bug fixes password expired global (openemr#7068)

* bug fixes for 7.0.2 patch 1 - wrap login twig loader in try/catch so user is notified - ignore ($GLOBALS['password_expiration_days'] if is set to blank/empty string in password auth validation. - report password expired to error log as a notice. * - style fixes * - update global password expiration to 0 if blank in constructor
bradymiller · Dec 4, 2023 · d3abc55 · d3abc55
1 parent 4dfddef
commit d3abc55
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/interface/login/login.php b/interface/login/login.php
@@ -34,6 +34,9 @@
 use OpenEMR\Services\FacilityService;
 use OpenEMR\Services\LogoService;
 use Symfony\Component\EventDispatcher\EventDispatcher;
+use Twig\Error\LoaderError;
+use Twig\Error\RuntimeError;
+use Twig\Error\SyntaxError;
 
 $ignoreAuth = true;
 // Set $sessionAllowWrite to true to prevent session concurrency issues during authorization related code
@@ -262,4 +265,8 @@ function getLanguagesList(): array
 $templatePageEvent = new TemplatePageEvent('login/login.php', [], $layout, $viewArgs);
 $event = $ed->dispatch($templatePageEvent, TemplatePageEvent::RENDER_EVENT);
 
-echo $t->render($event->getTwigTemplate(), $event->getTwigVariables());
+try {
+    echo $t->render($event->getTwigTemplate(), $event->getTwigVariables());
+} catch (LoaderError | RuntimeError | SyntaxError $e) {
+    echo "<p style='font-size:24px; color: red;'>" . text($e->getMessage()) . '</p>';
+}
diff --git a/src/Common/Auth/AuthUtils.php b/src/Common/Auth/AuthUtils.php
@@ -106,6 +106,11 @@ public function __construct($mode = '')
                 privStatement("UPDATE `globals` SET `gl_value` = ? WHERE `gl_name` = 'hidden_auth_dummy_hash'", [$this->dummyHash]);
             }
         }
+        if ($GLOBALS['password_expiration_days'] === '') {
+            $GLOBALS['password_expiration_days'] = 0;
+            sqlQuery("UPDATE `globals` SET `gl_value` = ? WHERE `globals`.`gl_name` = 'password_expiration_days' AND `globals`.`gl_index` = '0' ", ['0']);
+            error_log("Blank global password_expiration_days updated to 0");
+        }
     }
 
     /**
@@ -450,6 +455,7 @@ private function confirmUserPassword($username, &$password)
                 $this->incrementIpLoginFailedCounter($ip['ip_string']);
             }
             EventAuditLogger::instance()->newEvent($event, $username, $authGroup, 0, $beginLog . ": " . $ip['ip_string'] . ". user password is expired");
+            error_log($username . ": " . $ip['ip_string'] . ". user password is expired");
             $this->clearFromMemory($password);
             return false;
         }
@@ -998,7 +1004,7 @@ private function testPasswordStrength(&$pwd)
 
     private function checkPasswordNotExpired($user)
     {
-        if (($GLOBALS['password_expiration_days'] == 0) || self::useActiveDirectory($user)) {
+        if ((empty($GLOBALS['password_expiration_days'] ?? 0)) || self::useActiveDirectory($user)) {
             // skip the check if turned off or using active directory for login
             return true;
         }
@@ -1007,6 +1013,7 @@ private function checkPasswordNotExpired($user)
             $current_date = date("Y-m-d");
             $expiredPlusGraceTime = date("Y-m-d", strtotime($query['last_update_password'] . "+" . ((int)$GLOBALS['password_expiration_days'] + (int)$GLOBALS['password_grace_time']) . " days"));
             if (strtotime($current_date) > strtotime($expiredPlusGraceTime)) {
+                error_log("OpenEMR Notice: Password is expired and outside of grace period. User: " . $user);
                 return false;
             }
         } else {