backport: enable admin to recover encrypted files

diff --git a/settings/ajax/changepassword.php b/settings/ajax/changepassword.php
index 1fc6d0e10002eae6296f1701bf8544c6150aa165..cb66c57c743bcb9fc4fcb9bfb5bbff50a0b9753d 100644 (file)
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@@ -10,6 +10,7 @@ OC_APP::loadApps();
 $username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser();
 $password = isset($_POST["password"]) ? $_POST["password"] : null;
 $oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';
+$recoveryPassword=isset($_POST["recoveryPassword"])?$_POST["recoveryPassword"]:null;
 
 $userstatus = null;
 if(OC_User::isAdminUser(OC_User::getUser())) {
@@ -27,8 +28,15 @@ if(is_null($userstatus)) {
        exit();
 }
 
-// Return Success story
-if(!is_null($password) && OC_User::setPassword( $username, $password )) {
+$util = new \OCA\Encryption\Util(new \OC_FilesystemView('/'), $username);
+$recoveryAdminEnabled = OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminEnabled' );
+$recoveryEnabledForUser = $util->recoveryEnabledForUser();
+
+if ($recoveryAdminEnabled && $recoveryEnabledForUser && $recoveryPassword == '') {
+       OC_JSON::error(array("data" => array( "message" => "Please provide a admin recovery password, otherwise all user data will be lost" )));
+}elseif ( $recoveryPassword && ! $util->checkRecoveryPassword($recoveryPassword) ) {
+       OC_JSON::error(array("data" => array( "message" => "Wrong admin recovery password. Please check the password and try again." )));
+}elseif(!is_null($password) && OC_User::setPassword( $username, $password, $recoveryPassword )) {
        OC_JSON::success(array("data" => array( "username" => $username )));
 }
 else{

diff --git a/settings/js/users.js b/settings/js/users.js
index a33fcea32234817b3abf1ee287df942b5cf51393..dcb1a165420fe8abeb02eadc85ba7b04f95c2c39 100644 (file)
--- a/settings/js/users.js
+++ b/settings/js/users.js
@@ -351,10 +351,14 @@ $(document).ready(function () {
                input.keypress(function (event) {
                        if (event.keyCode == 13) {
                                if ($(this).val().length > 0) {
+                                       var recoveryPasswordVal = $('input:password[id="recoveryPassword"]').val();
                                        $.post(
                                                OC.filePath('settings', 'ajax', 'changepassword.php'),
-                                               {username: uid, password: $(this).val()},
+                                               {username: uid, password: $(this).val(), recoveryPassword: recoveryPasswordVal},
                                                function (result) {
+                                                       if (result.status != 'success') {
+                                                               OC.Notification.show(t('admin', result.data.message));
+                                                       }
                                                }
                                        );
                                        input.blur();
@@ -368,6 +372,9 @@ $(document).ready(function () {
                        img.css('display', '');
                });
        });
+       $('input:password[id="recoveryPassword"]').keyup(function(event) {
+               OC.Notification.hide();
+       });
        $('table').on('click', 'td.password', function (event) {
                $(this).children('img').click();
        });

diff --git a/settings/templates/users.php b/settings/templates/users.php
index 6113337f4eeb2ed916b1d4d558b975c43e0ffb16..7049f354fbf4635726725c6cfc7f21674df36e3d 100644 (file)
--- a/settings/templates/users.php
+++ b/settings/templates/users.php
@@ -31,6 +31,11 @@ $_['subadmingroups'] = array_flip($items);
                        <?php endforeach;?>
                </select> <input type="submit" value="<?php p($l->t('Create'))?>" />
        </form>
+       <?php if((bool)$_['recoveryAdminEnabled']): ?>
+       <div class="recoveryPassword">
+       <input id="recoveryPassword" type="password" placeholder="<?php p($l->t('Admin Recovery Password'))?>" />
+       </div>
+       <?php endif; ?>
        <div class="quota">
                <span><?php p($l->t('Default Storage'));?></span>
                        <?php if((bool) $_['isadmin']): ?>

diff --git a/settings/users.php b/settings/users.php
index 94e6d0a9a10f9ee5751b7d5b645692642a0c5871..e5c8a7aaa8d2963f6aab0dae4ddc57c689dbab36 100644 (file)
--- a/settings/users.php
+++ b/settings/users.php
@@ -20,6 +20,8 @@ $users = array();
 $groups = array();
 
 $isadmin = OC_User::isAdminUser(OC_User::getUser());
+$recoveryAdminEnabled = OC_App::isEnabled('files_encryption') &&
+                                           OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminEnabled' );
 
 if($isadmin) {
        $accessiblegroups = OC_Group::getGroups();
@@ -77,4 +79,5 @@ $tmpl->assign( 'numofgroups', count($accessiblegroups));
 $tmpl->assign( 'quota_preset', $quotaPreset);
 $tmpl->assign( 'default_quota', $defaultQuota);
 $tmpl->assign( 'defaultQuotaIsUserDefined', $defaultQuotaIsUserDefined);
+$tmpl->assign( 'recoveryAdminEnabled', $recoveryAdminEnabled);
 $tmpl->printPage();