contao · ralfhartmann · Oct 13, 2013 · Oct 13, 2013
diff --git a/system/modules/core/classes/FrontendUser.php b/system/modules/core/classes/FrontendUser.php
@@ -157,6 +157,18 @@ public function authenticate()
 		// Default authentication
 		if (parent::authenticate())
 		{
+			// Check if the user has to change the password
+			if ($this->pwChange)
+			{
+				// we are here because of the login module, do not logout
+				if (\Session::getInstance()->get('PASSWORD_CHANGE_REQUIRED'))
+				{
+					\Session::getInstance()->remove('PASSWORD_CHANGE_REQUIRED');
+					return false;
+				}
+				$this->logout();
+				$this->reload();
+			}
 			return true;
 		}
 
@@ -184,6 +196,7 @@ public function authenticate()
 			return false;
 		}
 
+		/* was called by parent */
 		$this->setUserFromDb();
 
 		// Last login date

diff --git a/system/modules/core/config/autoload.php b/system/modules/core/config/autoload.php
@@ -324,6 +324,7 @@
 	'mod_html'            => 'system/modules/core/templates/modules',
 	'mod_login_1cl'       => 'system/modules/core/templates/modules',
 	'mod_login_2cl'       => 'system/modules/core/templates/modules',
+	'mod_pwchange_1cl'    => 'system/modules/core/templates/modules',
 	'mod_logout_1cl'      => 'system/modules/core/templates/modules',
 	'mod_logout_2cl'      => 'system/modules/core/templates/modules',
 	'mod_message'         => 'system/modules/core/templates/modules',

diff --git a/system/modules/core/dca/tl_member.php b/system/modules/core/dca/tl_member.php
@@ -117,7 +117,7 @@
 	// Subpalettes
 	'subpalettes' => array
 	(
-		'login'                       => 'username,password',
+		'login'                       => 'pwChange,username,password',
 		'assignDir'                   => 'homeDir'
 	),
 
@@ -305,7 +305,7 @@
 			'exclude'                 => true,
 			'filter'                  => true,
 			'inputType'               => 'checkbox',
-			'eval'                    => array('submitOnChange'=>true),
+			'eval'                    => array('submitOnChange'=>true, 'tl_class'=>'w50 clr'),
 			'sql'                     => "char(1) NOT NULL default ''"
 		),
 		'username' => array
@@ -316,7 +316,7 @@
 			'sorting'                 => true,
 			'flag'                    => 1,
 			'inputType'               => 'text',
-			'eval'                    => array('mandatory'=>true, 'unique'=>true, 'rgxp'=>'extnd', 'nospace'=>true, 'maxlength'=>64, 'feEditable'=>true, 'feViewable'=>true, 'feGroup'=>'login'),
+			'eval'                    => array('mandatory'=>true, 'unique'=>true, 'rgxp'=>'extnd', 'nospace'=>true, 'maxlength'=>64, 'feEditable'=>true, 'feViewable'=>true, 'feGroup'=>'login', 'tl_class'=>'w50 clr'),
 			'sql'                     => "varchar(64) COLLATE utf8_bin NOT NULL default ''"
 		),
 		'password' => array
@@ -331,6 +331,23 @@
 			),
 			'sql'                     => "varchar(128) NOT NULL default ''"
 		),
+		'pwChange' => array
+		(
+				'label'                   => &$GLOBALS['TL_LANG']['tl_member']['pwChange'],
+				'exclude'                 => true,
+				'inputType'               => 'checkbox',
+				'filter'                  => true,
+				'sql'                     => "char(1) NOT NULL default ''",
+				'eval'                    => array('tl_class'=>'w50')
+		),
+		'oldPasswords' => array
+		(
+				'label'                   => &$GLOBALS['TL_LANG']['MSC']['oldpasswords'],
+				'exclude'                 => true,
+				'inputType'               => 'none',
+				'eval'                    => array('preserveTags'=>true, 'beEditable' => false, 'feEditable'=>false, 'feGroup'=>'login'),
+				'sql'                     => "blob NULL"
+		),
 		'assignDir' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_member']['assignDir'],

diff --git a/system/modules/core/dca/tl_module.php b/system/modules/core/dca/tl_module.php
@@ -113,7 +113,7 @@
 		'login'                       => '{title_legend},name,headline,type;{config_legend},autologin;{redirect_legend},jumpTo,redirectBack;{template_legend:hide},cols;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
 		'logout'                      => '{title_legend},name,headline,type;{redirect_legend},jumpTo,redirectBack;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
 		'personalData'                => '{title_legend},name,headline,type;{config_legend},editable;{redirect_legend},jumpTo;{template_legend:hide},memberTpl,tableless;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
-		'registration'                => '{title_legend},name,headline,type;{config_legend},editable,newsletters,disableCaptcha;{account_legend},reg_groups,reg_allowLogin,reg_assignDir;{redirect_legend},jumpTo;{email_legend:hide},reg_activate;{template_legend:hide},memberTpl,tableless;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
+		'registration'                => '{title_legend},name,headline,type;{config_legend},editable,newsletters,disableCaptcha;{account_legend},reg_groups,reg_allowLogin,reg_pwChange,reg_assignDir;{redirect_legend},jumpTo;{email_legend:hide},reg_activate;{template_legend:hide},memberTpl,tableless;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
 		'lostPassword'                => '{title_legend},name,headline,type;{config_legend},reg_skipName,disableCaptcha;{redirect_legend},jumpTo;{email_legend:hide},reg_jumpTo,reg_password;{template_legend:hide},tableless;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
 		'closeAccount'                => '{title_legend},name,headline,type;{config_legend},reg_close;{redirect_legend},jumpTo;{template_legend:hide},tableless;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
 		'form'                        => '{title_legend},name,headline,type;{include_legend},form;{protected_legend:hide},protected;{expert_legend:hide},guests,cssID,space',
@@ -632,7 +632,8 @@
 			'label'                   => &$GLOBALS['TL_LANG']['tl_module']['reg_allowLogin'],
 			'exclude'                 => true,
 			'inputType'               => 'checkbox',
-			'sql'                     => "char(1) NOT NULL default ''"
+			'sql'                     => "char(1) NOT NULL default ''",
+			'eval'                    => array('tl_class'=>'w50 clr')
 		),
 		'reg_skipName' => array
 		(

diff --git a/system/modules/core/languages/en/default.xlf b/system/modules/core/languages/en/default.xlf
@@ -1424,6 +1424,9 @@ This e-mail has been generated by Contao. You can not reply to it directly.
       <trans-unit id="MSC.emptyField">
         <source>Please enter your username and password!</source>
       </trans-unit>
+      <trans-unit id="MSC.emptyPasswordField">
+        <source>Please enter a password!</source>
+      </trans-unit>
       <trans-unit id="MSC.confirmation">
         <source>Confirmation</source>
       </trans-unit>

diff --git a/system/modules/core/languages/en/tl_member.xlf b/system/modules/core/languages/en/tl_member.xlf
@@ -215,6 +215,12 @@
       <trans-unit id="tl_member.toggle.1">
         <source>Activate/deactivate member ID %s</source>
       </trans-unit>
+      <trans-unit id="tl_member.pwChange.0">
+        <source>Password change required</source>
+      </trans-unit>
+      <trans-unit id="tl_member.pwChange.1">
+        <source>Make the member change his password upon the next login.</source>
+      </trans-unit>
     </body>
   </file>
 </xliff>
diff --git a/system/modules/core/languages/en/tl_module.xlf b/system/modules/core/languages/en/tl_module.xlf
@@ -581,6 +581,12 @@ Please click ##link## to set the new password. If you did not request this e-mai
       <trans-unit id="tl_module.pasteafter.1">
         <source>Paste after module ID %s</source>
       </trans-unit>
+      <trans-unit id="tl_module.password_change_info">
+        <source>The administrator wants you to change your password.</source>
+      </trans-unit>
+      <trans-unit id="tl_module.old_password_forbidden">
+        <source>This password has already been used.</source>
+      </trans-unit>
     </body>
   </file>
 </xliff>
diff --git a/system/modules/core/library/Contao/User.php b/system/modules/core/library/Contao/User.php
@@ -217,6 +217,27 @@ public function authenticate()
 	}
 
 
+	/**
+	 *
+	 * Checks "crypt" passwords only
+	 *
+	 * @param string $strCrypted The crypted password
+	 * @param string $strPlain   The plain password
+	 *
+	 * @return boolean true, if the passwords "match", else false
+	 *
+	 */
+	public static function checkCryptPassword($strCrypted, $strPlain)
+	{
+		if (\Encryption::test($strCrypted))
+		{
+			return  (crypt($strPlain, $strCrypted) == $strCrypted);
+		}
+
+		return false;
+	}
+
+
 	/**
 	 * Try to login the current user
 	 *
@@ -303,7 +324,7 @@ public function login()
 		// The password has been generated with crypt()
 		if (\Encryption::test($this->password))
 		{
-			$blnAuthenticated = (crypt(\Input::post('password', true), $this->password) == $this->password);
+			$blnAuthenticated = \User::checkCryptPassword($this->password, \Input::post('password', true));
 		}
 		else
 		{