function services_security_form_decision in Services 7.3
2 string references to 'services_security_form_decision'
- services_security_admin_form in ./services.admin.inc
- services_security_form_confirm_submit in ./services.admin.inc
File
- ./services.admin.inc, line 20
Code
function services_security_form_decision($form, &$form_state) {
$values = '';
if (!empty($form_state['storage'])) {
$values = $form_state['storage'];
}
$notice = '<div style="color:red;"><strong>A Services security update mitigation step has already been run on this site.</strong></div>';
$services_security_update = variable_get('services_security_update_1', FALSE);
if (!$services_security_update) {
$notice = '';
}
$form['markup'] = array(
'#markup' => $notice . 'Due to a bug in services, user accounts registered through services\' user_resource have been created with the password "1" since August 2013.
<p>Services provides the following options to mitigate this vulnerability on your site:
<ol>
<li>Invalidate the password of all user accounts that have been registered after this bug was introduced. This will force all users who registered after August 30th, 2013 to reset their password, regardless of how those accounts were created. <strong>This is the safest option</strong>.</li>
<li>Invalidate the password of all user accounts which currently have their password set to "1". This will require users who attempted to register to reset their password.
This option will take a long time to run especially if you have a lot of users on your site.
<strong style="color:red;">This option may not be effective from a security perspective because an attacker may have already changed passwords to something other than "1".</strong></li>
<li>Do nothing.</li>
</ol>
</p>
<p>There are many reasons why the third option (do nothing) would be suitable to you:
<ol>
<li>Services User Resource was never enabled</li>
<li>Anonymous users did not have permission to register</li>
<li>A custom/contrib resource was enabled that users used in order to register</li>
<li>You have an SSO provider and users do not register through Services</li>
<li>Users were never registered through Services because the API was not public</li>
<li>You were using a version of Services older than 7.x-3.6 and never used Services 7.x-3.6 on your site.</li>
</ol>
</p>
<p><strong>Things you should do as general best practices:</strong>
<ol>
<li>Check all accounts that have administrator access and verify they are accounts you know. If not, its recommended to disable those accounts</li>
<li>If you choose option 1 or 2 you should let your users know that they will need to request a password reset via the regular form at user/password.</li>
</ol></p>',
);
$form['fieldset'] = array(
'#type' => 'fieldset',
'#title' => t('I understand. Let\'s do something about it!'),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['fieldset']['security_options'] = array(
'#type' => 'radios',
'#title' => t('Please select from the following options'),
'#options' => array(
t('Invalidate password of all user accounts created after August 30th, 2013 (safest)'),
t('Invalidate password of all user accounts with a password of "1".'),
t('Do nothing'),
),
'#default_value' => isset($values['security_options']) ? $values['security_options'] : 2,
'#required' => TRUE,
);
$form['fieldset']['submit'] = array(
'#type' => 'submit',
'#value' => t('Submit'),
);
if (isset($form_state['decided_security_option'])) {
unset($form['fieldset']);
}
return $form;
}
