From 1f8f6fd653845be98f32b792e7cb99bdf964514d Mon Sep 17 00:00:00 2001
From: SinergiaCRM
Date: Wed, 4 Dec 2024 17:09:53 +0000
Subject: [PATCH] Fix #10591 - System-generated password does not meet Password Security Settings
---
modules/Users/User.php | 36 +++++++++++++++++++++++++++++++-----
1 file changed, 31 insertions(+), 5 deletions(-)
diff --git a/modules/Users/User.php b/modules/Users/User.php
index 851ced158eb..33219c7be35 100755
--- a/modules/Users/User.php
+++ b/modules/Users/User.php
@@ -2272,19 +2272,45 @@ public static function generatePassword() $NUMBER = "0123456789"; $UPPERCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; $SPECIAL = '~!@#$%^&*()_+=-{}|'; - $condition = 0; + + // Get password requirements + $length = 6; + if (isset($res['minpwdlength']) && is_numeric($res['minpwdlength']) && $res['minpwdlength'] > $length) { + $length = $res['minpwdlength']; + } + $charBKT .= $UPPERCASE . $LOWERCASE . $NUMBER; + $requirements = []; $password = ""; - $length = '6'; - // Create random characters for the ones that doesnt have requirements - for ($i = 0; $i < $length - $condition; $i++) { // loop and create password - $password = $password . substr($charBKT, mt_rand() % strlen($charBKT), 1); + // Set one Upper, Lower, Number or Special if are required + if (isset($res['oneupper']) && $res['oneupper']) { + $requirements[] = $UPPERCASE[mt_rand(0, strlen($UPPERCASE) - 1)]; + } + if (isset($res['onelower']) && $res['onelower']) { + $requirements[] = $LOWERCASE[mt_rand(0, strlen($LOWERCASE) - 1)]; + } + if (isset($res['onenumber']) && $res['onenumber']) { + $requirements[] = $NUMBER[mt_rand(0, strlen($NUMBER) - 1)]; + } + if (isset($res['onespecial']) && $res['onespecial']) { + $requirements[] = $SPECIAL[mt_rand(0, strlen($SPECIAL) - 1)]; + $charBKT .= $SPECIAL; + } + $password .= implode('', $requirements); + + // Create other random characters + for ($i = 0; $i < $length - count($requirements); $i++) { // loop and create password + $password .= $charBKT[mt_rand(0, strlen($charBKT) - 1)]; } + // Shuffle password characters + $password = str_shuffle($password); + return $password; } + /** * Send new password or link to user *
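Review bot: Every character is still drawn with `mt_rand()` and the result is reordered with `str_shuffle()`, and the PHP manual says neither may be used for cryptographic purposes, which matters here because the output is an account password. `random_int(0, strlen($UPPERCASE) - 1)` is a drop-in replacement at each of the five `mt_rand(0, …)` calls, and the final shuffle can be a Fisher-Yates loop driven by `random_int()` as sketched below. `random_int()` throws when no entropy source is available, so the caller would need to let that propagate rather than fall back to a weaker generator. `generatePassword()` begins above this hunk, so how `$res`, `$LOWERCASE` and the initial `$charBKT` are set is not visible here.

```php
// … unchanged: minimum length and required character classes, with mt_rand() replaced by random_int() …
for ($i = 0; $i < $length - count($requirements); $i++) {
    $password .= $charBKT[random_int(0, strlen($charBKT) - 1)];
}

// Fisher-Yates shuffle driven by the CSPRNG instead of str_shuffle()
for ($i = strlen($password) - 1; $i > 0; $i--) {
    $j = random_int(0, $i);
    $tmp = $password[$i];
    $password[$i] = $password[$j];
    $password[$j] = $tmp;
}

return $password;
```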