message-warning') !== FALSE) {
-                               $severity = \TYPO3\CMS\Reports\Status::WARNING;
-                               $messageDetail .= $flashMessage;
-                       }
-                       if (strpos($flashMessage, 'message-information') !== FALSE) {
-                               $messageDetail .= $flashMessage;
-                       }
-                       $unsecureUserCount = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::getNumberOfBackendUsersWithInsecurePassword();
-                       if ($unsecureUserCount > 0) {
-                               $value = $GLOBALS['LANG']->getLL('status_insecure');
-                               $severity = \TYPO3\CMS\Reports\Status::ERROR;
-                               $messageDetail .= '<div class="typo3-message message-warning">' . $GLOBALS['LANG']->getLL('status_saltedPasswords_notAllPasswordsHashed') . '</div>';
-                       }
-                       $message .= $messageDetail;
-                       if (empty($messageDetail)) {
-                               $message = '';
-                       }
+                       $messageDetail .= $flashMessage;
+               }
+               if (strpos($flashMessage, 'message-warning') !== FALSE) {
+                       $severity = \TYPO3\CMS\Reports\Status::WARNING;
+                       $messageDetail .= $flashMessage;
+               }
+               if (strpos($flashMessage, 'message-information') !== FALSE) {
+                       $messageDetail .= $flashMessage;
+               }
+               $unsecureUserCount = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::getNumberOfBackendUsersWithInsecurePassword();
+               if ($unsecureUserCount > 0) {
+                       $value = $GLOBALS['LANG']->getLL('status_insecure');
+                       $severity = \TYPO3\CMS\Reports\Status::ERROR;
+                       $messageDetail .= '<div class="typo3-message message-warning">' . $GLOBALS['LANG']->getLL('status_saltedPasswords_notAllPasswordsHashed') . '</div>';
+               }
+               $message .= $messageDetail;
+               if (empty($messageDetail)) {
+                       $message = '';
                }
                return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_saltedPasswords'), $value, $message, $severity);
        }
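Review bot: The three `strpos()` checks on `$flashMessage` are independent `if`s, so if the returned markup ever contains both `message-error` and `message-warning`, `$severity` is set back to WARNING while `$value` still reads insecure, and the same markup is appended to `$messageDetail` once per matching class. For a security report the highest severity should win: make the second and third checks `} elseif (strpos($flashMessage, 'message-warning') !== FALSE) {` and `} elseif (strpos($flashMessage, 'message-information') !== FALSE) {`. The initial `$message = '';` is also dead now that the value is overwritten unconditionally a few lines later. The method's start is outside the hunk.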
index 76f850e..2f823a5 100644 (file)
@@ -96,9 +96,6 @@
                        <trans-unit id="status_saltedPasswords_infoText" xml:space="preserve">
                                <source>During the configuration check of saltedpasswords the following issues have been found:</source>
                        </trans-unit>
-                       <trans-unit id="status_saltedPasswords_notInstalled" xml:space="preserve">
-                               <source>The saltedpasswords extension is not installed. The passwords are only hashed with md5 which is considered to be insecure. Install and configure the saltedpasswords extension and run the scheduler task to convert all passwords to salted hashes.</source>
-                       </trans-unit>
                        <trans-unit id="status_saltedPasswords_notAllPasswordsHashed" xml:space="preserve">
                                <source>Some backend user passwords are found to be only md5 hashed. Run the scheduler task to convert all passwords to salted hashes.</source>
                        </trans-unit>
index 9a000eb..8fa2bfb 100644 (file)
@@ -58,16 +58,14 @@ Checking a password
 When you want to check a plain-text password against a salted user
 password hash, these are the steps to be done:
 
-- check if salted user password hashes is enabled for the desired TYPO3
-  mode (frontend/backend)
+- check if salted user password hashes is enabled for the TYPO3
+  mode (frontend only)
 
 - let the factory deliver an instance of the according hashing class
 
 - compare plain-text password with salted user password hash
 
-Example implementation for TYPO3 backend (here the check for enabled
-salted user password hashed for a specific TYPO3 mode might be
-omitted):
+Example implementation for TYPO3 frontend:
 
 ::
 
@@ -78,12 +76,10 @@ omitted):
    // keeps status if plain-text password matches given salted user password hash
    $success = FALSE;
 
-   if (\TYPO3\CMS\Core\Utility\GeneralUtility::isLoaded('saltedpasswords')) {
-           if (\TYPO3\CMS\Saltedpasswords\Utility::SaltedPasswordsUtility::isUsageEnabled('BE')) {
-                   $objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($saltedPassword);
-                   if (is_object($objSalt)) {
-                           $success = $objSalt->checkPassword($password, $saltedPassword);
-                   }
+   if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
+           $objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($saltedPassword);
+           if (is_object($objSalt)) {
+                   $success = $objSalt->checkPassword($password, $saltedPassword);
            }
    }
 
index 5d6044a..c3f9591 100644 (file)
@@ -15,20 +15,20 @@ if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('F
        unset($operations);
 }
 $GLOBALS['TCA']['be_users']['columns']['password']['config']['max'] = 100;
-if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('BE')) {
-       // Get eval field operations methods as array keys
-       $operations = array_flip(\TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', $GLOBALS['TCA']['be_users']['columns']['password']['config']['eval'], TRUE));
-       // Remove md5 and temporary password from the list of evaluated methods
-       unset($operations['md5'], $operations['password']);
-       // Append new methods to have "password" as last operation.
-       $operations['tx_saltedpasswords_eval_be'] = 1;
-       $operations['password'] = 1;
-       $GLOBALS['TCA']['be_users']['columns']['password']['config']['eval'] = implode(',', array_keys($operations));
-       unset($operations);
-       // Prevent md5 hashing on client side via JS
-       $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';
-       $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password2']['eval'] = '';
-}
+
+// Backend configuration for saltedpasswords
+// Get eval field operations methods as array keys
+$operations = array_flip(\TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', $GLOBALS['TCA']['be_users']['columns']['password']['config']['eval'], TRUE));
+// Remove md5 and temporary password from the list of evaluated methods
+unset($operations['md5'], $operations['password']);
+// Append new methods to have "password" as last operation.
+$operations['tx_saltedpasswords_eval_be'] = 1;
+$operations['password'] = 1;
+$GLOBALS['TCA']['be_users']['columns']['password']['config']['eval'] = implode(',', array_keys($operations));
+unset($operations);
+// Prevent md5 hashing on client side via JS
+$GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';
+$GLOBALS['TYPO3_USER_SETTINGS']['columns']['password2']['eval'] = '';
 // Add context sensitive help (csh) for scheduler task
 \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addLLrefForTCAdescr('_txsaltedpasswords', 'EXT:' . $_EXTKEY . '/locallang_csh_saltedpasswords.xlf');
 ?>
\ No newline at end of file
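Review bot: The backend block now rewrites the `be_users` password eval on every load without the `isUsageEnabled('BE')` guard, and the comment `// Prevent md5 hashing on client side via JS` does not say why that matters. With both `TYPO3_USER_SETTINGS` evals cleared the password is submitted as typed, presumably because `tx_saltedpasswords_eval_be` has to hash the plain value on the server. The comment should state that dependency, for example `// Clear client-side md5: the salted hash is computed server-side from the password as typed, so this form relies on transport protection`.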