--- loncom/interface/lonpreferences.pm	2019/08/21 22:41:13	1.235
+++ loncom/interface/lonpreferences.pm	2020/02/09 04:43:20	1.236
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Preferences
 #
-# $Id: lonpreferences.pm,v 1.235 2019/08/21 22:41:13 raeburn Exp $
+# $Id: lonpreferences.pm,v 1.236 2020/02/09 04:43:20 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1273,18 +1273,18 @@ sub passwordchanger {
         $r->print(Apache::loncommon::start_page('Personal Data'));
         $r->print(Apache::lonhtmlcommon::breadcrumbs('Change Password'));
     }
-    my ($blocked,$blocktext) =
-        &Apache::loncommon::blocking_status('passwd');
-    if ($blocked) {
-        $r->print('<p class="LC_warning">'.$blocktext.'</p>');
-        return;
-    }
     if ((!defined($caller)) || ($caller eq 'preferences')) {
         $user = $env{'user.name'};
         $domain = $env{'user.domain'};
         if (!defined($caller)) {
             $caller = 'preferences';
         }
+        my ($blocked,$blocktext) =
+            &Apache::loncommon::blocking_status('passwd');
+        if ($blocked) {
+            $r->print('<p class="LC_warning">'.$blocktext.'</p>');
+            return;
+        }
     } elsif ($caller eq 'reset_by_email') {
         my %data = &Apache::lonnet::tmpget($mailtoken);
         if (keys(%data) == 0) {
@@ -1301,6 +1301,12 @@ sub passwordchanger {
                 $user = $data{'username'};
                 $domain = $data{'domain'};
                 $currentpass = $data{'temppasswd'};
+                my ($blocked,$blocktext) =
+                    &Apache::loncommon::blocking_status('passwd',$user,$domain);
+                if ($blocked) {
+                    $r->print('<p class="LC_warning">'.$blocktext.'</p>');
+                    return;
+                }
             } else {
                 $r->print(
                     '<p class="LC_warning">'
@@ -1360,7 +1366,7 @@ sub passwordchanger {
 	my $jsh=Apache::File->new($include."/londes.js");
 	$r->print(<$jsh>);
     }
-    $r->print(&jscript_send($caller,$extrafields));
+    $r->print(&jscript_send($caller,$domain,$currentauth,$extrafields));
     $r->print(<<ENDFORM);
 $errormessage
 
@@ -1377,11 +1383,105 @@ ENDFORM
 }
 
 sub jscript_send {
-    my ($caller,$extrafields) = @_;
+    my ($caller,$domain,$currentauth,$extrafields) = @_;
+    my ($min,$max,$rulestr,$numrules);
+    $min = $Apache::lonnet::passwdmin;
+    my %js_lt = &Apache::lonlocal::texthash(
+              uc => 'New password needs at least one upper case letter',
+              lc => 'New password needs at least one lower case letter',
+              num => 'New password needs at least one number',
+              spec => 'New password needs at least one non-alphanumeric',
+              blank1 => 'Empty Password field',
+              blank2 => 'Empty Confirm Password field',
+              mismatch => 'Contents of Password and Confirm Password fields must match',
+              fail => 'Please fix the following:',
+    );
+    &js_escape(\%js_lt);
+    if ($currentauth eq 'internal:') {
+        if ($domain ne '') {
+            my %passwdconf = &Apache::lonnet::get_passwdconf($domain);
+            if (keys(%passwdconf)) {
+                if ($passwdconf{min}) {
+                    $min = $passwdconf{min};
+                }
+                if ($passwdconf{max}) {
+                    $max = $passwdconf{max};
+                    $js_lt{'long'} = &js_escape(&mt('Maximum password length: [_1]',$max));
+                }
+                if (ref($passwdconf{chars}) eq 'ARRAY') {
+                    if (@{$passwdconf{chars}}) {
+                        $rulestr =  join('","',@{$passwdconf{chars}});
+                        $numrules = scalar(@{$passwdconf{chars}});
+                    }
+                }
+            }
+        }
+    }
+    $js_lt{'short'} = &js_escape(&mt('Minimum password length: [_1]',$min));
+
+    my $passwdcheck = <<"ENDJS";
+        var errors = new Array();
+        var min = parseInt("$min") || 0;
+        var currauth = "$currentauth";
+        if (this.document.client.elements.newpass_1.value == '') {
+            errors.push("$js_lt{'blank1'}");
+        }
+        if (this.document.client.elements.newpass_2.value == '') {
+            errors.push("$js_lt{'blank2'}");
+        }
+        if (errors.length == 0) {
+            if (this.document.client.elements.newpass_1.value !=  this.document.client.elements.newpass_2.value) {
+                errors.push("$js_lt{'mismatch'}");
+            }
+            var posspass = this.document.client.elements.newpass_1.value;
+            if (min > 0) {
+                if (posspass.length < min) {
+                    errors.push("$js_lt{'short'}");
+                }
+            }
+            if (currauth == 'internal:') {
+                var max = parseInt("$max") || 0;
+                if (max > 0) {
+                    if (posspass.length > max) {
+                        errors.push("$js_lt{'long'}");
+                    }
+                }
+                var numrules = parseInt("$numrules") || 0;
+                if (numrules > 0) {
+                    var rules = new Array("$rulestr");
+                    for (var i=0; i<rules.length; i++) {
+                        if (rules[i] == 'uc') {
+                            if (!posspass.match(/[A-Z]/)) {
+                                errors.push("$js_lt{'uc'}");
+                            }
+                        } else if (rules[i] == 'lc') {
+                            if (!posspass.match(/[a-z]/)) {
+                                errors.push("$js_lt{'lc'}");
+                            }
+                        } else if (rules[i] == 'num') {
+                            if (!posspass.match(/\\d/)) {
+                                errors.push("$js_lt{'num'}");
+                            }
+                        } else if (rules[i] == 'spec') {
+                            var pattern = /^[!@#$%^&*()_+\\-=\\[\\]{};':"\\\|,.<a>\\/?]/;
+                            if (!posspass.match(pattern)) {
+                                errors.push("$js_lt{'spec'}");
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        if (errors.length > 0) {
+            alert("$js_lt{'fail'}"+"\\n\\n"+errors.join("\\n"));
+            return;
+        }
+ENDJS
     my $output = qq|
 <script type="text/javascript" language="JavaScript">
 
     function send() {
+$passwdcheck
         uextkey=this.document.client.elements.ukey_cpass.value;
         lextkey=this.document.client.elements.lkey_cpass.value;
         initkeys();
@@ -1522,14 +1622,8 @@ sub server_form {
 }
 
 sub verify_and_change_password {
-    my ($r,$caller,$mailtoken,$ended) = @_;
+    my ($r,$caller,$mailtoken,$timelimit,$extrafields,$ended) = @_;
     my ($user,$domain,$homeserver);
-    my ($blocked,$blocktext) =
-        &Apache::loncommon::blocking_status('passwd');
-    if ($blocked) {
-        $r->print('<p class="LC_warning">'.$blocktext.'</p>');
-        return;
-    }
     if ($caller eq 'reset_by_email') {
         $user       = $env{'form.uname'};
         $domain     = $env{'form.udom'};
@@ -1538,20 +1632,30 @@ sub verify_and_change_password {
             if ($homeserver eq 'no_host') {
         &passwordchanger($r,"<p>\n<span class='LC_error'>".
                          &mt("Invalid username and/or domain")."</span>\n</p>",
-                         $caller,$mailtoken);
-                return 1;
+                         $caller,$mailtoken,$timelimit,$extrafields);
+                return 'no_host';
             }
         } else {
             &passwordchanger($r,"<p>\n<span class='LC_error'>".
                              &mt("Username and domain were blank")."</span>\n</p>",
-                             $caller,$mailtoken);
-            return 1;
+                             $caller,$mailtoken,$timelimit,$extrafields);
+            return 'missingdata';
         }
     } else {
         $user       = $env{'user.name'};
         $domain     = $env{'user.domain'};
         $homeserver = $env{'user.home'};
     }
+    my ($blocked,$blocktext) =
+        &Apache::loncommon::blocking_status('passwd',$user,$domain);
+    if ($blocked) {
+        $r->print('<p class="LC_warning">'.$blocktext.'</p>');
+        if ($caller eq 'reset_by_email') {
+            return 'blocked';
+        } else {
+            return;
+        }
+    }
     my $currentauth=&Apache::lonnet::queryauthenticate($user,$domain);
     # Check for authentication types that allow changing of the password.
     if ($currentauth !~ /^(unix|internal):/) {
@@ -1559,8 +1663,8 @@ sub verify_and_change_password {
             &passwordchanger($r,"<p>\n<span class='LC_error'>".
                              &mt("Authentication type for this user can not be changed by this mechanism").
                              "</span>\n</p>",
-                              $caller,$mailtoken);
-            return 1;
+                              $caller,$mailtoken,$timelimit,$extrafields);
+            return 'otherauth';
         } else {
             return;
         }
@@ -1576,8 +1680,12 @@ sub verify_and_change_password {
 	    defined($newpass2)    ){
 	&passwordchanger($r,"<p>\n<span class='LC_error'>".
 			 &mt("One or more password fields were blank").
-                         "</span>\n</p>",$caller,$mailtoken);
-	return;
+                         "</span>\n</p>",$caller,$mailtoken,$timelimit,$extrafields);
+        if ($caller eq 'reset_by_email') {
+            return 'missingdata';
+        } else {
+            return;
+        }
     }
     # Get the keys
     my $lonhost = $r->dir_config('lonHostID');
@@ -1595,7 +1703,11 @@ sub verify_and_change_password {
 </p>
 ENDERROR
         # Probably should log an error here
-        return 1;
+        if ($caller eq 'reset_by_email') {
+            return 'internalerror';
+        } else {
+            return;
+        }
     }
     my ($ckey,$n1key,$n2key)=split(/&/,$tmpinfo);
     #
@@ -1609,31 +1721,39 @@ ENDERROR
             &passwordchanger($r,
                          '<span class="LC_error">'.
                          &mt('Could not verify current authentication.').'  '.
-                         &mt('Please try again.').'</span>',$caller,$mailtoken);
-            return 1;
+                         &mt('Please try again.').'</span>',$caller,$mailtoken,$timelimit,$extrafields);
+            return 'emptydata';
         }
         if ($currentpass ne $data{'temppasswd'}) {
             &passwordchanger($r,
                          '<span class="LC_error">'.
                          &mt('Could not verify current authentication.').'  '.
-                         &mt('Please try again.').'</span>',$caller,$mailtoken);
-            return 1;
+                         &mt('Please try again.').'</span>',$caller,$mailtoken,$timelimit,$extrafields);
+            return 'missingtemp';
         }
     }
     if ($newpass1 ne $newpass2) {
 	&passwordchanger($r,
 			 '<span class="LC_warning">'.
 			 &mt('The new passwords you entered do not match.').'  '.
-			 &mt('Please try again.').'</span>',$caller,$mailtoken);
-	return 1;
+			 &mt('Please try again.').'</span>',$caller,$mailtoken,$timelimit,$extrafields);
+        if ($caller eq 'reset_by_email') {
+            return 'mismatch';
+        } else {
+            return;
+        }
     }
     if ($currentauth eq 'unix:') {
         if (length($newpass1) < 7) {
             &passwordchanger($r,
                              '<span class="LC_warning">'.
                              &mt('Passwords must be a minimum of 7 characters long.').'  '.
-                             &mt('Please try again.').'</span>',$caller,$mailtoken);
-            return 1;
+                             &mt('Please try again.').'</span>',$caller,$mailtoken,$timelimit,$extrafields);
+            if ($caller eq 'reset_by_email') {
+                return 'length';
+            } else {
+                return;
+            }
         }
     } else {
         my $warning = &Apache::loncommon::check_passwd_rules($domain,$newpass1);
@@ -1641,8 +1761,12 @@ ENDERROR
             &passwordchanger($r,'<span class="LC_warning">'.
                             $warning.
                             &mt('Please try again.').'</span>',
-                            $caller,$mailtoken);
-            return 1;
+                            $caller,$mailtoken,$timelimit,$extrafields);
+            if ($caller eq 'reset_by_email') {
+                return 'rules';
+            } else {
+                return;
+            }
         }
     }
     #
@@ -1662,8 +1786,12 @@ ENDERROR
 ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_\`abcdefghijklmnopqrstuvwxyz{|}~
 </pre></span>
 ENDERROR
-        &passwordchanger($r,$errormessage,$caller,$mailtoken);
-        return 1;
+        &passwordchanger($r,$errormessage,$caller,$mailtoken,$timelimit,$extrafields);
+        if ($caller eq 'reset_by_email') {
+            return 'badchars';
+        } else {
+            return;
+        }
     }
     # 
     # Change the password (finally)
@@ -1686,7 +1814,7 @@ ENDERROR
 	# error error: run in circles, scream and shout
         if ($caller eq 'reset_by_email') {
             if (!$result) {
-                return 1;
+                return 'error';
             } else {
                 return $result;
             }
@@ -2318,7 +2446,7 @@ sub handler {
     }elsif($env{'form.action'} eq 'changepass'){
         &passwordchanger($r);
     }elsif($env{'form.action'} eq 'verify_and_change_pass'){
-        &verify_and_change_password($r,'preferences','',\$ended);
+        &verify_and_change_password($r,'preferences','','','',\$ended);
     }elsif($env{'form.action'} eq 'changescreenname'){
         &screennamechanger($r);
     }elsif($env{'form.action'} eq 'verify_and_change_screenname'){