Require password confirmation for user management

Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-25 13:05:13 +07:00 · 2016-10-25 13:05:13 +07:00 · 2fd2e45e42
parent 410e0fc28f
commit 2fd2e45e42
6 changed files with 74 additions and 14 deletions
--- a/settings/Controller/ChangePasswordController.php
+++ b/settings/Controller/ChangePasswordController.php
@ -131,6 +131,7 @@ class ChangePasswordController extends Controller {

 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $username
 	 * @param string $password
--- a/settings/Controller/GroupsController.php
+++ b/settings/Controller/GroupsController.php
@ -95,6 +95,7 @@ class GroupsController extends Controller {
 	}

 	/**
+	 * @PasswordConfirmationRequired
 	 * @param string $id
 	 * @return DataResponse
 	 */
@ -128,6 +129,7 @@ class GroupsController extends Controller {
 	}

 	/**
+	 * @PasswordConfirmationRequired
 	 * @param string $id
 	 * @return DataResponse
 	 */
--- a/settings/Controller/UsersController.php
+++ b/settings/Controller/UsersController.php
@ -301,6 +301,7 @@ class UsersController extends Controller {

 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $username
 	 * @param string $password
@ -433,6 +434,7 @@ class UsersController extends Controller {

 	/**
 	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $id
 	 * @return DataResponse
@ -616,6 +618,7 @@ class UsersController extends Controller {
 	 *
 	 * @NoAdminRequired
 	 * @NoSubadminRequired
+	 * @PasswordConfirmationRequired
 	 *
 	 * @param string $username
 	 * @param string $displayName
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@ -28,6 +28,13 @@
 OC_JSON::checkSubAdminUser();
 OCP\JSON::callCheck();

+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+	$l = \OC::$server->getL10N('core');
+	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+	exit();
+}
+
 $success = true;
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
--- a/settings/ajax/togglesubadmins.php
+++ b/settings/ajax/togglesubadmins.php
@ -24,6 +24,13 @@
 OC_JSON::checkAdminUser();
 OCP\JSON::callCheck();

+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+	$l = \OC::$server->getL10N('core');
+	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+	exit();
+}
+
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];

--- a/settings/js/users/users.js
+++ b/settings/js/users/users.js
@ -353,6 +353,14 @@ var UserList = {
 		$userListBody.on('click', '.delete', function () {
 			// Call function for handling delete/undo
 			var uid = UserList.getUID(this);
+
+			if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+				OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+					UserDeleteHandler.mark(uid);
+				});
+				return;
+			}
+
 			UserDeleteHandler.mark(uid);
 		});

@ -405,6 +413,11 @@ var UserList = {
 	},

 	applyGroupSelect: function (element, user, checked) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments));
+			return;
+		}
+
 		var $element = $(element);

 		var checkHandler = null;
@ -467,6 +480,11 @@ var UserList = {
 	},

 	applySubadminSelect: function (element, user, checked) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments));
+			return;
+		}
+
 		var $element = $(element);
 		var checkHandler = function (group) {
 			if (group === 'admin') {
@ -478,7 +496,10 @@ var UserList = {
 					username: user,
 					group: group
 				},
-				function () {
+				function (response) {
+					if (response.data.message) {
+						OC.Notification.show(response.data.message);
+					}
 				}
 			);
 		};
@ -635,6 +656,27 @@ $(document).ready(function () {
 	// TODO: move other init calls inside of initialize
 	UserList.initialize($('#userlist'));

+	var _submitPasswordChange = function(uid, password, recoveryPasswordVal) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+				_submitPasswordChange(uid, password, recoveryPasswordVal);
+			});
+			return;
+		}
+
+		$.post(
+			OC.generateUrl('/settings/users/changepassword'),
+			{username: uid, password: password, recoveryPassword: recoveryPasswordVal},
+			function (result) {
+				if (result.status === 'success') {
+					OC.Notification.showTemporary(t('admin', 'Password successfully changed'));
+				} else {
+					OC.Notification.showTemporary(t('admin', result.data.message));
+				}
+			}
+		);
+	};
+
 	$userListBody.on('click', '.password', function (event) {
 		event.stopPropagation();

@ -657,17 +699,7 @@ $(document).ready(function () {
 				if (event.keyCode === 13) {
 					if ($(this).val().length > 0) {
 						var recoveryPasswordVal = $('input:password[id="recoveryPassword"]').val();
-						$.post(
-							OC.generateUrl('/settings/users/changepassword'),
-							{username: uid, password: $(this).val(), recoveryPassword: recoveryPasswordVal},
-							function (result) {
-								if (result.status === 'success') {
-									OC.Notification.showTemporary(t('admin', 'Password successfully changed'));
-								} else {
-									OC.Notification.showTemporary(t('admin', result.data.message));
-								}
-							}
-						);
+						_submitPasswordChange(uid, $(this).val(), recoveryPasswordVal);
 						$input.blur();
 					} else {
 						$input.blur();
@ -796,7 +828,14 @@ $(document).ready(function () {
 	});

 	UserList._updateGroupListLabel($('#newuser .groups'), []);
-	$('#newuser').submit(function (event) {
+	var _submitNewUserForm = function (event) {
+		if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+			OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+				_submitNewUserForm(event);
+			});
+			return;
+		}
+
 		event.preventDefault();
 		var username = $('#newusername').val();
 		var password = $('#newuserpassword').val();
@ -866,7 +905,8 @@ $(document).ready(function () {
 					$('#newuser').get(0).reset();
 				});
 		});
-	});
+	}
+	$('#newuser').submit(_submitNewUserForm);

 	if ($('#CheckboxStorageLocation').is(':checked')) {
 		$("#userlist .storageLocation").show();