Check Old Password on Password Change

Closes #6620

* Changed it from always returning true to checking whether the target is the
currently logged-in user and, if so, verifying the old password. If not,
the old password is ignored
David Balderston 2016-03-25 17:17:06 -07:00
parent 192086bd98
commit 110a5be253
2 changed files with 21 additions and 2 deletions


@ -594,28 +594,32 @@ User = ghostBookshelf.Model.extend({
var self = this, var self = this,
newPassword = object.newPassword, newPassword = object.newPassword,
ne2Password = object.ne2Password, ne2Password = object.ne2Password,
userId = object.user_id, userId = parseInt(object.user_id),
oldPassword = object.oldPassword, oldPassword = object.oldPassword,
user; user;
// If the two passwords do not match
if (newPassword !== ne2Password) { if (newPassword !== ne2Password) {
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.newPasswordsDoNotMatch'))); return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.newPasswordsDoNotMatch')));
} }
// If the old password is empty when changing current user's password
if (userId === options.context.user && _.isEmpty(oldPassword)) { if (userId === options.context.user && _.isEmpty(oldPassword)) {
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordRequiredForOperation'))); return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordRequiredForOperation')));
} }
// If password is not complex enough
if (!validatePasswordLength(newPassword)) { if (!validatePasswordLength(newPassword)) {
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength'))); return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
} }
return self.forge({id: userId}).fetch({require: true}).then(function then(_user) { return self.forge({id: userId}).fetch({require: true}).then(function then(_user) {
user = _user; user = _user;
// If the user is the current user, check old password
if (userId === options.context.user) { if (userId === options.context.user) {
return bcryptCompare(oldPassword, user.get('password')); return bcryptCompare(oldPassword, user.get('password'));
} }
// if user is admin, password isn't compared // If user is admin and changing another user's password, old password isn't compared to the old one
return true; return true;
}).then(function then(matched) { }).then(function then(matched) {
if (!matched) { if (!matched) {
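Review bot: The rewritten comment above the trailing `return true` claims the caller is an admin changing another user's password, but nothing in this block checks a role — the branch is reached by any caller whose `options.context.user` differs from `userId`, so skipping the old-password comparison relies on an authorization check that must already have happened before this method, presumably in the API permission layer. I'd make the comment state that dependency, e.g. `// Not the current user: old password is not compared here; the caller must already have been authorized to change other users' passwords`. On the `userId = parseInt(object.user_id)` line, pass the radix (`userId = parseInt(object.user_id, 10),`) and note that the gate `userId === options.context.user` is a strict comparison: a `NaN` from a malformed id or a string-typed `context.user` would silently take the no-compare branch, so the type of `options.context.user` is worth confirming. The enclosing changePassword function begins before this hunk and continues after it.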


@ -1138,6 +1138,21 @@ describe('Users API', function () {
}).catch(checkForErrorType('ValidationError', done)); }).catch(checkForErrorType('ValidationError', done));
}); });
it('Owner can\'t change password without old password', function (done) {
var payload = {
password: [{
user_id: userIdFor.owner,
oldPassword: '',
newPassword: 'Sl1m3rson1',
ne2Password: 'Sl1m3rson1'
}]
};
UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
.then(function () {
done(new Error('Password change is not denied.'));
}).catch(checkForErrorType('ValidationError', done));
});
it('Owner can\'t change password without matching passwords', function (done) { it('Owner can\'t change password without matching passwords', function (done) {
var payload = { var payload = {
password: [{ password: [{
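Review bot: The added test only exercises the `_.isEmpty(oldPassword)` early rejection (`oldPassword: ''`); the bcryptCompare branch the commit actually introduces — a present but wrong old password for the current user — is not covered, so a regression to the former unconditional `return true` for the owner would still pass this suite. A sibling case with a non-empty incorrect `oldPassword` (constructed value below) that also expects `checkForErrorType('ValidationError', done)` would pin it; the error type raised on a mismatch comes from the `!matched` branch outside the model hunk, so confirm it before asserting. The enclosing describe block starts before this hunk and continues after it.
```javascript
        it('Owner can\'t change password with wrong old password', function (done) {
            var payload = {
                password: [{
                    user_id: userIdFor.owner,
                    oldPassword: 'not-the-current-password', // constructed: any value that is not the owner's real password
                    newPassword: 'Sl1m3rson1',
                    ne2Password: 'Sl1m3rson1'
                }]
            };
            UserAPI.changePassword(payload, _.extend({}, context.owner, {id: userIdFor.owner}))
                .then(function () {
                    done(new Error('Password change is not denied.'));
                }).catch(checkForErrorType('ValidationError', done));
        });
```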