From c0b6725c7d3b201d5c93afb8b8e360629a847aef Mon Sep 17 00:00:00 2001
From: anhefti
Date: Fri, 8 Mar 2019 20:18:18 +0100
Subject: [PATCH] SEBSERV-21 fixed User-Account password reset difference between own account and an account that is administrated by an other user
---
 .../sebserver/gbl/model/user/PasswordChange.java | 16 ++++++++--------
 .../content/UserAccountChangePasswordForm.java | 13 ++++++++++---
 .../weblayer/api/UserAccountController.java | 9 ++++++---
 src/main/resources/messages.properties | 2 +-
 4 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/src/main/java/ch/ethz/seb/sebserver/gbl/model/user/PasswordChange.java b/src/main/java/ch/ethz/seb/sebserver/gbl/model/user/PasswordChange.java
index c8384831..46e27a1d 100644
--- a/src/main/java/ch/ethz/seb/sebserver/gbl/model/user/PasswordChange.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gbl/model/user/PasswordChange.java
@@ -20,7 +20,7 @@ import ch.ethz.seb.sebserver.gbl.model.Entity;
 public class PasswordChange implements Entity {
- public static final String ATTR_NAME_OLD_PASSWORD = "oldPassword";
+ public static final String ATTR_NAME_PASSWORD = "password";
 public static final String ATTR_NAME_NEW_PASSWORD = "newPassword";
 public static final String ATTR_NAME_CONFIRM_NEW_PASSWORD = "confirmNewPassword";
@@ -28,9 +28,9 @@ public class PasswordChange implements Entity {
 @JsonProperty(USER.ATTR_UUID)
 public final String userId;
- @NotNull(message = "user:oldPassword:notNull")
- @JsonProperty(ATTR_NAME_OLD_PASSWORD)
- private final String oldPassword;
+ @NotNull(message = "user:password:notNull")
+ @JsonProperty(ATTR_NAME_PASSWORD)
+ private final String password;
 @NotNull(message = "user:newPassword:notNull")
 @Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}")
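Review bot: Renaming the JSON attribute from `oldPassword` to `password` in the `@@ -20,7` hunk changes the wire contract of `PasswordChange`, so any API client still posting `oldPassword` now fails the `@NotNull(message = "user:password:notNull")` check added in the `@@ -28,9` hunk instead of being rejected for a wrong credential; the constructor and getter hunk on the next line only continues the same rename. The diffstat shows a single changed line in `messages.properties`, presumably the new form label, so it is worth confirming that the `user:password:notNull` validation key resolves as well. Per the commit subject the field now carries the requesting user's own current password rather than necessarily the target account's, and that should be stated on the field, e.g. `/** Current password of the requesting user, used to authorize the change; for an administrator resetting another account this is the administrator's own password, not the target user's. */`. Whether that password is actually checked against the requesting user's credential is presumably decided in the UserAccountController hunk, whose body lies outside this view.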
@@ -44,18 +44,18 @@ public class PasswordChange implements Entity {
 @JsonCreator
 public PasswordChange(
 @JsonProperty(USER.ATTR_UUID) final String userId,
- @JsonProperty(ATTR_NAME_OLD_PASSWORD) final String oldPassword,
+ @JsonProperty(ATTR_NAME_PASSWORD) final String password,
 @JsonProperty(ATTR_NAME_NEW_PASSWORD) final String newPassword,
 @JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final String confirmNewPassword) {
 this.userId = userId;
- this.oldPassword = oldPassword;
+ this.password = password;
 this.newPassword = newPassword;
 this.confirmNewPassword = confirmNewPassword;
 }
- public String getOldPassword() {
- return this.oldPassword;
+ public String getPassword() {
+ return this.password;
 }
 public String getNewPassword() {
diff --git a/src/main/java/ch/ethz/seb/sebserver/gui/content/UserAccountChangePasswordForm.java b/src/main/java/ch/ethz/seb/sebserver/gui/content/UserAccountChangePasswordForm.java
index e7eb7ae2..35bf1452 100644
--- a/src/main/java/ch/ethz/seb/sebserver/gui/content/UserAccountChangePasswordForm.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gui/content/UserAccountChangePasswordForm.java
@@ -39,6 +39,11 @@ import ch.ethz.seb.sebserver.gui.widget.WidgetFactory;
 @Lazy
 @Component
 @GuiProfile
+/** The form to change an User-Account password.
+ * If the current user is the owner of the User-Account the password is required and must
+ * match the users current password.
+ * If the current user is an administrator that has to reset another users password the
+ * password that is also required must match the administrators current password. */
 public class UserAccountChangePasswordForm implements TemplateComposer {
 private final PageFormService pageFormService;
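Review bot: The new Javadoc in the `@@ -39,6` hunk sits between `@GuiProfile` and `public class`, i.e. after the annotations, where javadoc and most IDEs treat it as a dangling comment rather than the documentation of the class; move the `/** ... */` block above `@Lazy` so it attaches to `UserAccountChangePasswordForm`. While moving it the wording can be tightened (`a User-Account`, `user's`, `administrator's`), and it would help readers to add that the form only collects and posts the value and that the rule described here has to be enforced by the web service. The `@@ -44,18` hunk above only continues the `oldPassword` to `password` rename already reviewed at the PasswordChange field hunks.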
@@ -74,6 +79,8 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
 pageContext.getParent(),
 new LocTextKey("sebserver.useraccount.form.pwchange.title", userInfo.username));
+ final boolean ownAccount = this.currentUser.get().uuid.equals(entityKey.getModelId());
+
 // The Password Change form
 final FormHandle formHandle = this.pageFormService.getBuilder(
 pageContext.copyOf(content), 4)
@@ -82,8 +89,8 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
 Domain.USER.ATTR_UUID,
 entityKey.getModelId())
 .addField(FormBuilder.text(
- PasswordChange.ATTR_NAME_OLD_PASSWORD,
- "sebserver.useraccount.form.password.old")
+ PasswordChange.ATTR_NAME_PASSWORD,
+ "sebserver.useraccount.form.password")
 .asPasswordField())
 .addField(FormBuilder.text(
 PasswordChange.ATTR_NAME_NEW_PASSWORD,
@@ -99,7 +106,7 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
 pageContext.createAction(ActionDefinition.USER_ACCOUNT_CHANGE_PASSOWRD_SAVE)
 .withExec(action -> {
 formHandle.postChanges(action);
- if (this.currentUser.get().uuid.equals(entityKey.getModelId())) {
+ if (ownAccount) {
 // NOTE: in this case the user changed the password of the own account
 // this should cause an logout with specified message that password change
 // was successful and the pointing the need of re login with the new password
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java
index cff1c5fa..dabda0bd 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java
@@ -115,14 +115,17 @@ public class UserAccountController extends ActivatableEntityController
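Review bot: The single label key `"sebserver.useraccount.form.password"` in the `@@ -82,8` hunk is used for both cases, yet the class Javadoc says an administrator resetting another account must enter the administrator's own current password; without a distinct label an administrator will naturally type the target user's password into that field and get a rejection they cannot interpret. Since `ownAccount` is now available before the builder runs, the label can follow it, e.g. `ownAccount ? "sebserver.useraccount.form.password" : "<label key for the administrator-reset case, to be added to messages.properties>"`, with the key name being a placeholder to choose. The `ownAccount` flag in the `@@ -74,6` hunk is evaluated once at compose time instead of inside the save action as before, which seems harmless for the same session but deserves a line such as `// decided at compose time; only selects the post-save logout behaviour, the password check itself is done by the web service`, and `this.currentUser.get()` is dereferenced without a guard, so confirm it cannot be absent here. The method enclosing these hunks starts outside the hunks, and the UserAccountController hunk at the end of this chunk has no body in view.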