mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49069 Commits
424 Branches
Tree: 69269871e7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '69269871e7'
${ noResults }
nextcloud/settings/Controller/ChangePasswordController.php

ChangePasswordController.php 7.7KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286 
  1. <?php

  2. // FIXME: disabled for now to be able to inject IGroupManager and also use

  3. // getSubAdmin()

  4. //declare(strict_types=1);

  5. /**

  6.  *

  7.  *

  8.  * @author Joas Schilling <coding@schilljs.com>

  9.  * @author Lukas Reschke <lukas@statuscode.ch>

  10.  * @author Matthew Setter <matthew@matthewsetter.com>

  11.  * @author Morris Jobke <hey@morrisjobke.de>

  12.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  13.  *

  14.  * @license GNU AGPL version 3 or any later version

  15.  *

  16.  * This program is free software: you can redistribute it and/or modify

  17.  * it under the terms of the GNU Affero General Public License as

  18.  * published by the Free Software Foundation, either version 3 of the

  19.  * License, or (at your option) any later version.

  20.  *

  21.  * This program is distributed in the hope that it will be useful,

  22.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  23.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24.  * GNU Affero General Public License for more details.

  25.  *

  26.  * You should have received a copy of the GNU Affero General Public License

  27.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28.  *

  29.  */

  30. namespace OC\Settings\Controller;

  31. 

  32. use OC\HintException;

  33. use OC\User\Session;

  34. use OCP\App\IAppManager;

  35. use OCP\AppFramework\Controller;

  36. use OCP\AppFramework\Http\JSONResponse;

  37. use OCP\IGroupManager;

  38. use OCP\IL10N;

  39. use OCP\IRequest;

  40. use OCP\IUser;

  41. use OCP\IUserManager;

  42. use OCP\IUserSession;

  43. 

  44. class ChangePasswordController extends Controller {

  45. 

  46. 	/** @var string */

  47. 	private $userId;

  48. 

  49. 	/** @var IUserManager */

  50. 	private $userManager;

  51. 

  52. 	/** @var IL10N */

  53. 	private $l;

  54. 

  55. 	/** @var IGroupManager */

  56. 	private $groupManager;

  57. 

  58. 	/** @var Session */

  59. 	private $userSession;

  60. 

  61. 	/** @var IAppManager */

  62. 	private $appManager;

  63. 

  64. 	public function __construct(string $appName,

  65. 								IRequest $request,

  66. 								string $userId,

  67. 								IUserManager $userManager,

  68. 								IUserSession $userSession,

  69. 								IGroupManager $groupManager,

  70. 								IAppManager $appManager,

  71. 								IL10N $l) {

  72. 		parent::__construct($appName, $request);

  73. 

  74. 		$this->userId = $userId;

  75. 		$this->userManager = $userManager;

  76. 		$this->userSession = $userSession;

  77. 		$this->groupManager = $groupManager;

  78. 		$this->appManager = $appManager;

  79. 		$this->l = $l;

  80. 	}

  81. 

  82. 	/**

  83. 	 * @NoAdminRequired

  84. 	 * @NoSubadminRequired

  85. 	 * @BruteForceProtection(action=changePersonalPassword)

  86. 	 *

  87. 	 * @param string $oldpassword

  88. 	 * @param string $newpassword

  89. 	 *

  90. 	 * @return JSONResponse

  91. 	 */

  92. 	public function changePersonalPassword(string $oldpassword = '', string $newpassword = null): JSONResponse {

  93. 		/** @var IUser $user */

  94. 		$user = $this->userManager->checkPassword($this->userId, $oldpassword);

  95. 		if ($user === false) {

  96. 			$response = new JSONResponse([

  97. 				'status' => 'error',

  98. 				'data' => [

  99. 					'message' => $this->l->t('Wrong password'),

  100. 				],

  101. 			]);

  102. 			$response->throttle();

  103. 			return $response;

  104. 		}

  105. 

  106. 		try {

  107. 			if ($newpassword === null || $user->setPassword($newpassword) === false) {

  108. 				return new JSONResponse([

  109. 					'status' => 'error'

  110. 				]);

  111. 			}

  112. 		// password policy app throws exception

  113. 		} catch(HintException $e) {

  114. 			return new JSONResponse([

  115. 				'status' => 'error',

  116. 				'data' => [

  117. 					'message' => $e->getHint(),

  118. 				],

  119. 			]);

  120. 		}

  121. 

  122. 		$this->userSession->updateSessionTokenPassword($newpassword);

  123. 

  124. 		return new JSONResponse([

  125. 			'status' => 'success',

  126. 			'data' => [

  127. 				'message' => $this->l->t('Saved'),

  128. 			],

  129. 		]);

  130. 	}

  131. 

  132. 	/**

  133. 	 * @NoAdminRequired

  134. 	 * @PasswordConfirmationRequired

  135. 	 *

  136. 	 * @param string $username

  137. 	 * @param string $password

  138. 	 * @param string $recoveryPassword

  139. 	 *

  140. 	 * @return JSONResponse

  141. 	 */

  142. 	public function changeUserPassword(string $username = null, string $password = null, string $recoveryPassword = null): JSONResponse {

  143. 		if ($username === null) {

  144. 			return new JSONResponse([

  145. 				'status' => 'error',

  146. 				'data' => [

  147. 					'message' => $this->l->t('No user supplied'),

  148. 				],

  149. 			]);

  150. 		}

  151. 

  152. 		if ($password === null) {

  153. 			return new JSONResponse([

  154. 				'status' => 'error',

  155. 				'data' => [

  156. 					'message' => $this->l->t('Unable to change password'),

  157. 				],

  158. 			]);

  159. 		}

  160. 

  161. 		$currentUser = $this->userSession->getUser();

  162. 		$targetUser = $this->userManager->get($username);

  163. 		if ($currentUser === null || $targetUser === null ||

  164. 			!($this->groupManager->isAdmin($this->userId) ||

  165. 			 $this->groupManager->getSubAdmin()->isUserAccessible($currentUser, $targetUser))

  166. 		) {

  167. 			return new JSONResponse([

  168. 				'status' => 'error',

  169. 				'data' => [

  170. 					'message' => $this->l->t('Authentication error'),

  171. 				],

  172. 			]);

  173. 		}

  174. 

  175. 		if ($this->appManager->isEnabledForUser('encryption')) {

  176. 			//handle the recovery case

  177. 			$crypt = new \OCA\Encryption\Crypto\Crypt(

  178. 				\OC::$server->getLogger(),

  179. 				\OC::$server->getUserSession(),

  180. 				\OC::$server->getConfig(),

  181. 				\OC::$server->getL10N('encryption'));

  182. 			$keyStorage = \OC::$server->getEncryptionKeyStorage();

  183. 			$util = new \OCA\Encryption\Util(

  184. 				new \OC\Files\View(),

  185. 				$crypt,

  186. 				\OC::$server->getLogger(),

  187. 				\OC::$server->getUserSession(),

  188. 				\OC::$server->getConfig(),

  189. 				\OC::$server->getUserManager());

  190. 			$keyManager = new \OCA\Encryption\KeyManager(

  191. 				$keyStorage,

  192. 				$crypt,

  193. 				\OC::$server->getConfig(),

  194. 				\OC::$server->getUserSession(),

  195. 				new \OCA\Encryption\Session(\OC::$server->getSession()),

  196. 				\OC::$server->getLogger(),

  197. 				$util);

  198. 			$recovery = new \OCA\Encryption\Recovery(

  199. 				\OC::$server->getUserSession(),

  200. 				$crypt,

  201. 				\OC::$server->getSecureRandom(),

  202. 				$keyManager,

  203. 				\OC::$server->getConfig(),

  204. 				$keyStorage,

  205. 				\OC::$server->getEncryptionFilesHelper(),

  206. 				new \OC\Files\View());

  207. 			$recoveryAdminEnabled = $recovery->isRecoveryKeyEnabled();

  208. 

  209. 			$validRecoveryPassword = false;

  210. 			$recoveryEnabledForUser = false;

  211. 			if ($recoveryAdminEnabled) {

  212. 				$validRecoveryPassword = $keyManager->checkRecoveryPassword($recoveryPassword);

  213. 				$recoveryEnabledForUser = $recovery->isRecoveryEnabledForUser($username);

  214. 			}

  215. 

  216. 			if ($recoveryEnabledForUser && $recoveryPassword === '') {

  217. 				return new JSONResponse([

  218. 					'status' => 'error',

  219. 					'data' => [

  220. 						'message' => $this->l->t('Please provide an admin recovery password; otherwise, all user data will be lost.'),

  221. 					]

  222. 				]);

  223. 			} elseif ($recoveryEnabledForUser && ! $validRecoveryPassword) {

  224. 				return new JSONResponse([

  225. 					'status' => 'error',

  226. 					'data' => [

  227. 						'message' => $this->l->t('Wrong admin recovery password. Please check the password and try again.'),

  228. 					]

  229. 				]);

  230. 			} else { // now we know that everything is fine regarding the recovery password, let's try to change the password

  231. 				try {

  232. 					$result = $targetUser->setPassword($password, $recoveryPassword);

  233. 				// password policy app throws exception

  234. 				} catch(HintException $e) {

  235. 					return new JSONResponse([

  236. 						'status' => 'error',

  237. 						'data' => [

  238. 							'message' => $e->getHint(),

  239. 						],

  240. 					]);

  241. 				}

  242. 				if (!$result && $recoveryEnabledForUser) {

  243. 					return new JSONResponse([

  244. 						'status' => 'error',

  245. 						'data' => [

  246. 							'message' => $this->l->t('Backend doesn\'t support password change, but the user\'s encryption key was updated.'),

  247. 						]

  248. 					]);

  249. 				} elseif (!$result && !$recoveryEnabledForUser) {

  250. 					return new JSONResponse([

  251. 						'status' => 'error',

  252. 						'data' => [

  253. 							'message' => $this->l->t('Unable to change password'),

  254. 						]

  255. 					]);

  256. 				}

  257. 			}

  258. 		} else {

  259. 			try {

  260. 				if ($targetUser->setPassword($password) === false) {

  261. 					return new JSONResponse([

  262. 						'status' => 'error',

  263. 						'data' => [

  264. 							'message' => $this->l->t('Unable to change password'),

  265. 						],

  266. 					]);

  267. 				}

  268. 			// password policy app throws exception

  269. 			} catch(HintException $e) {

  270. 				return new JSONResponse([

  271. 					'status' => 'error',

  272. 					'data' => [

  273. 						'message' => $e->getHint(),

  274. 					],

  275. 				]);

  276. 			}

  277. 		}

  278. 

  279. 		return new JSONResponse([

  280. 			'status' => 'success',

  281. 			'data' => [

  282. 				'username' => $username,

  283. 			],

  284. 		]);

  285. 	}

  286. }