From 25cc00c3b23d9be4cae73277ee030a283e1a6fb2 Mon Sep 17 00:00:00 2001
From: "florian.azizian" <florian.azizian@maarch.org>
Date: Fri, 2 Oct 2020 17:18:50 +0200
Subject: [PATCH] FIX #14788 TIME 0:20 fix bypass password modification rule
---
 apps/maarch_entreprise/index.php | 15 +++++++++++++++
 src/core/controllers/AuthenticationController.php | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/apps/maarch_entreprise/index.php b/apps/maarch_entreprise/index.php
index 959a1c20d26..626419d79fd 100755
--- a/apps/maarch_entreprise/index.php
+++ b/apps/maarch_entreprise/index.php
@@ -203,6 +203,21 @@ if (!empty($_REQUEST['page']) && empty($_REQUEST['triggerAngular'])) {
 } else {
 header('location: index.php?display=true&page=logout&logout=true');
 }
+
+ $user = \User\models\UserModel::getByLogin(['login' => $cookie['userId'], 'select' => ['password_modification_date']]);
+ $loggingMethod = \SrcCore\models\CoreConfigModel::getLoggingMethod();
+ if (!in_array($loggingMethod['id'], ['sso', 'cas', 'ldap', 'keycloak', 'shibboleth'])) {
+ $passwordRules = \SrcCore\models\PasswordModel::getEnabledRules();
+ if (!empty($passwordRules['renewal'])) {
+ $currentDate = new \DateTime();
+ $lastModificationDate = new \DateTime($user['password_modification_date']);
+ $lastModificationDate->add(new DateInterval("P{$passwordRules['renewal']}D"));
+
+ if ($currentDate > $lastModificationDate) {
+ header('location: index.php?display=true&page=logout&logout=true');
+ }
+ }
+ }
 }
 //INSERT PART OF PAGE
diff --git a/src/core/controllers/AuthenticationController.php b/src/core/controllers/AuthenticationController.php
index d401f0b3a12..da14fb15bc0 100755
--- a/src/core/controllers/AuthenticationController.php
+++ b/src/core/controllers/AuthenticationController.php
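Review bot: The new renewal check sends `header('location: index.php?display=true&page=logout&logout=true')` but does not stop the request, so execution falls through the closing braces into the `//INSERT PART OF PAGE` section and the protected page is still rendered for any client that simply ignores the Location header; the expiry rule is advisory rather than enforced, which matters for a change whose purpose is to close a bypass. Changing the line to `header('location: index.php?display=true&page=logout&logout=true'); exit;` (unless something after the hunk already terminates the request) makes the redirect binding. The pre-existing `else` branch just above has the same shape, so that may be the file's convention, but it is worth fixing at least for the new branch. A second gap: if `getByLogin` returns no row or `password_modification_date` is null, `new \DateTime($user['password_modification_date'])` is built from null, which PHP 7 treats as "now", so such an account never expires — guard with `if (empty($user['password_modification_date']))` and decide explicitly what a missing date means. Minor style: `in_array($loggingMethod['id'], [...], true)` and `new \DateInterval(...)` would match the strict comparison and the leading-backslash `\DateTime` used on the neighbouring lines.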
@@ -65,7 +65,7 @@ class AuthenticationController
 ValidatorModel::stringType($aArgs, ['login', 'currentRoute']);
 if ($aArgs['currentRoute'] != '/initialize') {
- $user = UserModel::getByLogin(['select' => ['status'], 'login' => $aArgs['login']]);
+ $user = UserModel::getByLogin(['select' => ['status', 'password_modification_date'], 'login' => $aArgs['login']]);
 if ($user['status'] == 'ABS' && !in_array($aArgs['currentRoute'], ['/users/{id}/status', '/currentUser/profile', '/header', '/passwordRules', '/users/{id}/password'])) {
 return ['isRouteAvailable' => false, 'errors' => 'User is ABS and must be activated'];
-- 
GitLab
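Review bot: `password_modification_date` is added to the select on the changed line but nothing in the hunk reads it; the enclosing method continues past the hunk, so the consumer is presumably further down, and a one-line comment such as `// password_modification_date feeds the password-renewal check below` at the changed line would tell the next reader why the extra column is fetched. If that check exempts the same external authentication methods as the index.php hunk in this commit (sso, cas, ldap, keycloak, shibboleth), consider sourcing the list from one shared place so the two enforcement points cannot drift apart.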