Make using HIBP configurable (enabled by default)

diff --git a/Classes/class-paneluser.php b/Classes/class-paneluser.php
index 1757e30bdb81b3ec626833ed8a22916c2a87f4c1..7c4390ed200ce86558aacdf3bebc248cbddc6a26 100644 (file)
--- a/Classes/class-paneluser.php
+++ b/Classes/class-paneluser.php
@@ -201,6 +201,8 @@ class PanelUser
         */
        function HIBP($password_hash)
        {
+               if (get_config("hibp") == false)
+                       return;
                $url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5);
                $end = substr($password_hash,5);
                $ch = curl_init($url);

diff --git a/settings/general.php b/settings/general.php
index 125dcf37a8f86ff184f378197b197ad8dd16c21f..f035ba69133fa5bca6f5b720411be91ec4234501 100644 (file)
--- a/settings/general.php
+++ b/settings/general.php
@@ -8,12 +8,18 @@ function _ce($can){
 }
 if (isset($_POST['submit']) && $canEdit)
 {
+    $hibp = (!isset($config['hibp']) || $config['hibp']) ? true : false;
+    $config['hibp'] = isset($_POST['hibp']) ? true : false;
+    if ($config['hibp'] != $hibp) // we just toggled
+        Message::Info("Checking passwords against data breaches is now is now ".(($config['hibp']) ? "enabled" : "disabled"));
+
     $dbug = (isset($config['debug']) && $config['debug']) ? true : false;
-    $config['debug'] = (isset($_POST['debug_mode'])) ? true : false;
+    $config['debug'] = isset($_POST['debug_mode']) ? true : false;
     if ($config['debug'] != $dbug) // we just toggled
         Message::Info("Debug Mode is now ".(($config['debug']) ? "enabled" : "disabled"));
+
     write_config();
-    unset($_POST['debug'], $_POST['submit']);
+    unset($_POST['debug'], $_POST['submit'], $_POST['hibp']);
     Hook::run(HOOKTYPE_GENERAL_SETTINGS_POST, $_POST);
 }
 
@@ -22,7 +28,15 @@ do_log("\$_POST", $_POST);
 <h4>General Settings</h4>
 <br>
 <form method="post">
-<div class="card" style="padding-left:20px;padding-right:20px;padding-top:5px;padding-bottom:10px;max-width:fit-content">
+<div class="card m-1" style="padding-left:20px;padding-right:20px;padding-top:5px;padding-bottom:10px;max-width:fit-content">
+    <h6>Password Data Leak Checks</h6>
+    <div class="custom-control custom-switch">
+        <input name="hibp" type="checkbox" class="custom-control-input" id="hibp" <?php _ce($canEdit); echo (!isset($config['hibp']) || $config['hibp'] == true) ? " checked" : ""; ?>>
+        <label class="custom-control-label" for="hibp">Checks a users password on login against known data leaks (<a href="https://haveibeenpwned.com">Have I Been Pwned</a>)</label>
+    </div>
+    <i>This check is made everytime someone successfully logs into the webpanel or when they update their password.</i>
+</div>
+<div class="card m-1" style="padding-left:20px;padding-right:20px;padding-top:5px;padding-bottom:10px;max-width:fit-content">
     <h6>Debug Mode</h6>
     <div class="custom-control custom-switch">
         <input name="debug_mode" type="checkbox" class="custom-control-input" id="debug_mode" <?php _ce($canEdit); echo ($config['debug'] == true) ? " checked" : ""; ?>>

diff --git a/settings/install.php b/settings/install.php
index c114b5f87433b39a45d2a4fc870d895c18ad7a77..ec05d094a4f1ad5e375378f65112a4444af3ba31 100644 (file)
--- a/settings/install.php
+++ b/settings/install.php
@@ -162,6 +162,9 @@ $writable = (is_writable("../config/")) ? true: false;
                }
                $lkup->add_meta('role', 'Super-Admin');
 
+               /* Enable lookups on HIBP by default */
+               $config['hibp'] = true;
+
                /* Now, write all the config (config.php + settings in DB) */
                write_config();
                ?>