diff options
Diffstat (limited to 'apps/settings/lib/Controller/ChangePasswordController.php')
| -rw-r--r-- | apps/settings/lib/Controller/ChangePasswordController.php | 157 |
1 files changed, 49 insertions, 108 deletions
diff --git a/apps/settings/lib/Controller/ChangePasswordController.php b/apps/settings/lib/Controller/ChangePasswordController.php index 8dd1e6ba028..a874a47c16a 100644 --- a/apps/settings/lib/Controller/ChangePasswordController.php +++ b/apps/settings/lib/Controller/ChangePasswordController.php @@ -1,33 +1,8 @@ <?php + /** - * @copyright Copyright (c) 2016 Roeland Jago Douma <roeland@famdouma.nl> - * - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Calviño Sánchez <danxuliu@gmail.com> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Joas Schilling <coding@schilljs.com> - * @author Julius Härtl <jus@bitgrid.net> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Matthew Setter <matthew@matthewsetter.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ // FIXME: disabled for now to be able to inject IGroupManager and also use // getSubAdmin() @@ -37,61 +12,45 @@ namespace OCA\Settings\Controller; use OC\Group\Manager as GroupManager; use OC\User\Session; +use OCA\Encryption\KeyManager; +use OCA\Encryption\Recovery; use OCP\App\IAppManager; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\BruteForceProtection; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired; use OCP\AppFramework\Http\JSONResponse; use OCP\HintException; -use OCP\IGroupManager; use OCP\IL10N; use OCP\IRequest; use OCP\IUser; use OCP\IUserManager; use OCP\IUserSession; +use OCP\Server; class ChangePasswordController extends Controller { - - /** @var string */ - private $userId; - - /** @var IUserManager */ - private $userManager; - - /** @var IL10N */ - private $l; - - /** @var GroupManager */ - private $groupManager; - - /** @var Session */ - private $userSession; - - /** @var IAppManager */ - private $appManager; - - public function __construct(string $appName, - IRequest $request, - string $userId, - IUserManager $userManager, - IUserSession $userSession, - IGroupManager $groupManager, - IAppManager $appManager, - IL10N $l) { + private Session $userSession; + + public function __construct( + string $appName, + IRequest $request, + private ?string $userId, + private IUserManager $userManager, + IUserSession $userSession, + private GroupManager $groupManager, + private IAppManager $appManager, + private IL10N $l, + ) { parent::__construct($appName, $request); - - $this->userId = $userId; - $this->userManager = $userManager; $this->userSession = $userSession; - $this->groupManager = $groupManager; - $this->appManager = $appManager; - $this->l = $l; } /** - * @NoAdminRequired * @NoSubAdminRequired - * @BruteForceProtection(action=changePersonalPassword) */ - public function changePersonalPassword(string $oldpassword = '', string $newpassword = null): JSONResponse { + #[NoAdminRequired] + #[BruteForceProtection(action: 'changePersonalPassword')] + public function changePersonalPassword(string $oldpassword = '', ?string $newpassword = null): JSONResponse { $loginName = $this->userSession->getLoginName(); /** @var IUser $user */ $user = $this->userManager->checkPassword($loginName, $oldpassword); @@ -107,9 +66,12 @@ class ChangePasswordController extends Controller { } try { - if ($newpassword === null || $user->setPassword($newpassword) === false) { + if ($newpassword === null || strlen($newpassword) > IUserManager::MAX_PASSWORD_LENGTH || $user->setPassword($newpassword) === false) { return new JSONResponse([ - 'status' => 'error' + 'status' => 'error', + 'data' => [ + 'message' => $this->l->t('Unable to change personal password'), + ], ]); } // password policy app throws exception @@ -132,16 +94,14 @@ class ChangePasswordController extends Controller { ]); } - /** - * @NoAdminRequired - * @PasswordConfirmationRequired - */ - public function changeUserPassword(string $username = null, string $password = null, string $recoveryPassword = null): JSONResponse { + #[NoAdminRequired] + #[PasswordConfirmationRequired] + public function changeUserPassword(?string $username = null, ?string $password = null, ?string $recoveryPassword = null): JSONResponse { if ($username === null) { return new JSONResponse([ 'status' => 'error', 'data' => [ - 'message' => $this->l->t('No user supplied'), + 'message' => $this->l->t('No Login supplied'), ], ]); } @@ -155,11 +115,20 @@ class ChangePasswordController extends Controller { ]); } + if (strlen($password) > IUserManager::MAX_PASSWORD_LENGTH) { + return new JSONResponse([ + 'status' => 'error', + 'data' => [ + 'message' => $this->l->t('Unable to change password. Password too long.'), + ], + ]); + } + $currentUser = $this->userSession->getUser(); $targetUser = $this->userManager->get($username); - if ($currentUser === null || $targetUser === null || - !($this->groupManager->isAdmin($this->userId) || - $this->groupManager->getSubAdmin()->isUserAccessible($currentUser, $targetUser)) + if ($currentUser === null || $targetUser === null + || !($this->groupManager->isAdmin($this->userId) + || $this->groupManager->getSubAdmin()->isUserAccessible($currentUser, $targetUser)) ) { return new JSONResponse([ 'status' => 'error', @@ -171,36 +140,8 @@ class ChangePasswordController extends Controller { if ($this->appManager->isEnabledForUser('encryption')) { //handle the recovery case - $crypt = new \OCA\Encryption\Crypto\Crypt( - \OC::$server->getLogger(), - \OC::$server->getUserSession(), - \OC::$server->getConfig(), - \OC::$server->getL10N('encryption')); - $keyStorage = \OC::$server->getEncryptionKeyStorage(); - $util = new \OCA\Encryption\Util( - new \OC\Files\View(), - $crypt, - \OC::$server->getLogger(), - \OC::$server->getUserSession(), - \OC::$server->getConfig(), - \OC::$server->getUserManager()); - $keyManager = new \OCA\Encryption\KeyManager( - $keyStorage, - $crypt, - \OC::$server->getConfig(), - \OC::$server->getUserSession(), - new \OCA\Encryption\Session(\OC::$server->getSession()), - \OC::$server->getLogger(), - $util, - \OC::$server->getLockingProvider() - ); - $recovery = new \OCA\Encryption\Recovery( - \OC::$server->getUserSession(), - $crypt, - $keyManager, - \OC::$server->getConfig(), - \OC::$server->getEncryptionFilesHelper(), - new \OC\Files\View()); + $keyManager = Server::get(KeyManager::class); + $recovery = Server::get(Recovery::class); $recoveryAdminEnabled = $recovery->isRecoveryKeyEnabled(); $validRecoveryPassword = false; @@ -214,7 +155,7 @@ class ChangePasswordController extends Controller { return new JSONResponse([ 'status' => 'error', 'data' => [ - 'message' => $this->l->t('Please provide an admin recovery password; otherwise, all user data will be lost.'), + 'message' => $this->l->t('Please provide an admin recovery password; otherwise, all account data will be lost.'), ] ]); } elseif ($recoveryEnabledForUser && ! $validRecoveryPassword) { @@ -240,7 +181,7 @@ class ChangePasswordController extends Controller { return new JSONResponse([ 'status' => 'error', 'data' => [ - 'message' => $this->l->t('Backend doesn\'t support password change, but the user\'s encryption key was updated.'), + 'message' => $this->l->t('Backend does not support password change, but the encryption of the account key was updated.'), ] ]); } elseif (!$result && !$recoveryEnabledForUser) { |