diff --git a/app/Http/Controllers/ProfileController.php b/app/Http/Controllers/ProfileController.php index 787037cfb1..140c73ab26 100755 --- a/app/Http/Controllers/ProfileController.php +++ b/app/Http/Controllers/ProfileController.php @@ -156,6 +156,29 @@ class ProfileController extends Controller if (!Hash::check($request->input('current_password'), $user->password)) { $validator->errors()->add('current_password', trans('validation.hashed_pass')); } + + // This checks to make sure that the user's password isn't the same as their username, + // email address, first name or last name (see https://github.com/snipe/snipe-it/issues/8661) + // While this is handled via SaveUserRequest form request in other places, we have to do this manually + // here because we don't have the username, etc form fields available in the profile password change + // form. + + // There may be a more elegant way to do this in the future. + + // First let's see if that option is enabled in the settings + if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields')) { + \Log::debug('disallow_same_pwd_as_user_fields is ON'); + if (($request->input('password') == $user->username) || + ($request->input('password') == $user->email) || + ($request->input('password') == $user->first_name) || + ($request->input('password') == $user->last_name)) + { + $validator->errors()->add('password', trans('validation.disallow_same_pwd_as_user_fields')); + } + } + + + }); diff --git a/app/Providers/ValidationServiceProvider.php b/app/Providers/ValidationServiceProvider.php index b8e028226e..2a675fa8d1 100644 --- a/app/Providers/ValidationServiceProvider.php +++ b/app/Providers/ValidationServiceProvider.php 
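Review bot: The settings check in the ProfileController hunk uses a bare `strpos(...)` as a boolean, so when `disallow_same_pwd_as_user_fields` happens to be the first rule in the string returned by `Setting::passwordComplexityRulesSaving('store')` (assuming that returns a delimited string, as the strpos call implies) the offset is 0, the condition is false and the whole check is silently skipped; it needs `!== false` (or `str_contains`). The four comparisons use loose `==`, which also treats a missing password (`null`) as equal to an unset `last_name`/`first_name` and makes numeric-looking strings compare by value; a strict `in_array(..., true)` over the four fields avoids both and reads shorter. The enclosing `$validator->after(...)` closure and the controller method start outside the hunk. The same loose-comparison point applies to the `Validator::extend` hunk in ValidationServiceProvider.php.
```php
// … unchanged: current_password Hash::check block …
if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
    \Log::debug('disallow_same_pwd_as_user_fields is ON');
    $password = $request->input('password');
    // strict comparison: a null/empty password must not "match" an unset user field
    if (is_string($password) && $password !== ''
        && in_array($password, [$user->username, $user->email, $user->first_name, $user->last_name], true)) {
        $validator->errors()->add('password', trans('validation.disallow_same_pwd_as_user_fields'));
    }
}
```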
@@ -91,6 +91,42 @@ class ValidationServiceProvider extends ServiceProvider }); + // This ONLY works for create/update user forms, since the Update Profile Password form doesn't + // include any of these additional validator fields + Validator::extend('disallow_same_pwd_as_user_fields', function ($attribute, $value, $parameters, $validator) { + + $data = $validator->getData(); + + if (array_key_exists("username", $data)) { + if ($data['username'] == $data['password']) { + return false; + } + } + + if (array_key_exists("email", $data)) { + if ($data['email'] == $data['password']) { + return false; + } + } + + if (array_key_exists("first_name", $data)) { + if ($data['first_name'] == $data['password']) { + return false; + } + } + + if (array_key_exists("last_name", $data)) { + if ($data['last_name'] == $data['password']) { + return false; + } + } + + + return true; + + + }); + Validator::extend('letters', function ($attribute, $value, $parameters) { return preg_match('/\pL/', $value); }); diff --git a/resources/lang/en/validation.php b/resources/lang/en/validation.php index d7ddb8c0d1..7e584d67ea 100644 --- a/resources/lang/en/validation.php +++ b/resources/lang/en/validation.php @@ -99,7 +99,7 @@ return array( 'url' => 'The :attribute format is invalid.', "unique_undeleted" => "The :attribute must be unique.", "import_field_empty" => "The value of the Import Field shouldn't be empty", - "same_pwd_as_user_fields" => 'The password cannot be the same as the username, email address, or first or last name.', + "disallow_same_pwd_as_user_fields" => 'The password cannot be the same as the username, email address, or first or last name.', /* |-------------------------------------------------------------------------- diff --git a/resources/views/settings/security.blade.php b/resources/views/settings/security.blade.php index 9f5d9bf1ec..ad05725c28 100644 --- a/resources/views/settings/security.blade.php +++ b/resources/views/settings/security.blade.php @@ -99,7 +99,7 @@
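Review bot: The new `disallow_same_pwd_as_user_fields` rule compares against `$data['password']` instead of the `$value` the validator passes in, so it throws an undefined-index notice if the rule is ever attached to an attribute other than `password` (or the password key is absent from the data), and it ignores the value actually under validation; `$value` is the right operand. Every comparison is loose `==`, so a `null` user field equals an empty or missing password and numeric-looking strings compare numerically; `===` is what a "must not equal" rule wants. The four copy-pasted `array_key_exists` blocks collapse into one loop over the field names, which also makes adding a field a one-token change.
```php
Validator::extend('disallow_same_pwd_as_user_fields', function ($attribute, $value, $parameters, $validator) {
    $data = $validator->getData();
    // compare the value under validation, strictly, against each user-identifying field that is present
    foreach (['username', 'email', 'first_name', 'last_name'] as $field) {
        if (array_key_exists($field, $data) && $data[$field] === $value) {
            return false;
        }
    }
    return true;
});
// … unchanged: 'letters' rule …
```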