From 2fd2e45e428b24f16b7724b7a31d660ba67d2ef1 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 25 Oct 2016 13:05:13 +0200 Subject: [PATCH] Require password confirmation for user management Signed-off-by: Joas Schilling --- .../Controller/ChangePasswordController.php | 1 + settings/Controller/GroupsController.php | 2 + settings/Controller/UsersController.php | 3 + settings/ajax/togglegroups.php | 7 ++ settings/ajax/togglesubadmins.php | 7 ++ settings/js/users/users.js | 68 +++++++++++++++---- 6 files changed, 74 insertions(+), 14 deletions(-) diff --git a/settings/Controller/ChangePasswordController.php b/settings/Controller/ChangePasswordController.php index e43d0d8f343..832cdbefdbe 100644 --- a/settings/Controller/ChangePasswordController.php +++ b/settings/Controller/ChangePasswordController.php @@ -131,6 +131,7 @@ class ChangePasswordController extends Controller { /** * @NoAdminRequired + * @PasswordConfirmationRequired * * @param string $username * @param string $password diff --git a/settings/Controller/GroupsController.php b/settings/Controller/GroupsController.php index feed45b118e..8985a76ec95 100644 --- a/settings/Controller/GroupsController.php +++ b/settings/Controller/GroupsController.php @@ -95,6 +95,7 @@ class GroupsController extends Controller { } /** + * @PasswordConfirmationRequired * @param string $id * @return DataResponse */ @@ -128,6 +129,7 @@ class GroupsController extends Controller { } /** + * @PasswordConfirmationRequired * @param string $id * @return DataResponse */ diff --git a/settings/Controller/UsersController.php b/settings/Controller/UsersController.php index 4c732a94c9a..89831a66aba 100644 --- a/settings/Controller/UsersController.php +++ b/settings/Controller/UsersController.php @@ -301,6 +301,7 @@ class UsersController extends Controller { /** * @NoAdminRequired + * @PasswordConfirmationRequired * * @param string $username * @param string $password @@ -433,6 +434,7 @@ class UsersController extends Controller { /** * @NoAdminRequired + * @PasswordConfirmationRequired * * @param string $id * @return DataResponse @@ -616,6 +618,7 @@ class UsersController extends Controller { * * @NoAdminRequired * @NoSubadminRequired + * @PasswordConfirmationRequired * * @param string $username * @param string $displayName diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php index ff79861b811..b9958bef0c9 100644 --- a/settings/ajax/togglegroups.php +++ b/settings/ajax/togglegroups.php @@ -28,6 +28,13 @@ OC_JSON::checkSubAdminUser(); OCP\JSON::callCheck(); +$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm'); +if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay + $l = \OC::$server->getL10N('core'); + OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required')))); + exit(); +} + $success = true; $username = (string)$_POST['username']; $group = (string)$_POST['group']; diff --git a/settings/ajax/togglesubadmins.php b/settings/ajax/togglesubadmins.php index 390e5c09ef3..5658a382410 100644 --- a/settings/ajax/togglesubadmins.php +++ b/settings/ajax/togglesubadmins.php @@ -24,6 +24,13 @@ OC_JSON::checkAdminUser(); OCP\JSON::callCheck(); +$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm'); +if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay + $l = \OC::$server->getL10N('core'); + OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required')))); + exit(); +} + $username = (string)$_POST['username']; $group = (string)$_POST['group']; diff --git a/settings/js/users/users.js b/settings/js/users/users.js index 3a357c0e9c4..7f23f2dad3f 100644 --- a/settings/js/users/users.js +++ b/settings/js/users/users.js @@ -353,6 +353,14 @@ var UserList = { $userListBody.on('click', '.delete', function () { // Call function for handling delete/undo var uid = UserList.getUID(this); + + if (OC.PasswordConfirmation.requiresPasswordConfirmation()) { + OC.PasswordConfirmation.requirePasswordConfirmation(function() { + UserDeleteHandler.mark(uid); + }); + return; + } + UserDeleteHandler.mark(uid); }); @@ -405,6 +413,11 @@ var UserList = { }, applyGroupSelect: function (element, user, checked) { + if (OC.PasswordConfirmation.requiresPasswordConfirmation()) { + OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments)); + return; + } + var $element = $(element); var checkHandler = null; @@ -467,6 +480,11 @@ var UserList = { }, applySubadminSelect: function (element, user, checked) { + if (OC.PasswordConfirmation.requiresPasswordConfirmation()) { + OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments)); + return; + } + var $element = $(element); var checkHandler = function (group) { if (group === 'admin') { @@ -478,7 +496,10 @@ var UserList = { username: user, group: group }, - function () { + function (response) { + if (response.data.message) { + OC.Notification.show(response.data.message); + } } ); }; @@ -635,6 +656,27 @@ $(document).ready(function () { // TODO: move other init calls inside of initialize UserList.initialize($('#userlist')); + var _submitPasswordChange = function(uid, password, recoveryPasswordVal) { + if (OC.PasswordConfirmation.requiresPasswordConfirmation()) { + OC.PasswordConfirmation.requirePasswordConfirmation(function() { + _submitPasswordChange(uid, password, recoveryPasswordVal); + }); + return; + } + + $.post( + OC.generateUrl('/settings/users/changepassword'), + {username: uid, password: password, recoveryPassword: recoveryPasswordVal}, + function (result) { + if (result.status === 'success') { + OC.Notification.showTemporary(t('admin', 'Password successfully changed')); + } else { + OC.Notification.showTemporary(t('admin', result.data.message)); + } + } + ); + }; + $userListBody.on('click', '.password', function (event) { event.stopPropagation(); @@ -657,17 +699,7 @@ $(document).ready(function () { if (event.keyCode === 13) { if ($(this).val().length > 0) { var recoveryPasswordVal = $('input:password[id="recoveryPassword"]').val(); - $.post( - OC.generateUrl('/settings/users/changepassword'), - {username: uid, password: $(this).val(), recoveryPassword: recoveryPasswordVal}, - function (result) { - if (result.status === 'success') { - OC.Notification.showTemporary(t('admin', 'Password successfully changed')); - } else { - OC.Notification.showTemporary(t('admin', result.data.message)); - } - } - ); + _submitPasswordChange(uid, $(this).val(), recoveryPasswordVal); $input.blur(); } else { $input.blur(); @@ -796,7 +828,14 @@ $(document).ready(function () { }); UserList._updateGroupListLabel($('#newuser .groups'), []); - $('#newuser').submit(function (event) { + var _submitNewUserForm = function (event) { + if (OC.PasswordConfirmation.requiresPasswordConfirmation()) { + OC.PasswordConfirmation.requirePasswordConfirmation(function() { + _submitNewUserForm(event); + }); + return; + } + event.preventDefault(); var username = $('#newusername').val(); var password = $('#newuserpassword').val(); @@ -866,7 +905,8 @@ $(document).ready(function () { $('#newuser').get(0).reset(); }); }); - }); + } + $('#newuser').submit(_submitNewUserForm); if ($('#CheckboxStorageLocation').is(':checked')) { $("#userlist .storageLocation").show(); -- 2.39.5