From 28ddf3abdbe481b8714bdd2bc9dad43c805680e4 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 19 Sep 2016 16:14:51 +0200
Subject: Require password confirmation for changing the email

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 settings/Controller/UsersController.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'settings/Controller')

diff --git a/settings/Controller/UsersController.php b/settings/Controller/UsersController.php
index fde29de3598..4c732a94c9a 100644
--- a/settings/Controller/UsersController.php
+++ b/settings/Controller/UsersController.php
@@ -495,6 +495,7 @@ class UsersController extends Controller {
 	 *
 	 * @NoAdminRequired
 	 * @NoSubadminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $id
 	 * @param string $mailAddress
-- 
cgit v1.2.3


From 68fa1e5dd8a588d3903dfee4dab5c740637e0cf6 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 19 Sep 2016 17:13:30 +0200
Subject: Require password confirmation for app password

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 settings/Controller/AuthSettingsController.php | 8 +++++---
 settings/js/authtoken_view.js                  | 5 +++++
 2 files changed, 10 insertions(+), 3 deletions(-)

(limited to 'settings/Controller')

diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php
index 4e3d05a14e8..732f3abd1fd 100644
--- a/settings/Controller/AuthSettingsController.php
+++ b/settings/Controller/AuthSettingsController.php
@@ -111,7 +111,9 @@ class AuthSettingsController extends Controller {
 	/**
 	 * @NoAdminRequired
 	 * @NoSubadminRequired
+	 * @PasswordConfirmationRequired
 	 *
+	 * @param string $name
 	 * @return JSONResponse
 	 */
 	public function create($name) {
@@ -138,11 +140,11 @@ class AuthSettingsController extends Controller {
 		$tokenData = $deviceToken->jsonSerialize();
 		$tokenData['canDelete'] = true;
 
-		return [
+		return new JSONResponse([
 			'token' => $token,
 			'loginName' => $loginName,
-			'deviceToken' => $tokenData
-		];
+			'deviceToken' => $tokenData,
+		]);
 	}
 
 	private function getServiceNotAvailableResponse() {
diff --git a/settings/js/authtoken_view.js b/settings/js/authtoken_view.js
index 0939913cc1a..c45e4b7ec44 100644
--- a/settings/js/authtoken_view.js
+++ b/settings/js/authtoken_view.js
@@ -299,6 +299,11 @@
 		},
 
 		_addAppPassword: function () {
+			if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+				OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this._addAppPassword, this));
+				return;
+			}
+
 			var _this = this;
 			this._toggleAddingToken(true);
 
-- 
cgit v1.2.3


From 62855c08ffbc7697e43f8aeca42095add8b84986 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 19 Sep 2016 18:40:47 +0200
Subject: Require confirmation when changing the email settings

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 settings/Controller/MailSettingsController.php |  6 ++++
 settings/js/admin.js                           | 47 ++++++++++++++++++++------
 2 files changed, 43 insertions(+), 10 deletions(-)

(limited to 'settings/Controller')

diff --git a/settings/Controller/MailSettingsController.php b/settings/Controller/MailSettingsController.php
index 84423aa8e29..108ac3f393a 100644
--- a/settings/Controller/MailSettingsController.php
+++ b/settings/Controller/MailSettingsController.php
@@ -73,6 +73,9 @@ class MailSettingsController extends Controller {
 
 	/**
 	 * Sets the email settings
+	 *
+	 * @PasswordConfirmationRequired
+	 *
 	 * @param string $mail_domain
 	 * @param string $mail_from_address
 	 * @param string $mail_smtpmode
@@ -116,6 +119,9 @@ class MailSettingsController extends Controller {
 
 	/**
 	 * Store the credentials used for SMTP in the config
+	 *
+	 * @PasswordConfirmationRequired
+	 *
 	 * @param string $mail_smtpname
 	 * @param string $mail_smtppassword
 	 * @return array
diff --git a/settings/js/admin.js b/settings/js/admin.js
index 7c2b507280f..094b12b2bab 100644
--- a/settings/js/admin.js
+++ b/settings/js/admin.js
@@ -172,21 +172,48 @@ $(document).ready(function(){
 		}
 	});
 
-	$('#mail_general_settings_form').change(function(){
+	var changeEmailSettings = function() {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(changeEmailSettings);
+			return;
+		}
+
 		OC.msg.startSaving('#mail_settings_msg');
-		var post = $( "#mail_general_settings_form" ).serialize();
-		$.post(OC.generateUrl('/settings/admin/mailsettings'), post, function(data){
-			OC.msg.finishedSaving('#mail_settings_msg', data);
+		$.ajax({
+			url: OC.generateUrl('/settings/admin/mailsettings'),
+			type: 'POST',
+			data: $('#mail_general_settings_form').serialize(),
+			success: function(data){
+				OC.msg.finishedSaving('#mail_settings_msg', data);
+			},
+			error: function(data){
+				OC.msg.finishedError('#mail_settings_msg', data.responseJSON.message);
+			}
 		});
-	});
+	};
+
+	var toggleEmailCredentials = function() {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(toggleEmailCredentials);
+			return;
+		}
 
-	$('#mail_credentials_settings_submit').click(function(){
 		OC.msg.startSaving('#mail_settings_msg');
-		var post = $( "#mail_credentials_settings" ).serialize();
-		$.post(OC.generateUrl('/settings/admin/mailsettings/credentials'), post, function(data){
-			OC.msg.finishedSaving('#mail_settings_msg', data);
+		$.ajax({
+			url: OC.generateUrl('/settings/admin/mailsettings/credentials'),
+			type: 'POST',
+			data: $('#mail_credentials_settings').serialize(),
+			success: function(data){
+				OC.msg.finishedSaving('#mail_settings_msg', data);
+			},
+			error: function(data){
+				OC.msg.finishedError('#mail_settings_msg', data.responseJSON.message);
+			}
 		});
-	});
+	};
+
+	$('#mail_general_settings_form').change(changeEmailSettings);
+	$('#mail_credentials_settings_submit').click(toggleEmailCredentials);
 
 	$('#sendtestemail').click(function(event){
 		event.preventDefault();
-- 
cgit v1.2.3


From 2fd2e45e428b24f16b7724b7a31d660ba67d2ef1 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Tue, 25 Oct 2016 13:05:13 +0200
Subject: Require password confirmation for user management

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 settings/Controller/ChangePasswordController.php |  1 +
 settings/Controller/GroupsController.php         |  2 +
 settings/Controller/UsersController.php          |  3 ++
 settings/ajax/togglegroups.php                   |  7 +++
 settings/ajax/togglesubadmins.php                |  7 +++
 settings/js/users/users.js                       | 68 +++++++++++++++++++-----
 6 files changed, 74 insertions(+), 14 deletions(-)

(limited to 'settings/Controller')

diff --git a/settings/Controller/ChangePasswordController.php b/settings/Controller/ChangePasswordController.php
index e43d0d8f343..832cdbefdbe 100644
--- a/settings/Controller/ChangePasswordController.php
+++ b/settings/Controller/ChangePasswordController.php
@@ -131,6 +131,7 @@ class ChangePasswordController extends Controller {
 
 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $username
 	 * @param string $password
diff --git a/settings/Controller/GroupsController.php b/settings/Controller/GroupsController.php
index feed45b118e..8985a76ec95 100644
--- a/settings/Controller/GroupsController.php
+++ b/settings/Controller/GroupsController.php
@@ -95,6 +95,7 @@ class GroupsController extends Controller {
 	}
 
 	/**
+	 * @PasswordConfirmationRequired
 	 * @param string $id
 	 * @return DataResponse
 	 */
@@ -128,6 +129,7 @@ class GroupsController extends Controller {
 	}
 
 	/**
+	 * @PasswordConfirmationRequired
 	 * @param string $id
 	 * @return DataResponse
 	 */
diff --git a/settings/Controller/UsersController.php b/settings/Controller/UsersController.php
index 4c732a94c9a..89831a66aba 100644
--- a/settings/Controller/UsersController.php
+++ b/settings/Controller/UsersController.php
@@ -301,6 +301,7 @@ class UsersController extends Controller {
 
 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $username
 	 * @param string $password
@@ -433,6 +434,7 @@ class UsersController extends Controller {
 
 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $id
 	 * @return DataResponse
@@ -616,6 +618,7 @@ class UsersController extends Controller {
 	 *
 	 * @NoAdminRequired
 	 * @NoSubadminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $username
 	 * @param string $displayName
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index ff79861b811..b9958bef0c9 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -28,6 +28,13 @@
 OC_JSON::checkSubAdminUser();
 OCP\JSON::callCheck();
 
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+	$l = \OC::$server->getL10N('core');
+	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+	exit();
+}
+
 $success = true;
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
diff --git a/settings/ajax/togglesubadmins.php b/settings/ajax/togglesubadmins.php
index 390e5c09ef3..5658a382410 100644
--- a/settings/ajax/togglesubadmins.php
+++ b/settings/ajax/togglesubadmins.php
@@ -24,6 +24,13 @@
 OC_JSON::checkAdminUser();
 OCP\JSON::callCheck();
 
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+	$l = \OC::$server->getL10N('core');
+	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+	exit();
+}
+
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
 
diff --git a/settings/js/users/users.js b/settings/js/users/users.js
index 3a357c0e9c4..7f23f2dad3f 100644
--- a/settings/js/users/users.js
+++ b/settings/js/users/users.js
@@ -353,6 +353,14 @@ var UserList = {
 		$userListBody.on('click', '.delete', function () {
 			// Call function for handling delete/undo
 			var uid = UserList.getUID(this);
+
+			if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+				OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+					UserDeleteHandler.mark(uid);
+				});
+				return;
+			}
+
 			UserDeleteHandler.mark(uid);
 		});
 
@@ -405,6 +413,11 @@ var UserList = {
 	},
 
 	applyGroupSelect: function (element, user, checked) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments));
+			return;
+		}
+
 		var $element = $(element);
 
 		var checkHandler = null;
@@ -467,6 +480,11 @@ var UserList = {
 	},
 
 	applySubadminSelect: function (element, user, checked) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments));
+			return;
+		}
+
 		var $element = $(element);
 		var checkHandler = function (group) {
 			if (group === 'admin') {
@@ -478,7 +496,10 @@ var UserList = {
 					username: user,
 					group: group
 				},
-				function () {
+				function (response) {
+					if (response.data.message) {
+						OC.Notification.show(response.data.message);
+					}
 				}
 			);
 		};
@@ -635,6 +656,27 @@ $(document).ready(function () {
 	// TODO: move other init calls inside of initialize
 	UserList.initialize($('#userlist'));
 
+	var _submitPasswordChange = function(uid, password, recoveryPasswordVal) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+				_submitPasswordChange(uid, password, recoveryPasswordVal);
+			});
+			return;
+		}
+
+		$.post(
+			OC.generateUrl('/settings/users/changepassword'),
+			{username: uid, password: password, recoveryPassword: recoveryPasswordVal},
+			function (result) {
+				if (result.status === 'success') {
+					OC.Notification.showTemporary(t('admin', 'Password successfully changed'));
+				} else {
+					OC.Notification.showTemporary(t('admin', result.data.message));
+				}
+			}
+		);
+	};
+
 	$userListBody.on('click', '.password', function (event) {
 		event.stopPropagation();
 
@@ -657,17 +699,7 @@ $(document).ready(function () {
 				if (event.keyCode === 13) {
 					if ($(this).val().length > 0) {
 						var recoveryPasswordVal = $('input:password[id="recoveryPassword"]').val();
-						$.post(
-							OC.generateUrl('/settings/users/changepassword'),
-							{username: uid, password: $(this).val(), recoveryPassword: recoveryPasswordVal},
-							function (result) {
-								if (result.status === 'success') {
-									OC.Notification.showTemporary(t('admin', 'Password successfully changed'));
-								} else {
-									OC.Notification.showTemporary(t('admin', result.data.message));
-								}
-							}
-						);
+						_submitPasswordChange(uid, $(this).val(), recoveryPasswordVal);
 						$input.blur();
 					} else {
 						$input.blur();
@@ -796,7 +828,14 @@ $(document).ready(function () {
 	});
 
 	UserList._updateGroupListLabel($('#newuser .groups'), []);
-	$('#newuser').submit(function (event) {
+	var _submitNewUserForm = function (event) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+				_submitNewUserForm(event);
+			});
+			return;
+		}
+
 		event.preventDefault();
 		var username = $('#newusername').val();
 		var password = $('#newuserpassword').val();
@@ -866,7 +905,8 @@ $(document).ready(function () {
 					$('#newuser').get(0).reset();
 				});
 		});
-	});
+	}
+	$('#newuser').submit(_submitNewUserForm);
 
 	if ($('#CheckboxStorageLocation').is(':checked')) {
 		$("#userlist .storageLocation").show();
-- 
cgit v1.2.3