├── LICENSE
├── README.md
└── plugin.php


/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014 Vaughn Van Asten
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Change Password
 2 | ===============
 3 | 
 4 | This is a [YOURLS](http://yourls.org/) plugin to allow users to change their password via the administration interface and stores a hashed version in the configuration file. You can enforce minimum length and some complexity requirements.
 5 | 
 6 | Requirements
 7 | ------------
 8 | - YOURLS version 1.7 or greater
 9 | - Passwords must already be hashed by YOURLS
10 | 
11 | Installation
12 | ------------
13 | - In `/user/plugins` create a directory named `change-password`
14 | - Copy these files to that directory
15 | - Activate this plugin on the manage plugins page
16 | 
17 | Configuration
18 | -------------
19 | By default this plugin enforces a minimum password length of 6 characters. You can change that and also enforce any of the following:
20 | - Require at least one digit
21 | - Require at least one special character
22 | - Require both uppercase and lowercase letters
23 |  
24 | Place the following directives at the end of `config.php` and change them to meet your needs:
25 | ```
26 | /**
27 |  * Settings for Change Password plugin
28 |  */
29 |  define('VVA_CHANGE_PASSWORD_MINIMUM_LENGTH', 6 );
30 |  define('VVA_CHANGE_PASSWORD_USE_DIGITS', FALSE );
31 |  define('VVA_CHANGE_PASSWORD_USE_SPECIAL', FALSE );
32 |  define('VVA_CHANGE_PASSWORD_USE_UPPERCASE', FALSE );
33 | ```
34 | 
35 | Notes
36 | -----
37 | If a new version of YOURLS implements user management in the database this plugin will be obsolete. This is intended as a workaround until then.
38 | 
39 | Version
40 | -------
41 | 1.0
42 | 
43 | Source
44 | ------
45 | https://github.com/vvanasten/YOURLS-Change-Password
46 | 
47 | License
48 | -------
49 | MIT


--------------------------------------------------------------------------------
/plugin.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /*
  3 | Plugin Name: Change Password
  4 | Plugin URI: https://github.com/vvanasten/YOURLS-Change-Password
  5 | Description: Users can change their password via the admin interface
  6 | Version: 1.0
  7 | Author: Vaughn Van Asten <vaughn.vanasten@gmail.com>
  8 | Author URI: http://github.com/vvanasten
  9 | */
 10 | 
 11 | // No direct call
 12 | if( ! defined( 'YOURLS_ABSPATH' ) ) die();
 13 | 
 14 | /**
 15 |  * Set default password requirements. Default is minimum 6 characters.
 16 |  * You may also enable the following:
 17 |  * - Require at least one digit
 18 |  * - Require at lesat one special character
 19 |  * - Require both uppercase and lowercase letters
 20 |  * 
 21 |  * You can change these options in your config.php file.
 22 |  * This example enables everything and a minimum of 8 characters:
 23 |  * 
 24 |  * define('VVA_CHANGE_PASSWORD_MINIMUM_LENGTH', 8 );
 25 |  * define('VVA_CHANGE_PASSWORD_USE_DIGITS', TRUE );
 26 |  * define('VVA_CHANGE_PASSWORD_USE_SPECIAL', TRUE );
 27 |  * define('VVA_CHANGE_PASSWORD_USE_UPPERCASE', TRUE );
 28 |  */
 29 | if( ! defined( 'VVA_CHANGE_PASSWORD_MINIMUM_LENGTH' ) )
 30 | 	define( 'VVA_CHANGE_PASSWORD_MINIMUM_LENGTH', 6 );
 31 | 
 32 | if( ! defined( 'VVA_CHANGE_PASSWORD_USE_DIGITS' ) )
 33 | 	define( 'VVA_CHANGE_PASSWORD_USE_DIGITS', FALSE );
 34 | 
 35 | if( ! defined( 'VVA_CHANGE_PASSWORD_USE_SPECIAL' ) )
 36 | 	define( 'VVA_CHANGE_PASSWORD_USE_SPECIAL', FALSE );
 37 | 
 38 | if( ! defined( 'VVA_CHANGE_PASSWORD_USE_UPPERCASE' ) )
 39 | 	define( 'VVA_CHANGE_PASSWORD_USE_UPPERCASE', FALSE );
 40 | 
 41 | /**
 42 |  * Add hooks required for plugin
 43 |  */
 44 | yourls_add_action( 'plugins_loaded',	'vva_change_password_register_page' );
 45 | yourls_add_filter( 'logout_link',		'vva_change_password_logout_link' );
 46 | yourls_add_filter( 'admin_sublinks',	'vva_change_password_admin_sublinks' );
 47 | 
 48 | /**
 49 |  * Register the change password page
 50 |  */
 51 | function vva_change_password_register_page()
 52 | {
 53 | 	yourls_register_plugin_page( 'change_password', 'Change Password', 'vva_change_password_display_page' );
 54 | }
 55 | 
 56 | /**
 57 |  * Add the change password link next to logout so it makes sense in the UI
 58 |  * 
 59 |  * @param string $logout_link
 60 |  * @return string $logout_link
 61 |  */
 62 | function vva_change_password_logout_link ( $logout_link )
 63 | {
 64 | 	$admin_pages = yourls_list_plugin_admin_pages();
 65 | 	$change_password_url = $admin_pages[ 'change_password' ][ 'url' ];
 66 | 	
 67 | 	$logout_link = rtrim( $logout_link, ')' );
 68 | 	$logout_link .= sprintf( ' | <a href="%s">Change password</a>)', $change_password_url );
 69 | 	
 70 | 	return $logout_link;
 71 | }
 72 | 
 73 | /**
 74 |  * Remove change password link from sublist of manage plugins since we're
 75 |  * adding it to the logout link
 76 |  * 
 77 |  * @param array $admin_sublinks
 78 |  * @return array $admin_sublinks
 79 |  */
 80 | function vva_change_password_admin_sublinks( $admin_sublinks )
 81 | {
 82 | 	unset( $admin_sublinks[ 'plugins' ][ 'change_password' ] );
 83 | 	
 84 | 	return $admin_sublinks;
 85 | }
 86 | 
 87 | /**
 88 |  * Display the change password page
 89 |  */
 90 | function vva_change_password_display_page()
 91 | {	
 92 | 	// verify we have all necessary features
 93 | 	if ( ! vva_change_password_verify_capabilities() ) return;
 94 | 	
 95 | 	$error_message		= NULL;
 96 | 	$form_submitted		= FALSE;
 97 | 	$password_changed	= FALSE;
 98 | 	
 99 | 	// if a form was submitted check for errors & minimum requirements
100 | 	if ( isset ( $_REQUEST[ 'submit' ] ) )
101 | 	{
102 | 		$error_message = vva_change_password_get_form_errors();
103 | 		
104 | 		$form_submitted = TRUE;
105 | 	}
106 | 	
107 | 	// if the new password meets requirements update it
108 | 	if ( $form_submitted && empty( $error_message ) )
109 | 	{
110 | 		$password_changed = vva_change_password_write_file( $_REQUEST[ 'new_password' ] );
111 | 		
112 | 		if ( ! $password_changed ) return;
113 | 	}
114 | 	
115 | 	// show password updated message or the form
116 | 	if ( $password_changed )
117 | 	{
118 | 		?>
119 | 		<div id="password_updated" class="success">
120 | 			<p>Your password has been updated.</p>
121 | 			<p><a href="<?php echo yourls_admin_url( 'index.php' ) ?>">Continue</a></p>
122 | 		</div>
123 | 		<?php
124 | 	}
125 | 	else
126 | 	{
127 | 		vva_change_password_display_form( $error_message );
128 | 	}
129 | }
130 | 
131 | /**
132 |  * Display update password form
133 |  * 
134 |  * @param string $error_message
135 |  */
136 | function vva_change_password_display_form( $error_message = NULL )
137 | {
138 | 	?>
139 | 	<h2>Change Password</h2>
140 | 	<p>Your new password must:</p>
141 | 	<ul>
142 | 		<li>Be a minimum of <?php echo VVA_CHANGE_PASSWORD_MINIMUM_LENGTH; ?> characters.</li>
143 | 		<?php 
144 | 		if ( VVA_CHANGE_PASSWORD_USE_DIGITS ) echo '<li>Use at least one digit.</li>';
145 | 		if ( VVA_CHANGE_PASSWORD_USE_SPECIAL ) echo '<li>Use at least one special character.</li>';
146 | 		if ( VVA_CHANGE_PASSWORD_USE_UPPERCASE ) echo '<li>Use at least one lowercase and one uppercase letter.</li>';
147 | 		?>
148 | 	</ul>
149 | 	<div id="change_password">
150 | 		<form method="post" action="">
151 | 			<?php if ( ! empty( $error_message ) ) printf( '<p class="error">%s</p>', $error_message ); ?>
152 | 			<p>
153 | 				<label for="current_password">Current Password</label><br />
154 | 				<input type="password" id="current_password" name="current_password" size="30" class="text" />
155 | 			</p>
156 | 			<p>
157 | 				<label for="new_password">New Password</label><br />
158 | 				<input type="password" id="new_password" name="new_password" size="30" class="text" />
159 | 			</p>
160 | 			<p>
161 | 				<label for="confirm_new_password">Confirm New Password</label><br />
162 | 				<input type="password" id="confirm_new_password" name="confirm_new_password" size="30" class="text" />
163 | 			</p>
164 | 			<p>
165 | 				<input type="submit" id="submit" name="submit" value="Change Password" class="button" />
166 | 			</p>
167 | 		</form>
168 | 	</div>
169 | 	<?php
170 | }
171 | 
172 | /**
173 |  * Verify submitted form meets requirements
174 |  * - Current password must be correct
175 |  * - New password must match confirm new password
176 |  * - Minimum length met
177 |  * - If set, have one digit
178 |  * - If set, have one special character
179 |  * - If set, have at least one uppercase and one lowercase letter
180 |  * 
181 |  * @return string $error_message
182 |  */
183 | function vva_change_password_get_form_errors()
184 | {
185 | 	$error_message = NULL;
186 | 	
187 | 	if ( ! yourls_check_password_hash( YOURLS_USER, $_REQUEST[ 'current_password' ] ) )
188 | 	{
189 | 		$error_message .= 'Error: your current password is incorrect<br />';
190 | 	}
191 | 	
192 | 	if ( $_REQUEST[ 'new_password' ] !== $_REQUEST[ 'confirm_new_password' ] )
193 | 	{
194 | 		$error_message .= 'Error: New Password and Confirm New Password do not match<br />';
195 | 	}
196 | 	
197 | 	if ( strlen( $_REQUEST[ 'new_password' ] ) < VVA_CHANGE_PASSWORD_MINIMUM_LENGTH )
198 | 	{
199 | 		$error_message .= sprintf( 'Error: New Password must be at least %d characters<br />', VVA_CHANGE_PASSWORD_MINIMUM_LENGTH );
200 | 	}
201 | 	
202 | 	if ( VVA_CHANGE_PASSWORD_USE_DIGITS && ! preg_match( '/[0-9]+/', $_REQUEST[ 'new_password' ] ) )
203 | 	{
204 | 		$error_message .= 'Error: New Password must contain at least one digit<br />';
205 | 	}
206 | 	
207 | 	if ( VVA_CHANGE_PASSWORD_USE_SPECIAL && ! preg_match( '/[\W_]+/', $_REQUEST[ 'new_password' ] ) )
208 | 	{
209 | 		$error_message .= 'Error: New Password must contain at least one special character<br />';
210 | 	}
211 | 	
212 | 	if ( VVA_CHANGE_PASSWORD_USE_UPPERCASE &&
213 | 		( ! preg_match( '/[a-z]+/', $_REQUEST[ 'new_password' ] ) || ! preg_match( '/[A-Z]+/', $_REQUEST[ 'new_password' ] ) )
214 | 		)
215 | 	{
216 | 		$error_message .= 'Error: New Password must contain at least one lowercase and one uppercase letter<br />';
217 | 	}
218 | 	
219 | 	return $error_message;
220 | }
221 | 
222 | /**
223 |  * Update current user's password in config file
224 |  * 
225 |  * Borrowed heavily from yourls_hash_passwords_now()
226 |  * 
227 |  * @param string $new_password
228 |  * @return boolean
229 |  */
230 | function vva_change_password_write_file( $new_password )
231 | {
232 | 	$configdata = file_get_contents( YOURLS_CONFIGFILE );
233 | 	if ( $configdata == FALSE )
234 | 	{
235 | 		echo '<p class="error">Error: Cannot read config file</p>';
236 | 		return FALSE;
237 | 	}
238 | 	
239 | 	global $yourls_user_passwords;
240 | 	$current_password = $yourls_user_passwords[ YOURLS_USER ];
241 | 	$user = YOURLS_USER;
242 | 	
243 | 	$hash = yourls_phpass_hash( $new_password );
244 | 	// PHP would interpret $ as a variable, so replace it in storage.
245 | 	$hash = str_replace( '$', '!', $hash );
246 | 	
247 | 	$quotes = "'" . '"';
248 | 	$pattern = "/[$quotes]${user}[$quotes]\s*=>\s*[$quotes]" . preg_quote( $current_password, '/' ) . "[$quotes]/";
249 | 	$replace = "'$user' => 'phpass:$hash'";
250 | 	$count = 0;
251 | 	$configdata = preg_replace( $pattern, $replace, $configdata, -1, $count );
252 | 	
253 | 	// There should be exactly one replacement. Otherwise, fast fail.
254 | 	if ( $count != 1 )
255 | 	{
256 | 		echo '<p class="error">Error: Unable to update password</p>';
257 | 		return FALSE;
258 | 	}
259 | 	
260 | 	$success = file_put_contents( YOURLS_CONFIGFILE, $configdata );
261 | 	if ( $success === FALSE )
262 | 	{
263 | 		echo '<p class="error">Error: Unable to update config file</p>';
264 | 		return FALSE;
265 | 	}
266 | 	
267 | 	return TRUE;
268 | }
269 | 
270 | /**
271 |  * Verify YOURLS >= 1.7, passwords are hashed, and config file is writable
272 |  * 
273 |  * @return bool
274 |  */
275 | function vva_change_password_verify_capabilities()
276 | {
277 | 	$error = FALSE;
278 | 	
279 | 	if ( version_compare( YOURLS_VERSION, '1.7', 'lt' ) )
280 | 	{
281 | 		$error .= 'Error: This plugin requires YOURLS version 1.7 or greater<br />';
282 | 	}
283 | 	
284 | 	if ( yourls_has_cleartext_passwords() )
285 | 	{
286 | 		$error .= 'Error: This plugin requires stored passwords to be hashed<br />';
287 | 	}
288 | 	
289 | 	if ( ! is_readable( YOURLS_CONFIGFILE ) )
290 | 		
291 | 	{
292 | 		$error .= 'Error: Cannot read config file<br />';
293 | 	}
294 | 		
295 | 	if ( ! is_writable( YOURLS_CONFIGFILE ) )
296 | 	{
297 | 		$error .= 'Error: Cannot write config file<br />';
298 | 	}
299 | 	
300 | 	if ( $error )
301 | 	{
302 | 		echo '<p class="error">' . $error . '</p>';
303 | 		
304 | 		return FALSE;
305 | 	}
306 | 	else
307 | 	{
308 | 		return TRUE;
309 | 	}
310 | }
311 | 
312 | // EOF */
313 | 


--------------------------------------------------------------------------------