SEBSERV-21 fixed User-Account password reset difference between own

account and an account that is administrated by another user
anhefti 2019-03-08 20:18:18 +01:00
parent 2ba0045c60
commit c0b6725c7d
4 changed files with 25 additions and 15 deletions


@ -20,7 +20,7 @@ import ch.ethz.seb.sebserver.gbl.model.Entity;
public class PasswordChange implements Entity { public class PasswordChange implements Entity {
public static final String ATTR_NAME_OLD_PASSWORD = "oldPassword"; public static final String ATTR_NAME_PASSWORD = "password";
public static final String ATTR_NAME_NEW_PASSWORD = "newPassword"; public static final String ATTR_NAME_NEW_PASSWORD = "newPassword";
public static final String ATTR_NAME_CONFIRM_NEW_PASSWORD = "confirmNewPassword"; public static final String ATTR_NAME_CONFIRM_NEW_PASSWORD = "confirmNewPassword";
@ -28,9 +28,9 @@ public class PasswordChange implements Entity {
@JsonProperty(USER.ATTR_UUID) @JsonProperty(USER.ATTR_UUID)
public final String userId; public final String userId;
@NotNull(message = "user:oldPassword:notNull") @NotNull(message = "user:password:notNull")
@JsonProperty(ATTR_NAME_OLD_PASSWORD) @JsonProperty(ATTR_NAME_PASSWORD)
private final String oldPassword; private final String password;
@NotNull(message = "user:newPassword:notNull") @NotNull(message = "user:newPassword:notNull")
@Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}") @Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}")
@ -44,18 +44,18 @@ public class PasswordChange implements Entity {
@JsonCreator @JsonCreator
public PasswordChange( public PasswordChange(
@JsonProperty(USER.ATTR_UUID) final String userId, @JsonProperty(USER.ATTR_UUID) final String userId,
@JsonProperty(ATTR_NAME_OLD_PASSWORD) final String oldPassword, @JsonProperty(ATTR_NAME_PASSWORD) final String password,
@JsonProperty(ATTR_NAME_NEW_PASSWORD) final String newPassword, @JsonProperty(ATTR_NAME_NEW_PASSWORD) final String newPassword,
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final String confirmNewPassword) { @JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final String confirmNewPassword) {
this.userId = userId; this.userId = userId;
this.oldPassword = oldPassword; this.password = password;
this.newPassword = newPassword; this.newPassword = newPassword;
this.confirmNewPassword = confirmNewPassword; this.confirmNewPassword = confirmNewPassword;
} }
public String getOldPassword() { public String getPassword() {
return this.oldPassword; return this.password;
} }
public String getNewPassword() { public String getNewPassword() {
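Review bot: The renamed field `password` (JSON property `"password"`) no longer says whose password it holds, and on a `PasswordChange` that also carries a `userId` it reads as the target account's password, whereas the controller change in this same commit matches it against the authenticated caller's stored hash. Add a Javadoc on the field making that explicit: `/** Current password of the authenticated user submitting the change (not of the account identified by userId); verified server-side against the caller's stored password hash. */`. The same one-line caveat belongs on `getPassword()`, since that is what the controller reads. The class continues outside the hunk.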


@ -39,6 +39,11 @@ import ch.ethz.seb.sebserver.gui.widget.WidgetFactory;
@Lazy @Lazy
@Component @Component
@GuiProfile @GuiProfile
/** The form to change an User-Account password.
* If the current user is the owner of the User-Account the password is required and must
* match the users current password.
* If the current user is an administrator that has to reset another users password the
* password that is also required must match the administrators current password. */
public class UserAccountChangePasswordForm implements TemplateComposer { public class UserAccountChangePasswordForm implements TemplateComposer {
private final PageFormService pageFormService; private final PageFormService pageFormService;
@ -74,6 +79,8 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
pageContext.getParent(), pageContext.getParent(),
new LocTextKey("sebserver.useraccount.form.pwchange.title", userInfo.username)); new LocTextKey("sebserver.useraccount.form.pwchange.title", userInfo.username));
final boolean ownAccount = this.currentUser.get().uuid.equals(entityKey.getModelId());
// The Password Change form // The Password Change form
final FormHandle<UserInfo> formHandle = this.pageFormService.getBuilder( final FormHandle<UserInfo> formHandle = this.pageFormService.getBuilder(
pageContext.copyOf(content), 4) pageContext.copyOf(content), 4)
@ -82,8 +89,8 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
Domain.USER.ATTR_UUID, Domain.USER.ATTR_UUID,
entityKey.getModelId()) entityKey.getModelId())
.addField(FormBuilder.text( .addField(FormBuilder.text(
PasswordChange.ATTR_NAME_OLD_PASSWORD, PasswordChange.ATTR_NAME_PASSWORD,
"sebserver.useraccount.form.password.old") "sebserver.useraccount.form.password")
.asPasswordField()) .asPasswordField())
.addField(FormBuilder.text( .addField(FormBuilder.text(
PasswordChange.ATTR_NAME_NEW_PASSWORD, PasswordChange.ATTR_NAME_NEW_PASSWORD,
@ -99,7 +106,7 @@ public class UserAccountChangePasswordForm implements TemplateComposer {
pageContext.createAction(ActionDefinition.USER_ACCOUNT_CHANGE_PASSOWRD_SAVE) pageContext.createAction(ActionDefinition.USER_ACCOUNT_CHANGE_PASSOWRD_SAVE)
.withExec(action -> { .withExec(action -> {
formHandle.postChanges(action); formHandle.postChanges(action);
if (this.currentUser.get().uuid.equals(entityKey.getModelId())) { if (ownAccount) {
// NOTE: in this case the user changed the password of the own account // NOTE: in this case the user changed the password of the own account
// this should cause an logout with specified message that password change // this should cause an logout with specified message that password change
// was successful and the pointing the need of re login with the new password // was successful and the pointing the need of re login with the new password
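Review bot: The single label key `sebserver.useraccount.form.password` ("Password") is ambiguous in the administrator case: the new class comment states the administrator must enter their own current password, yet an administrator resetting another account is at least as likely to type the target user's password into a field labelled just "Password", which would then be rejected server-side for no visible reason. Since `ownAccount` is now computed before the form is built, choose the label from it, e.g. `ownAccount ? "sebserver.useraccount.form.password" : "sebserver.useraccount.form.password.admin"` with a message such as "Your current password" for the new key. As a point of style, the new Javadoc block sits between the `@GuiProfile` annotation and the class declaration; Javadoc conventionally precedes the annotations, and tooling may not attach it in this position. The action lambda and the enclosing compose method continue outside the hunk.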


@ -115,14 +115,17 @@ public class UserAccountController extends ActivatableEntityController<UserInfo,
} }
private UserInfo checkPasswordChange(final UserInfo info, final PasswordChange passwordChange) { private UserInfo checkPasswordChange(final UserInfo info, final PasswordChange passwordChange) {
final SEBServerUser authUser = this.userDAO.sebServerUserByUsername(info.username) final SEBServerUser currentUser = this.userDAO.sebServerUserByUsername(this.authorization
.getUserService()
.getCurrentUser().getUsername())
.getOrThrow(); .getOrThrow();
if (!this.userPasswordEncoder.matches(passwordChange.getOldPassword(), authUser.getPassword())) { if (!this.userPasswordEncoder.matches(passwordChange.getPassword(), currentUser.getPassword())) {
throw new APIMessageException(APIMessage.fieldValidationError( throw new APIMessageException(APIMessage.fieldValidationError(
new FieldError( new FieldError(
"passwordChange", "passwordChange",
PasswordChange.ATTR_NAME_OLD_PASSWORD, PasswordChange.ATTR_NAME_PASSWORD,
"user:oldPassword:password.wrong"))); "user:oldPassword:password.wrong")));
} }
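Review bot: The field error raised on a mismatch still uses the message key `"user:oldPassword:password.wrong"` while the field it is attached to was renamed to `PasswordChange.ATTR_NAME_PASSWORD` and the bean's validation key in this commit became `user:password:notNull`; change it to `"user:password:password.wrong"` (with the message bundle updated) so the keys agree. With this change the check verifies the caller's own password for every target, and the visible part of the method no longer reads `info` at all — if the rest of the method does not either, the decision that this caller may change `info`'s password must be enforced elsewhere, which is worth confirming now that the re-authentication is no longer tied to the target account. The method body continues outside the hunk.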


@ -134,7 +134,7 @@ sebserver.useraccount.form.password=Password
sebserver.useraccount.form.password.confirm=Confirm Password sebserver.useraccount.form.password.confirm=Confirm Password
sebserver.useraccount.form.pwchange.title=Change Password : {0} sebserver.useraccount.form.pwchange.title=Change Password : {0}
sebserver.useraccount.form.password.old=Old Password sebserver.useraccount.form.password=Password
sebserver.useraccount.form.password.new=New Password sebserver.useraccount.form.password.new=New Password
sebserver.useraccount.form.password.new.confirm=Confirm New Password sebserver.useraccount.form.password.new.confirm=Confirm New Password