From 4734912c521be4367b1d8ca255cc76c0095839b4 Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Thu, 22 Oct 2015 10:53:39 -0400
Subject: Prevent users from resetting their password when the user is using
 SSO

---
 api/user.go      | 10 ++++++++++
 api/user_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

(limited to 'api')

diff --git a/api/user.go b/api/user.go
index 0c7278711..5e5ff79f1 100644
--- a/api/user.go
+++ b/api/user.go
@@ -1241,6 +1241,11 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
 		user = result.Data.(*model.User)
 	}
 
+	if len(user.AuthData) != 0 {
+		c.Err = model.NewAppError("sendPasswordReset", "Cannot reset password for SSO accounts", "userId="+user.Id+", teamId="+team.Id)
+		return
+	}
+
 	newProps := make(map[string]string)
 	newProps["user_id"] = user.Id
 	newProps["time"] = fmt.Sprintf("%v", model.GetMillis())
@@ -1325,6 +1330,11 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
 		user = result.Data.(*model.User)
 	}
 
+	if len(user.AuthData) != 0 {
+		c.Err = model.NewAppError("resetPassword", "Cannot reset password for SSO accounts", "userId="+user.Id+", teamId="+team.Id)
+		return
+	}
+
 	if user.TeamId != team.Id {
 		c.Err = model.NewAppError("resetPassword", "Trying to reset password for user on wrong team.", "userId="+user.Id+", teamId="+team.Id)
 		c.Err.StatusCode = http.StatusForbidden
diff --git a/api/user_test.go b/api/user_test.go
index 77309e5b2..b54e030c5 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -817,6 +817,16 @@ func TestSendPasswordReset(t *testing.T) {
 	if _, err := Client.SendPasswordReset(data); err == nil {
 		t.Fatal("Should have errored - bad name")
 	}
+
+	user2 := &model.User{TeamId: team.Id, Email: strings.ToLower(model.NewId()) + "corey@test.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+	user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
+	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
+
+	data["email"] = user2.Email
+	data["name"] = team.Name
+	if _, err := Client.SendPasswordReset(data); err == nil {
+		t.Fatal("should have errored - SSO user can't send reset password link")
+	}
 }
 
 func TestResetPassword(t *testing.T) {
@@ -901,6 +911,20 @@ func TestResetPassword(t *testing.T) {
 	if _, err := Client.ResetPassword(data); err == nil {
 		t.Fatal("Should have errored - domain team doesn't match user team")
 	}
+
+	user2 := &model.User{TeamId: team.Id, Email: strings.ToLower(model.NewId()) + "corey@test.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+	user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
+	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
+
+	data["new_password"] = "newpwd"
+	props["user_id"] = user2.Id
+	props["time"] = fmt.Sprintf("%v", model.GetMillis())
+	data["data"] = model.MapToJson(props)
+	data["hash"] = model.HashPassword(fmt.Sprintf("%v:%v", data["data"], utils.Cfg.EmailSettings.PasswordResetSalt))
+	data["name"] = team.Name
+	if _, err := Client.ResetPassword(data); err == nil {
+		t.Fatal("should have errored - SSO user can't reset password")
+	}
 }
 
 func TestUserUpdateNotify(t *testing.T) {
-- 
cgit v1.2.3-1-g7c22