From 474197269ebd2a1637e3661199877772cae1379d Mon Sep 17 00:00:00 2001
From: SilverFire - Dmitry Naumenko
Date: Thu, 29 Nov 2018 14:34:11 +0200
Subject: [PATCH] Prevent password reset when login form is disabled or either LDAP or Auth Proxy is enabled
---
 pkg/api/password.go | 8 ++++++++
 public/app/partials/reset_password.html | 9 ++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/pkg/api/password.go b/pkg/api/password.go
index 7dd901c898e..4776c6a3064 100644
--- a/pkg/api/password.go
+++ b/pkg/api/password.go
@@ -4,10 +4,18 @@ import (
 "github.com/grafana/grafana/pkg/api/dtos"
 "github.com/grafana/grafana/pkg/bus"
 m "github.com/grafana/grafana/pkg/models"
+ "github.com/grafana/grafana/pkg/setting"
 "github.com/grafana/grafana/pkg/util"
 )
 func SendResetPasswordEmail(c *m.ReqContext, form dtos.SendResetPasswordEmailForm) Response {
+ if setting.LdapEnabled || setting.AuthProxyEnabled {
+ return Error(401, "Not allowed to reset password when LDAP or Auth Proxy is enabled", nil)
+ }
+ if setting.DisableLoginForm {
+ return Error(401, "Not allowed to reset password when login form is disabled", nil)
+ }
+
 userQuery := m.GetUserByLoginQuery{LoginOrEmail: form.UserOrEmail}
 if err := bus.Dispatch(&userQuery); err != nil {
diff --git a/public/app/partials/reset_password.html b/public/app/partials/reset_password.html
index 138aa1b7c62..bba38af0235 100644
--- a/public/app/partials/reset_password.html
+++ b/public/app/partials/reset_password.html
@@ -3,7 +3,14 @@
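Review bot: In pkg/api/password.go the new guard sits only at the top of SendResetPasswordEmail, so it stops a reset e-mail from being issued but, as far as this hunk shows, not the handler that later accepts a reset code and sets the new password; that handler is outside the hunk, and if it lacks the same check, a code issued before LDAP, Auth Proxy or DisableLoginForm was switched on could still set a local password. Consider moving the condition into one helper, for example `func passwordResetDisabled() bool { return setting.LdapEnabled || setting.AuthProxyEnabled || setting.DisableLoginForm }`, and calling it first in both handlers. The refusal is a configuration decision rather than a missing credential, so `Error(403, ...)` would describe it more accurately than 401. The body of SendResetPasswordEmail continues past the end of the hunk, and the diffstat lists no test file, so a test asserting the rejection under each of the three settings would be worth adding.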