diff options
| author | JoramWilander <jwawilander@gmail.com> | 2015-10-22 10:53:39 -0400 |
|---|---|---|
| committer | JoramWilander <jwawilander@gmail.com> | 2015-10-22 10:53:39 -0400 |
| commit | 4734912c521be4367b1d8ca255cc76c0095839b4 (patch) | |
| tree | 641c4fe0667ddad97cd7ec0a09b4ba3b6441200e | |
| parent | 2d922fde7e33125b55fd70f713c867db89ebfcf5 (diff) | |
| download | chat-4734912c521be4367b1d8ca255cc76c0095839b4.tar.gz chat-4734912c521be4367b1d8ca255cc76c0095839b4.tar.bz2 chat-4734912c521be4367b1d8ca255cc76c0095839b4.zip | |
Prevent users from resetting their password when the user is using SSO
| -rw-r--r-- | api/user.go | 10 | ||||
| -rw-r--r-- | api/user_test.go | 24 | ||||
| -rw-r--r-- | store/sql_user_store.go | 3 |
3 files changed, 36 insertions, 1 deletions
diff --git a/api/user.go b/api/user.go index 0c7278711..5e5ff79f1 100644 --- a/api/user.go +++ b/api/user.go @@ -1241,6 +1241,11 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) { user = result.Data.(*model.User) } + if len(user.AuthData) != 0 { + c.Err = model.NewAppError("sendPasswordReset", "Cannot reset password for SSO accounts", "userId="+user.Id+", teamId="+team.Id) + return + } + newProps := make(map[string]string) newProps["user_id"] = user.Id newProps["time"] = fmt.Sprintf("%v", model.GetMillis()) @@ -1325,6 +1330,11 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { user = result.Data.(*model.User) } + if len(user.AuthData) != 0 { + c.Err = model.NewAppError("resetPassword", "Cannot reset password for SSO accounts", "userId="+user.Id+", teamId="+team.Id) + return + } + if user.TeamId != team.Id { c.Err = model.NewAppError("resetPassword", "Trying to reset password for user on wrong team.", "userId="+user.Id+", teamId="+team.Id) c.Err.StatusCode = http.StatusForbidden diff --git a/api/user_test.go b/api/user_test.go index 77309e5b2..b54e030c5 100644 --- a/api/user_test.go +++ b/api/user_test.go @@ -817,6 +817,16 @@ func TestSendPasswordReset(t *testing.T) { if _, err := Client.SendPasswordReset(data); err == nil { t.Fatal("Should have errored - bad name") } + + user2 := &model.User{TeamId: team.Id, Email: strings.ToLower(model.NewId()) + "corey@test.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"} + user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User) + store.Must(Srv.Store.User().VerifyEmail(user2.Id)) + + data["email"] = user2.Email + data["name"] = team.Name + if _, err := Client.SendPasswordReset(data); err == nil { + t.Fatal("should have errored - SSO user can't send reset password link") + } } func TestResetPassword(t *testing.T) { @@ -901,6 +911,20 @@ func TestResetPassword(t *testing.T) { if _, err := Client.ResetPassword(data); err == nil { t.Fatal("Should have errored - domain team doesn't match user team") } + + user2 := &model.User{TeamId: team.Id, Email: strings.ToLower(model.NewId()) + "corey@test.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"} + user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User) + store.Must(Srv.Store.User().VerifyEmail(user2.Id)) + + data["new_password"] = "newpwd" + props["user_id"] = user2.Id + props["time"] = fmt.Sprintf("%v", model.GetMillis()) + data["data"] = model.MapToJson(props) + data["hash"] = model.HashPassword(fmt.Sprintf("%v:%v", data["data"], utils.Cfg.EmailSettings.PasswordResetSalt)) + data["name"] = team.Name + if _, err := Client.ResetPassword(data); err == nil { + t.Fatal("should have errored - SSO user can't reset password") + } } func TestUserUpdateNotify(t *testing.T) { diff --git a/store/sql_user_store.go b/store/sql_user_store.go index a2b317afa..5fab38ace 100644 --- a/store/sql_user_store.go +++ b/store/sql_user_store.go @@ -125,6 +125,7 @@ func (us SqlUserStore) Update(user *model.User, allowActiveUpdate bool) StoreCha oldUser := oldUserResult.(*model.User) user.CreateAt = oldUser.CreateAt user.AuthData = oldUser.AuthData + user.AuthService = oldUser.AuthService user.Password = oldUser.Password user.LastPasswordUpdate = oldUser.LastPasswordUpdate user.LastPictureUpdate = oldUser.LastPictureUpdate @@ -265,7 +266,7 @@ func (us SqlUserStore) UpdatePassword(userId, hashedPassword string) StoreChanne updateAt := model.GetMillis() - if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, FailedAttempts = 0 WHERE Id = :UserId", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil { + if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, FailedAttempts = 0 WHERE Id = :UserId AND AuthData = ''", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil { result.Err = model.NewAppError("SqlUserStore.UpdatePassword", "We couldn't update the user password", "id="+userId+", "+err.Error()) } else { result.Data = userId |