Added warnings/messaging to security install process.

module/VuFind/config/module.config.php

@@ -576,7 +576,8 @@ $staticRoutes = array(
     'Cover/Show', 'Cover/Unavailable', 'Error/Unavailable', 'Help/Home',
     'Install/Done', 'Install/FixBasicConfig', 'Install/FixCache',
     'Install/FixDatabase', 'Install/FixDependencies', 'Install/FixILS',
-    'Install/FixSolr', 'Install/Home', 'Install/ShowSQL', 'Install/FixSecurity',
+    'Install/FixSecurity', 'Install/FixSolr', 'Install/Home',
+    'Install/PerformSecurityFix', 'Install/ShowSQL',
     'MyResearch/Account', 'MyResearch/CheckedOut', 'MyResearch/Delete',
     'MyResearch/DeleteList', 'MyResearch/Edit', 'MyResearch/Email',
     'MyResearch/Export', 'MyResearch/Favorites', 'MyResearch/Fines',

module/VuFind/src/VuFind/Controller/InstallController.php

@@ -636,6 +636,33 @@ class InstallController extends AbstractBase
      * @return mixed
      */
     public function fixsecurityAction()
+    {
+        // If the user doesn't want to proceed, abort now:
+        $userConfirmation = $this->params()->fromPost('fix-user-table', 'Unset');
+        if ($userConfirmation == 'No') {
+            $msg = 'Security upgrade aborted.';
+            $this->flashMessenger()->setNamespace('error')->addMessage($msg);
+            return $this->redirect()->toRoute('install-home');
+        }
+
+        // If we don't need to prompt the user, or if they confirmed, do the fix:
+        $rows = $this->getTable('user')->getInsecureRows();
+        if (count($rows) == 0 || $userConfirmation == 'Yes') {
+            return $this->forwardTo('Install', 'performsecurityfix');
+        }
+
+        // If we got this far, we need to ask permission to proceed:
+        $view = $this->createViewModel();
+        $view->confirmUserFix = true;
+        return $view;
+    }
+
+    /**
+     * Perform fix for Security problems.
+     *
+     * @return mixed
+     */
+    public function performsecurityfixAction()
     {
         // First, set encryption/hashing to true, and set the key
         $config = ConfigReader::getConfig();
@@ -648,13 +675,15 @@ class InstallController extends AbstractBase
             }
 
             // Success? Redirect to this action in order to reload the configuration:
-            return $this->redirect()->toRoute('install-fixsecurity');
+            return $this->redirect()->toRoute('install-performsecurityfix');
         }
 
         // Now we want to loop through the database and update passwords (if
         // necessary).
         $rows = $this->getTable('user')->getInsecureRows();
         if (count($rows) > 0) {
+            // If we got this far, the user POSTed their confirmation -- go ahead
+            // with the fix:
             $bcrypt = new Bcrypt();
             foreach ($rows as $row) {
                 if ($row->password != '') {
@@ -667,6 +696,8 @@ class InstallController extends AbstractBase
                     $row->save();
                 }
             }
+            $msg = count($rows) . ' user row(s) encrypted.';
+            $this->flashMessenger()->setNamespace('info')->addMessage($msg);
         }
         return $this->redirect()->toRoute('install-home');
     }

themes/blueprint/templates/install/fixsecurity.phtml

+<?
+    // Set page title.
+    $this->headTitle($this->translate('auto_configure_title'));
+
+    // Set up breadcrumbs:
+    $this->layout()->breadcrumbs = '<a href="' . $this->url('install-home') .'">' . $this->transEsc('auto_configure_title') . '</a>';
+?>
+<h1><?=$this->transEsc('auto_configure_title')?></h1>
+
+<?=$this->flashmessages()?>
+
+<? if (isset($this->confirmUserFix) && $this->confirmUserFix): ?>
+  <p>You have existing user data in your database containing non-encrypted passwords.</p>
+  <p>If you continue with enabling security, all of your passwords will be hashed and/or encrypted.</p>
+  <p><b>Please make a database backup before proceeding.</b></p>
+  <p>You should <b>NOT</b> turn on encryption if you still wish for your database to be compatible with VuFind 1.x.  If you want
+     to keep the option of being able to roll back to the earlier version, or if you plan on temporarily running 1.x and 2.x in
+     parallel, you should not enable encryption now.
+  </p>
+  <p><i>Do you still wish to proceed with enabling enhanced security in the database?</i></p>
+  <form method="post" action="<?=$this->url('install-fixsecurity')?>">
+    <input type="submit" name="fix-user-table" value="Yes" />
+    <input type="submit" name="fix-user-table" value="No" />
+  </form>
+<? else: ?>
+  <p>No security problems found.</p>
+<? endif; ?>

themes/blueprint/templates/install/home.phtml

@@ -6,6 +6,7 @@
     $this->layout()->breadcrumbs = '<em>' . $this->transEsc('auto_configure_title') . '</em>';
 ?>
 <h1><?=$this->transEsc('auto_configure_title')?></h1>
+<?=$this->flashmessages()?>
 <ul>
   <? $errors = 0; foreach ($this->checks as $check): ?>
     <? if (!$check['status']) $errors++; ?>