mirror of
https://github.com/mattermost/mattermost.git
synced 2025-02-25 18:55:24 -06:00
Prevent users from resetting their password when the user is using SSO
This commit is contained in:
JoramWilander
10
api/user.go
10
api/user.go
@@ -1241,6 +1241,11 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
user = result.Data.(*model.User)
|
||||
}
|
||||
|
||||
if len(user.AuthData) != 0 {
|
||||
c.Err = model.NewAppError("sendPasswordReset", "Cannot reset password for SSO accounts", "userId="+user.Id+", teamId="+team.Id)
|
||||
return
|
||||
}
|
||||
|
||||
newProps := make(map[string]string)
|
||||
newProps["user_id"] = user.Id
|
||||
newProps["time"] = fmt.Sprintf("%v", model.GetMillis())
|
||||
@@ -1325,6 +1330,11 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
|
||||
user = result.Data.(*model.User)
|
||||
}
|
||||
|
||||
if len(user.AuthData) != 0 {
|
||||
c.Err = model.NewAppError("resetPassword", "Cannot reset password for SSO accounts", "userId="+user.Id+", teamId="+team.Id)
|
||||
return
|
||||
}
|
||||
|
||||
if user.TeamId != team.Id {
|
||||
c.Err = model.NewAppError("resetPassword", "Trying to reset password for user on wrong team.", "userId="+user.Id+", teamId="+team.Id)
|
||||
c.Err.StatusCode = http.StatusForbidden
|
||||
|
||||
@@ -817,6 +817,16 @@ func TestSendPasswordReset(t *testing.T) {
|
||||
if _, err := Client.SendPasswordReset(data); err == nil {
|
||||
t.Fatal("Should have errored - bad name")
|
||||
}
|
||||
|
||||
user2 := &model.User{TeamId: team.Id, Email: strings.ToLower(model.NewId()) + "corey@test.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
|
||||
user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
|
||||
store.Must(Srv.Store.User().VerifyEmail(user2.Id))
|
||||
|
||||
data["email"] = user2.Email
|
||||
data["name"] = team.Name
|
||||
if _, err := Client.SendPasswordReset(data); err == nil {
|
||||
t.Fatal("should have errored - SSO user can't send reset password link")
|
||||
}
|
||||
}
|
||||
|
||||
func TestResetPassword(t *testing.T) {
|
||||
@@ -901,6 +911,20 @@ func TestResetPassword(t *testing.T) {
|
||||
if _, err := Client.ResetPassword(data); err == nil {
|
||||
t.Fatal("Should have errored - domain team doesn't match user team")
|
||||
}
|
||||
|
||||
user2 := &model.User{TeamId: team.Id, Email: strings.ToLower(model.NewId()) + "corey@test.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
|
||||
user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
|
||||
store.Must(Srv.Store.User().VerifyEmail(user2.Id))
|
||||
|
||||
data["new_password"] = "newpwd"
|
||||
props["user_id"] = user2.Id
|
||||
props["time"] = fmt.Sprintf("%v", model.GetMillis())
|
||||
data["data"] = model.MapToJson(props)
|
||||
data["hash"] = model.HashPassword(fmt.Sprintf("%v:%v", data["data"], utils.Cfg.EmailSettings.PasswordResetSalt))
|
||||
data["name"] = team.Name
|
||||
if _, err := Client.ResetPassword(data); err == nil {
|
||||
t.Fatal("should have errored - SSO user can't reset password")
|
||||
}
|
||||
}
|
||||
|
||||
func TestUserUpdateNotify(t *testing.T) {
|
||||
|
||||
@@ -125,6 +125,7 @@ func (us SqlUserStore) Update(user *model.User, allowActiveUpdate bool) StoreCha
|
||||
oldUser := oldUserResult.(*model.User)
|
||||
user.CreateAt = oldUser.CreateAt
|
||||
user.AuthData = oldUser.AuthData
|
||||
user.AuthService = oldUser.AuthService
|
||||
user.Password = oldUser.Password
|
||||
user.LastPasswordUpdate = oldUser.LastPasswordUpdate
|
||||
user.LastPictureUpdate = oldUser.LastPictureUpdate
|
||||
@@ -265,7 +266,7 @@ func (us SqlUserStore) UpdatePassword(userId, hashedPassword string) StoreChanne
|
||||
|
||||
updateAt := model.GetMillis()
|
||||
|
||||
if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, FailedAttempts = 0 WHERE Id = :UserId", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil {
|
||||
if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, FailedAttempts = 0 WHERE Id = :UserId AND AuthData = ''", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil {
|
||||
result.Err = model.NewAppError("SqlUserStore.UpdatePassword", "We couldn't update the user password", "id="+userId+", "+err.Error())
|
||||
} else {
|
||||
result.Data = userId
|
||||
|
||||
Reference in New Issue
Block a user