SEBSERV-21 fixed User-Account password reset difference between own
account and an account that is administrated by an other user
This commit is contained in:
parent
2ba0045c60
commit
c0b6725c7d
4 changed files with 25 additions and 15 deletions
|
@ -20,7 +20,7 @@ import ch.ethz.seb.sebserver.gbl.model.Entity;
|
|||
|
||||
public class PasswordChange implements Entity {
|
||||
|
||||
public static final String ATTR_NAME_OLD_PASSWORD = "oldPassword";
|
||||
public static final String ATTR_NAME_PASSWORD = "password";
|
||||
public static final String ATTR_NAME_NEW_PASSWORD = "newPassword";
|
||||
public static final String ATTR_NAME_CONFIRM_NEW_PASSWORD = "confirmNewPassword";
|
||||
|
||||
|
@ -28,9 +28,9 @@ public class PasswordChange implements Entity {
|
|||
@JsonProperty(USER.ATTR_UUID)
|
||||
public final String userId;
|
||||
|
||||
@NotNull(message = "user:oldPassword:notNull")
|
||||
@JsonProperty(ATTR_NAME_OLD_PASSWORD)
|
||||
private final String oldPassword;
|
||||
@NotNull(message = "user:password:notNull")
|
||||
@JsonProperty(ATTR_NAME_PASSWORD)
|
||||
private final String password;
|
||||
|
||||
@NotNull(message = "user:newPassword:notNull")
|
||||
@Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}")
|
||||
|
@ -44,18 +44,18 @@ public class PasswordChange implements Entity {
|
|||
@JsonCreator
|
||||
public PasswordChange(
|
||||
@JsonProperty(USER.ATTR_UUID) final String userId,
|
||||
@JsonProperty(ATTR_NAME_OLD_PASSWORD) final String oldPassword,
|
||||
@JsonProperty(ATTR_NAME_PASSWORD) final String password,
|
||||
@JsonProperty(ATTR_NAME_NEW_PASSWORD) final String newPassword,
|
||||
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final String confirmNewPassword) {
|
||||
|
||||
this.userId = userId;
|
||||
this.oldPassword = oldPassword;
|
||||
this.password = password;
|
||||
this.newPassword = newPassword;
|
||||
this.confirmNewPassword = confirmNewPassword;
|
||||
}
|
||||
|
||||
public String getOldPassword() {
|
||||
return this.oldPassword;
|
||||
public String getPassword() {
|
||||
return this.password;
|
||||
}
|
||||
|
||||
public String getNewPassword() {
|
||||
|
|
|
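Review bot: The renamed `password` field in the `@ -28,9 +28,9` hunk carries no documentation of what it now means, and the name alone no longer says whose password it is; the GUI form's new class Javadoc explains the rule, but the DTO the API validates against does not. A comment above the `@NotNull(message = "user:password:notNull")` line such as `/** Current password of the authenticated user issuing the change: the owner's own password, or the administrator's own password when resetting another user's account. Not the target user's old password. */` would stop a client from sending the wrong credential, which is exactly what the controller hunk now rejects. Since the class keeps three plaintext passwords behind public getters and `@JsonProperty`, the class Javadoc should also warn that instances must never be logged or serialized back to clients. The class body continues outside the hunk.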
@ -39,6 +39,11 @@ import ch.ethz.seb.sebserver.gui.widget.WidgetFactory;
|
|||
@Lazy
|
||||
@Component
|
||||
@GuiProfile
|
||||
/** The form to change an User-Account password.
|
||||
* If the current user is the owner of the User-Account the password is required and must
|
||||
* match the users current password.
|
||||
* If the current user is an administrator that has to reset another users password the
|
||||
* password that is also required must match the administrators current password. */
|
||||
public class UserAccountChangePasswordForm implements TemplateComposer {
|
||||
|
||||
private final PageFormService pageFormService;
|
||||
|
@ -74,6 +79,8 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
|
|||
pageContext.getParent(),
|
||||
new LocTextKey("sebserver.useraccount.form.pwchange.title", userInfo.username));
|
||||
|
||||
final boolean ownAccount = this.currentUser.get().uuid.equals(entityKey.getModelId());
|
||||
|
||||
// The Password Change form
|
||||
final FormHandle<UserInfo> formHandle = this.pageFormService.getBuilder(
|
||||
pageContext.copyOf(content), 4)
|
||||
|
@ -82,8 +89,8 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
|
|||
Domain.USER.ATTR_UUID,
|
||||
entityKey.getModelId())
|
||||
.addField(FormBuilder.text(
|
||||
PasswordChange.ATTR_NAME_OLD_PASSWORD,
|
||||
"sebserver.useraccount.form.password.old")
|
||||
PasswordChange.ATTR_NAME_PASSWORD,
|
||||
"sebserver.useraccount.form.password")
|
||||
.asPasswordField())
|
||||
.addField(FormBuilder.text(
|
||||
PasswordChange.ATTR_NAME_NEW_PASSWORD,
|
||||
|
@ -99,7 +106,7 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
|
|||
pageContext.createAction(ActionDefinition.USER_ACCOUNT_CHANGE_PASSOWRD_SAVE)
|
||||
.withExec(action -> {
|
||||
formHandle.postChanges(action);
|
||||
if (this.currentUser.get().uuid.equals(entityKey.getModelId())) {
|
||||
if (ownAccount) {
|
||||
// NOTE: in this case the user changed the password of the own account
|
||||
// this should cause an logout with specified message that password change
|
||||
// was successful and the pointing the need of re login with the new password
|
||||
|
|
|
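Review bot: The current-password field keeps the generic label `"sebserver.useraccount.form.password"` even though the new class Javadoc says an administrator resetting another account must enter their own password, not the target user's; nothing in the form tells the admin which one is meant, so the wrong password will likely be typed and only the rejection reveals it. Now that `ownAccount` is computed before the builder, the label can depend on it, e.g. `ownAccount ? "sebserver.useraccount.form.password" : "sebserver.useraccount.form.password.admin"`, with a new bundle entry along the lines of "Your current password"; the same `entityKey.getModelId()` comparison already drives the save action below, so the two stay consistent. The form builder chain starts and ends outside the visible hunks.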
@ -115,14 +115,17 @@ public class UserAccountController extends ActivatableEntityController<UserInfo,
|
|||
}
|
||||
|
||||
private UserInfo checkPasswordChange(final UserInfo info, final PasswordChange passwordChange) {
|
||||
final SEBServerUser authUser = this.userDAO.sebServerUserByUsername(info.username)
|
||||
final SEBServerUser currentUser = this.userDAO.sebServerUserByUsername(this.authorization
|
||||
.getUserService()
|
||||
.getCurrentUser().getUsername())
|
||||
.getOrThrow();
|
||||
|
||||
if (!this.userPasswordEncoder.matches(passwordChange.getOldPassword(), authUser.getPassword())) {
|
||||
if (!this.userPasswordEncoder.matches(passwordChange.getPassword(), currentUser.getPassword())) {
|
||||
|
||||
throw new APIMessageException(APIMessage.fieldValidationError(
|
||||
new FieldError(
|
||||
"passwordChange",
|
||||
PasswordChange.ATTR_NAME_OLD_PASSWORD,
|
||||
PasswordChange.ATTR_NAME_PASSWORD,
|
||||
"user:oldPassword:password.wrong")));
|
||||
}
|
||||
|
||||
|
|
|
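Review bot: The wrong-password error is now reported against `PasswordChange.ATTR_NAME_PASSWORD`, but the message key on the following unchanged line is still `"user:oldPassword:password.wrong"`, so the field and its message disagree; either rename the key together with the bundle or add `// message key kept for compatibility with the existing translations` so the mismatch reads as deliberate. A failed re-authentication of the current user while resetting another account is a security-relevant event, and nothing in the hunk records it; an audit log line naming the current user and the target `info.username` before the exception is thrown would be worth adding. The check only proves the caller knows their own password; that the caller may administer `info` is presumably enforced by the surrounding authorization layer, which is outside this hunk and should be confirmed. `checkPasswordChange` continues past the end of the hunk.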
@ -134,7 +134,7 @@ sebserver.useraccount.form.password=Password
|
|||
sebserver.useraccount.form.password.confirm=Confirm Password
|
||||
|
||||
sebserver.useraccount.form.pwchange.title=Change Password : {0}
|
||||
sebserver.useraccount.form.password.old=Old Password
|
||||
sebserver.useraccount.form.password=Password
|
||||
sebserver.useraccount.form.password.new=New Password
|
||||
sebserver.useraccount.form.password.new.confirm=Confirm New Password
|
||||
|
||||
|
|
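Review bot: The added line `sebserver.useraccount.form.password=Password` duplicates a key that the hunk header shows already exists just above it (line 134), so the bundle now defines the same key twice; properties loaders silently keep the last value, which is harmless while both say "Password" but will mask a later edit to either one. Drop the added duplicate, or if the field needs a distinct label for the administrator case, give it its own key such as `sebserver.useraccount.form.password.current=Your current password`. Removing `sebserver.useraccount.form.password.old` is safe only if no other template still references it, which cannot be confirmed from this hunk.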