add check on server to prevent password updating for users who log in through oauth

author: JoramWilander <jwawilander@gmail.com> 2015-07-22 15:36:58 -0400
committer: JoramWilander <jwawilander@gmail.com> 2015-07-22 15:36:58 -0400
commit: dd970604d1790aa8b35a42862bace300c601f325 (patch)
tree: b9f8fef0f27e24e7eb47b45529426b702750f22c /api/user.go
parent: 56a0a7d1e1fbd9405559a9c6e32962155d9cc562 (diff)
download: chat-dd970604d1790aa8b35a42862bace300c601f325.tar.gz
chat-dd970604d1790aa8b35a42862bace300c601f325.tar.bz2
chat-dd970604d1790aa8b35a42862bace300c601f325.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/api/user.go b/api/user.go
index 7a688f28b..03f8b9e3e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -821,6 +821,13 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	tchan := Srv.Store.Team().Get(user.TeamId)
 
+	if user.AuthData != "" {
+		c.LogAudit("failed - tried to update user password who was logged in through oauth")
+		c.Err = model.NewAppError("updatePassword", "Update password failed because the user is logged in through an OAuth service", "auth_service="+user.AuthService)
+		c.Err.StatusCode = http.StatusForbidden
+		return
+	}
+
 	if !model.ComparePassword(user.Password, currentPassword) {
 		c.Err = model.NewAppError("updatePassword", "Update password failed because of invalid password", "")
 		c.Err.StatusCode = http.StatusForbidden
author	JoramWilander <jwawilander@gmail.com>	2015-07-22 15:36:58 -0400
committer	JoramWilander <jwawilander@gmail.com>	2015-07-22 15:36:58 -0400
commit	dd970604d1790aa8b35a42862bace300c601f325 (patch)
tree	b9f8fef0f27e24e7eb47b45529426b702750f22c /api/user.go
parent	56a0a7d1e1fbd9405559a9c6e32962155d9cc562 (diff)
download	chat-dd970604d1790aa8b35a42862bace300c601f325.tar.gz chat-dd970604d1790aa8b35a42862bace300c601f325.tar.bz2 chat-dd970604d1790aa8b35a42862bace300c601f325.zip