UserSpice Forum Archive
This forum is archived. Posts are preserved for historical reference. For current help, join us on Discord.

Confirm Admin Password

In Modifications and Hackery · Started by Brandin on 2017-01-15 9:18 pm · 134918 views · 57 replies

Posted 2017-01-15 9:18 pm
Hey!

Do you know how we can implement a "confirm your password" when access admin pages? e.g. admin_users.php admin_pages.php

I often leave my work computer unlocked which is where I access my stuff, and I don't have an audit setup on settings yet so if something happened in the settings I would never know.

Thank you!
Posted 2017-01-15 9:19 pm
Also, I would like this to be session related, so that you don't have to do it every time you visit the admin pages, but like every, idk, hour or so the session for admin times out, but doesn't log you out of the rest of the system.
Posted 2017-01-15 9:40 pm
Below is some very rough guidance but it is a point in the right direction.

I think the simplest way to do this would be to add a column to the users table called last_confirm or something like that and set it as timestamp.

Then on the pages you want to affirm password do something along the lines of wrapping the entire page in an if statement checking for the timestamp being within the limit)

You'll have to double check online how to subtract one timestamp from another

But from there you do 
$current=date("Y-m-d h:i:s");
if ($user->data()->last_confirm - $current > 30//whatever the logic){

//make a form with a password input

//on subimit check 
$password=Input::get('password');
if (password_verify($password,$this->data()->password)) {
$fields = (
'last_confirm' => $current,
);
$db->update('users',$users->data()->id,$fields);
} else {
die('Incorrect password!');
}
Posted 2017-01-15 10:50 pm
What do you think about having a file called, idk, verify.php and wrapping the pages with IF, and IF whatever value is true it pulls all the other stuff (form and submit) from the verify.php page, then I wouldn't have to spend a LOT of time editing all of the pages.
Posted 2017-01-16 1:20 pm
Brandin,

Could you not define this check in a function so you just need to add 2 lines to the top of each page and save wrapping every page in an if:

//include location to file with function defined
if(!verfifyadmin(){
//example function name
Redirect::to('usersc/adminconfirm.php);
}

Twist on a previous suggestion from Mudmin on another post. Hope this helps.
Posted 2017-01-16 1:32 pm
Hmmmm....that seems like it would work. Mudmin, do you think this would work well? What would I call in the function, what you put up above? Could I call this from custom functions??

Thanks.
Posted 2017-01-16 2:07 pm
I believe you would need to swap the operator around so would be some like:

//in custom functions
public static function verifyadmin() {
$current=date("Y-m-d h:i:s");
if ($user->data()->last_confirm - $current < 30//whatever the logic){
return true;
} else {
return false;
}
}

Then you would have the password form and submit check on the page you have been redirected to.
I think this is all correct but will wait for Mudmin's input.
Posted 2017-01-16 2:08 pm
Thanks for this Sabr! I'm about to be off for two days so I will give it a shot! :)
Posted 2017-01-16 2:49 pm
Yep. Sorry about that. I usually try to post full solutions but I was in the middle of something on that one, so you got the quick and dirty version. Nice job.
Posted 2017-01-16 2:51 pm
No problem haha! I will try to slap it in later!
Posted 2017-01-19 1:55 am
Hey, right now I'm working on the verification page only, just to make sure it works, but it's pushing a fatal error:
Fatal error: Using $this when not in object context in /home/aircentralized/public_html/boss/usersc/adminverify.php on line 37

https://hastebin.com/wulusunona.xml
Posted 2017-01-19 2:34 am
While I was waiting for an answer I decided to work with the function part of it...I got the function in custom functions, however it produces an error in any of these circumstances:

Line 1 is:
-public static function - produces unexpected public
-static function - produces unexpected verifyadmin
-function - produces undefined constant of verifyadmin (from the PHP file - not from customfunctions)

Thoughts?

Another thing I need to verify is how to obtain the referring URL to redirect BACK to that page if verification succeeds.

Thanks guys!
Posted 2017-01-19 12:20 pm
a rough guess would be to change 
if (password_verify($password,$this->data()->password)) {
to 
if (password_verify($password,$user->data()->password)) {

Can you paste your function code please.

as for url redirect I would reuse some of the code in login.php to handle a redirect if admin was accessing an admin page.
I believe this would be included in your function.
Posted 2017-01-19 3:30 pm
We're getting somewhere. Works for bad passwords. But for good passwords it produces:
Notice: Undefined variable: users in /home/aircentralized/public_html/boss/usersc/adminverify.php on line 41
Fatal error: Call to a member function data() on null in /home/aircentralized/public_html/boss/usersc/adminverify.php on line 41

function:
https://hastebin.com/alayofutax.php

I'm also struggling to get the timestamps to subtract. I did almost an hours worth of research last night and no luck. I'm wondering if maybe an easier method would be to run a cron every half hour that clears the value in last_verified = 1, it redirects you? I think the timestamp is my best option but I really can't figure it out gah!

Thanks for your help guys, I'm excited for this!
Posted 2017-01-19 3:44 pm
I think I noticed in one of your hastebins that you had $users->data() instead of $user->data somewhere. You might want to do a search for that.
Posted 2017-01-19 3:45 pm
Seems like the $users variable is not being passed through the chain. There is some US functions/methods which can be used. Will need to look into it though.

Quickly I can see the is an error in the time format when defining $current, I believe it is an error anyway, should it not be 
h:i:s
instead of 
hi:i:s
? typo :) ?
I had a look at timestamp stuff last night and remember seeing what you are looking for. I will send you something this evening for the timestamp check, you cannot treat it like a standard equation.

Posted 2017-01-19 5:31 pm
I did notice the typo before and corrected that, sorry about that. Correcting 
users
to 
user
fixed the issue of updating the DB. My only concern now is getting the function to work, and do the math correctly. This is the function I have:

https://hastebin.com/anifukalaw.php

I've been playing around with the query just in a regular page and echoing the results so I can see if they work, and I have had no success.

Thanks for your guys' help!
Posted 2017-01-20 9:06 am
Quick update, I spent a few hours last night looking at this and got very frustrated but I seem to be getting towards a solution. I hope to do some more investigation and testing before I can confidently send you something to use.
Posted 2017-01-20 2:02 pm
I hear ya on that! I spent like 5 hours trying to test it out and I just can't get it! I'm stumped! It shouldn't be this hard!
Posted 2017-01-20 3:27 pm
Where are you guys at with this? What's stumping you?
123Next ›