Check Old Password on Password Change
Closes #6620 * Changed it from always returning true to checking whether the target is the currently logged-in user and, if so, verifying the supplied old password; for any other target the old password is not checked.
This commit is contained in:
parent
192086bd98
commit
110a5be253
@ -594,28 +594,32 @@ User = ghostBookshelf.Model.extend({
|
|||||||
var self = this,
|
var self = this,
|
||||||
newPassword = object.newPassword,
|
newPassword = object.newPassword,
|
||||||
ne2Password = object.ne2Password,
|
ne2Password = object.ne2Password,
|
||||||
userId = object.user_id,
|
userId = parseInt(object.user_id),
|
||||||
oldPassword = object.oldPassword,
|
oldPassword = object.oldPassword,
|
||||||
user;
|
user;
|
||||||
|
|
||||||
|
// If the two passwords do not match
|
||||||
if (newPassword !== ne2Password) {
|
if (newPassword !== ne2Password) {
|
||||||
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.newPasswordsDoNotMatch')));
|
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.newPasswordsDoNotMatch')));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If the old password is empty when changing current user's password
|
||||||
if (userId === options.context.user && _.isEmpty(oldPassword)) {
|
if (userId === options.context.user && _.isEmpty(oldPassword)) {
|
||||||
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordRequiredForOperation')));
|
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordRequiredForOperation')));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If password is not complex enough
|
||||||
if (!validatePasswordLength(newPassword)) {
|
if (!validatePasswordLength(newPassword)) {
|
||||||
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
|
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
|
||||||
}
|
}
|
||||||
|
|
||||||
return self.forge({id: userId}).fetch({require: true}).then(function then(_user) {
|
return self.forge({id: userId}).fetch({require: true}).then(function then(_user) {
|
||||||
user = _user;
|
user = _user;
|
||||||
|
// If the user is the current user, check old password
|
||||||
if (userId === options.context.user) {
|
if (userId === options.context.user) {
|
||||||
return bcryptCompare(oldPassword, user.get('password'));
|
return bcryptCompare(oldPassword, user.get('password'));
|
||||||
}
|
}
|
||||||
// if user is admin, password isn't compared
|
// If user is admin and changing another user's password, old password isn't compared to the old one
|
||||||
return true;
|
return true;
|
||||||
}).then(function then(matched) {
|
}).then(function then(matched) {
|
||||||
if (!matched) {
|
if (!matched) {
|
||||||
|
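Review bot: `userId = parseInt(object.user_id),` on the changed declaration line passes no radix, so a `0x`-prefixed id is parsed as hex and non-numeric input becomes `NaN`; use `userId = parseInt(object.user_id, 10),`. That parsed value is what `userId === options.context.user` compares, and this strict comparison is the only thing that decides whether the old password is required (the `_.isEmpty(oldPassword)` guard) and verified (`bcryptCompare`), so if `options.context.user` is ever a string rather than a number — not visible in this hunk — a self-change silently takes the `return true` path and the old password is never checked; normalizing both sides the same way would make the check fail closed. The new comment on the `return true` line says "If user is admin", but nothing here verifies the caller's role — any `user_id` other than the caller's reaches it — so the comment should state the real precondition: `// Target is a different user: no old-password check here; whether the caller may change another user's password must be enforced by the permissions layer before this point`. The enclosing method starts before and ends after this hunk.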
@ -1138,6 +1138,21 @@ describe('Users API', function () {
|
|||||||
}).catch(checkForErrorType('ValidationError', done));
|
}).catch(checkForErrorType('ValidationError', done));
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('Owner can\'t change password without old password', function (done) {
|
||||||
|
var payload = {
|
||||||
|
password: [{
|
||||||
|
user_id: userIdFor.owner,
|
||||||
|
oldPassword: '',
|
||||||
|
newPassword: 'Sl1m3rson1',
|
||||||
|
ne2Password: 'Sl1m3rson1'
|
||||||
|
}]
|
||||||
|
};
|
||||||
|
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
|
||||||
|
.then(function () {
|
||||||
|
done(new Error('Password change is not denied.'));
|
||||||
|
}).catch(checkForErrorType('ValidationError', done));
|
||||||
|
});
|
||||||
|
|
||||||
it('Owner can\'t change password without matching passwords', function (done) {
|
it('Owner can\'t change password without matching passwords', function (done) {
|
||||||
var payload = {
|
var payload = {
|
||||||
password: [{
|
password: [{
|
||||||
|
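Review bot: The added test only exercises `oldPassword: ''`, which is rejected by the `_.isEmpty(oldPassword)` guard that already existed before this commit, so the commit's actual change — the `bcryptCompare` of the supplied old password against the stored hash — has no coverage here. Add a sibling case with a wrong, non-empty `oldPassword` for `userIdFor.owner` that expects rejection, and one with the correct old password that expects `changePassword` to resolve; the error raised on `!matched` is outside the visible hunks, so match the expected type to whatever that branch throws. The `describe('Users API'` block starts before and ends after this hunk.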