fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth proxy is enabled, fixes #2495, do not allow user to change email or username depending on what property auth proxy is using, fixes #6903

2025-02-25 18:55:37 -06:00 · 2016-12-14 22:19:25 +01:00 · 2016-12-14 22:19:25 +01:00 · 8fc6e4cfb0
commit 8fc6e4cfb0
parent df562e23cf
4 changed files with 24 additions and 2 deletions
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@ -139,6 +139,7 @@ func getFrontendSettingsMap(c *middleware.Context) (map[string]interface{}, erro
 		"appSubUrl":         setting.AppSubUrl,
 		"allowOrgCreate":    (setting.AllowUserOrgCreate && c.IsSignedIn) || c.IsGrafanaAdmin,
 		"authProxyEnabled":  setting.AuthProxyEnabled,
+		"ldapEnabled":       setting.LdapEnabled,
 		"buildInfo": map[string]interface{}{
 			"version":       setting.BuildVersion,
 			"commit":        setting.BuildCommit,
--- a/pkg/api/user.go
+++ b/pkg/api/user.go
@ -30,6 +30,14 @@ func getUserUserProfile(userId int64) Response {

 // POST /api/user
 func UpdateSignedInUser(c *middleware.Context, cmd m.UpdateUserCommand) Response {
+	if setting.AuthProxyEnabled {
+		if setting.AuthProxyHeaderProperty == "email" && cmd.Email != c.Email {
+			return ApiError(400, "Not allowed to change email when auth proxy is using email property", nil)
+		}
+		if setting.AuthProxyHeaderProperty == "username" && cmd.Login != c.Login {
+			return ApiError(400, "Not allowed to change username when auth proxy is using username property", nil)
+		}
+	}
 	cmd.UserId = c.UserId
 	return handleUpdateUser(cmd)
 }
@ -146,6 +154,10 @@ func ChangeActiveOrgAndRedirectToHome(c *middleware.Context) {
 }

 func ChangeUserPassword(c *middleware.Context, cmd m.ChangeUserPasswordCommand) Response {
+	if setting.LdapEnabled || setting.AuthProxyEnabled {
+		return ApiError(400, "Not allowed to change password when LDAP or Auth Proxy is enabled", nil)
+	}
+
 	userQuery := m.GetUserByIdQuery{Id: c.UserId}

 	if err := bus.Dispatch(&userQuery); err != nil {
--- a/public/app/features/org/change_password_ctrl.js
+++ b/public/app/features/org/change_password_ctrl.js
@ -2,7 +2,7 @@ define([
  'angular',
  'app/core/config',
 ],
-function (angular) {
+function (angular, config) {
  'use strict';

  var module = angular.module('grafana.controllers');
@ -10,6 +10,8 @@ function (angular) {
  module.controller('ChangePasswordCtrl', function($scope, backendSrv, $location) {

    $scope.command = {};
+    $scope.authProxyEnabled = config.authProxyEnabled;
+    $scope.ldapEnabled = config.ldapEnabled;

    $scope.changePassword = function() {
      if (!$scope.userForm.$valid) { return; }
--- a/public/app/features/org/partials/change_password.html
+++ b/public/app/features/org/partials/change_password.html
@ -6,7 +6,14 @@
 		<h1>Change password</h1>
 	</div>

-	<form name="userForm" class="gf-form-group">
+	<div ng-if="ldapEnabled || authProxyEnabled">
+		You cannot change password when ldap or auth proxy authentication is enabled.
+		<br>
+		<br>
+		<a class="btn-text" href="profile">Back to profile</a>
+	</div>
+
+	<form name="userForm" class="gf-form-group" ng-hide="ldapEnabled || authProxyEnabled">
 		<div class="gf-form">
 			<span class="gf-form-label width-10">Old Password</span>
 			<input class="gf-form-input max-width-21" type="password" required ng-model="command.oldPassword">