
function password_policy_ajax_check in Password Policy 7.2

AJAX callback to check password against applicable policies.

1 string reference to 'password_policy_ajax_check'
password_policy_menu in ./password_policy.module
Implements hook_menu().

File

./password_policy.module, line 27
Enforces password policies.

Code

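/**
 * AJAX callback to check a password against the applicable policies.
 *
 * Reads the candidate password from $_POST['password'] (the client-side
 * JavaScript applies encodeURIComponent() before sending it), trims it the way
 * Drupal does before saving, runs it through every policy matched for the
 * current user and answers with a JSON object holding:
 * - 'message': HTML listing the unmet requirements, or '' when all are met;
 * - 'strength': a number from 0 to 100 (share of satisfied constraints);
 * - 'indicatorText': a "<satisfied> of <total>" caption.
 *
 * The password itself is never written to the response. Nothing is emitted
 * when the request carries no 'password' field or when no matched policy
 * contributes any constraint, so the client must tolerate an empty reply.
 *
 * @see password_policy_menu()
 */
function password_policy_ajax_check() {
  if (!isset($_POST['password'])) {
    return;
  }

  // Decode password which javascript ran encodeURIComponent.
  // The password will not be displayed, so there is no need to filter it with
  // check_plain() or filter_xss() as suggested by Coder.
  // @ignore security_17
  $untrimmed_password = rawurldecode($_POST['password']);

  // Trim the password before checking against policies, since Drupal will
  // trim passwords before saving them.
  $password = trim($untrimmed_password);
  $is_trimmed = $password !== $untrimmed_password;

  // An empty string after trimming means the input was nothing but spaces.
  if ($is_trimmed && $password === '') {
    drupal_json_output(array(
      'message' => t('Password is all spaces and will not be saved.'),
      'strength' => 0,
      'indicatorText' => '',
    ));
    return;
  }

  // Do not process overlong passwords to avoid potential DoS.
  // Drupal core does not allow passwords over a certain number of bytes, so
  // impose the same limitation.
  if (_password_policy_is_password_too_long($password)) {
    drupal_json_output(array(
      'message' => t('Password exceeds maximum length. Please choose a shorter password.'),
      'strength' => 0,
      'indicatorText' => '',
    ));
    return;
  }

  // Using this user is not always going to work.
  global $user;
  $account = $user;
  password_policy_user_load(array($account->uid => $account));
  $policies = PasswordPolicy::matchedPolicies($account);

  // Exit prematurely if no policies are usable.
  if (count($policies) === 0) {
    return;
  }

  $total = 0;
  $errors = array();
  foreach ($policies as $policy) {
    $total += count($policy->messages());
    $errors = array_merge($errors, $policy->check($password, $account));
  }

  // A matched policy may carry no constraint at all; then there is nothing to
  // score against, so treat it like having no policy instead of dividing by
  // zero below.
  if ($total === 0) {
    return;
  }

  $sus_count = $total - count($errors);
  $score = $sus_count / $total * 100;

  $msg = '';
  if (!empty($errors)) {
    $msg .= t('Password does not meet the following requirements:');
    // NOTE(review): item_list renders these strings as markup; they are the
    // policies' own constraint messages and must not embed the raw password.
    $msg .= theme('item_list', array('items' => $errors));
    if ($is_trimmed) {
      $msg .= t('Password has spaces at the beginning or end which are ignored.');
    }
  }

  drupal_json_output(array(
    'message' => $msg,
    'strength' => $score,
    'indicatorText' => t('@sus_count of @total', array(
      '@sus_count' => $sus_count,
      '@total' => $total,
    )),
  ));
}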