authorChristopher Speller <crspeller@gmail.com>2016-05-12 12:11:02 -0400
committerChristopher Speller <crspeller@gmail.com>2016-05-12 12:11:02 -0400
commitd1efb66ad7b017f0fbfe6f0c20843b30f396e504 (patch)
tree5b48a38382015de815b2d45d58836c5ca06b631c /api
parent3f0325fd223dcb3a6eec92f772df1e7541ab0b2b (diff)
parent9a701b7e5b31ca803a2d92f0b3b1d7cc68bf3c37 (diff)
downloadchat-d1efb66ad7b017f0fbfe6f0c20843b30f396e504.tar.gz
chat-d1efb66ad7b017f0fbfe6f0c20843b30f396e504.tar.bz2
chat-d1efb66ad7b017f0fbfe6f0c20843b30f396e504.zip
Merge branch 'release-3.0'
Diffstat (limited to 'api')
-rw-r--r--api/admin_test.go3
-rw-r--r--api/authentication.go6
-rw-r--r--api/oauth.go7
-rw-r--r--api/user.go22
-rw-r--r--api/user_test.go6
5 files changed, 27 insertions, 17 deletions
diff --git a/api/admin_test.go b/api/admin_test.go
index 933c3d59c..f3d3ec4ed 100644
--- a/api/admin_test.go
+++ b/api/admin_test.go
@@ -457,7 +457,8 @@ func TestAdminResetPassword(t *testing.T) {
t.Fatal("Should have errored - password too short")
}
- user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+ authData := model.NewId()
+ user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: &authData, AuthService: "random"}
user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
LinkUserToTeam(user2, team)
store.Must(Srv.Store.User().VerifyEmail(user2.Id))
diff --git a/api/authentication.go b/api/authentication.go
index 10ed578e1..9243947ad 100644
--- a/api/authentication.go
+++ b/api/authentication.go
@@ -39,17 +39,17 @@ func checkUserPassword(user *model.User, password string) *model.AppError {
}
}
-func checkLdapUserPasswordAndAllCriteria(ldapId, password, mfaToken string) (*model.User, *model.AppError) {
+func checkLdapUserPasswordAndAllCriteria(ldapId *string, password string, mfaToken string) (*model.User, *model.AppError) {
ldapInterface := einterfaces.GetLdapInterface()
- if ldapInterface == nil {
+ if ldapInterface == nil || ldapId == nil {
err := model.NewLocAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "")
err.StatusCode = http.StatusNotImplemented
return nil, err
}
var user *model.User
- if ldapUser, err := ldapInterface.DoLogin(ldapId, password); err != nil {
+ if ldapUser, err := ldapInterface.DoLogin(*ldapId, password); err != nil {
err.StatusCode = http.StatusUnauthorized
return nil, err
} else {
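Review bot: A nil `ldapId` is folded into the `ldapInterface == nil` branch, so an account with no LDAP identifier gets the "not_available" error and `http.StatusNotImplemented`, the same answer as a server with no LDAP support at all. That is a property of the account rather than of the deployment; rejecting it on its own branch with the `http.StatusUnauthorized` already used for a failed `DoLogin` would be clearer and would not give callers a distinct response for accounts that lack auth data. An empty `*ldapId` still reaches `DoLogin`, and whether that call rejects it is not visible here, so the guard could read `if ldapId == nil || *ldapId == "" {`. The same folding appears in the ldapToEmail hunk of api/user.go (`ldapInterface == nil || user.AuthData == nil`). The function body continues past the end of this hunk.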
diff --git a/api/oauth.go b/api/oauth.go
index 0375f4e6f..37ca5ce0a 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -600,8 +600,11 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request,
return
} else {
ssoUser := provider.GetUserFromJson(userData)
- authData = ssoUser.AuthData
ssoEmail = ssoUser.Email
+
+ if ssoUser.AuthData != nil {
+ authData = *ssoUser.AuthData
+ }
}
if len(authData) == 0 {
@@ -628,7 +631,7 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request,
return
}
- if result := <-Srv.Store.User().UpdateAuthData(user.Id, service, authData, ssoEmail); result.Err != nil {
+ if result := <-Srv.Store.User().UpdateAuthData(user.Id, service, &authData, ssoEmail); result.Err != nil {
c.Err = result.Err
return
}
diff --git a/api/user.go b/api/user.go
index c53a643c7..9e93ae779 100644
--- a/api/user.go
+++ b/api/user.go
@@ -494,8 +494,11 @@ func getUserForLogin(loginId string, onlyLdap bool) (*model.User, *model.AppErro
*utils.Cfg.EmailSettings.EnableSignInWithUsername && !onlyLdap,
*utils.Cfg.EmailSettings.EnableSignInWithEmail && !onlyLdap,
ldapAvailable,
- ); result.Err != nil {
-
+ ); result.Err != nil && result.Err.Id == "store.sql_user.get_for_login.multiple_users" {
+ // don't fall back to LDAP in this case since we already know there's an LDAP user, but that it shouldn't work
+ result.Err.StatusCode = http.StatusBadRequest
+ return nil, result.Err
+ } else if result.Err != nil {
if !ldapAvailable {
// failed to find user and no LDAP server to fall back on
result.Err.StatusCode = http.StatusBadRequest
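Review bot: The new branch recognises the error by the string literal `"store.sql_user.get_for_login.multiple_users"`, while LoginByOAuth in this same file compares against the constant `store.MISSING_AUTH_ACCOUNT_ERROR`. A typo or a later rename of the store's error id would quietly send this case back down the LDAP fallback path, which is what the added comment says must not happen, so a named constant declared next to the existing one in the store package would be safer. `result.Err != nil` is also tested twice; one `if result.Err != nil {` block with the id check nested inside reads more plainly. The rest of getUserForLogin lies outside this hunk.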
@@ -535,7 +538,7 @@ func LoginByOAuth(c *Context, w http.ResponseWriter, r *http.Request, service st
}
var user *model.User
- if result := <-Srv.Store.User().GetByAuth(authData, service); result.Err != nil {
+ if result := <-Srv.Store.User().GetByAuth(&authData, service); result.Err != nil {
if result.Err.Id == store.MISSING_AUTH_ACCOUNT_ERROR {
return CreateOAuthUser(c, w, r, service, bytes.NewReader(buf.Bytes()), "")
}
@@ -1289,7 +1292,8 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
}
rusers[0].Password = ""
- rusers[0].AuthData = ""
+ rusers[0].AuthData = new(string)
+ *rusers[0].AuthData = ""
w.Write([]byte(rusers[0].ToJson()))
}
}
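Review bot: The redaction before `ToJson()` now allocates a pointer to an empty string rather than assigning nil, and nothing on these two lines says why. If clients rely on an empty AuthData value being present in the response, a comment such as `// blank AuthData before serialising; the value must never be returned to the client` would record the intent; if they do not, `rusers[0].AuthData = nil` is the simpler form. Password and AuthData are both blanked inline in this handler, so it is worth confirming that every other handler that serialises a user does the same. The start of updateUser is outside this hunk.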
@@ -1337,7 +1341,7 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
user := result.Data.(*model.User)
- if user.AuthData != "" {
+ if user.AuthData != nil && *user.AuthData != "" {
c.LogAudit("failed - tried to update user password who was logged in through oauth")
c.Err = model.NewLocAppError("updatePassword", "api.user.update_password.oauth.app_error", nil, "auth_service="+user.AuthService)
c.Err.StatusCode = http.StatusBadRequest
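Review bot: The test for "this account authenticates through an external service" is now written out three times in two spellings: `user.AuthData != nil && *user.AuthData != ""` here, and `user.AuthData != nil && len(*user.AuthData) != 0` in the sendPasswordReset and ResetPassword hunks below. These checks decide whether a local password may be changed or reset, so they should not be able to drift apart. A single bool-returning method on `model.User` (name left to the maintainers) would keep the three call sites identical and put the nil handling in one place. Each of the three functions continues outside its hunk.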
@@ -1653,7 +1657,7 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
user = result.Data.(*model.User)
}
- if len(user.AuthData) != 0 {
+ if user.AuthData != nil && len(*user.AuthData) != 0 {
c.Err = model.NewLocAppError("sendPasswordReset", "api.user.send_password_reset.sso.app_error", nil, "userId="+user.Id)
return
}
@@ -1749,7 +1753,7 @@ func ResetPassword(c *Context, userId, newPassword string) *model.AppError {
user = result.Data.(*model.User)
}
- if len(user.AuthData) != 0 && !c.IsSystemAdmin() {
+ if user.AuthData != nil && len(*user.AuthData) != 0 && !c.IsSystemAdmin() {
return model.NewLocAppError("ResetPassword", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id)
}
@@ -2148,13 +2152,13 @@ func ldapToEmail(c *Context, w http.ResponseWriter, r *http.Request) {
}
ldapInterface := einterfaces.GetLdapInterface()
- if ldapInterface == nil {
+ if ldapInterface == nil || user.AuthData == nil {
c.Err = model.NewLocAppError("ldapToEmail", "api.user.ldap_to_email.not_available.app_error", nil, "")
c.Err.StatusCode = http.StatusNotImplemented
return
}
- if err := ldapInterface.CheckPassword(user.AuthData, ldapPassword); err != nil {
+ if err := ldapInterface.CheckPassword(*user.AuthData, ldapPassword); err != nil {
c.LogAuditWithUserId(user.Id, "fail - ldap authentication failed")
c.Err = err
return
diff --git a/api/user_test.go b/api/user_test.go
index 9dd57dc20..c34d32c11 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -1109,7 +1109,8 @@ func TestSendPasswordReset(t *testing.T) {
t.Fatal("Should have errored - bad email")
}
- user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+ authData := model.NewId()
+ user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: &authData, AuthService: "random"}
user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
LinkUserToTeam(user2, team)
store.Must(Srv.Store.User().VerifyEmail(user2.Id))
@@ -1178,7 +1179,8 @@ func TestResetPassword(t *testing.T) {
recovery = result.Data.(*model.PasswordRecovery)
}
- if result := <-Srv.Store.User().UpdateAuthData(user.Id, "random", "1", ""); result.Err != nil {
+ authData := model.NewId()
+ if result := <-Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, ""); result.Err != nil {
t.Fatal(result.Err)
}