From 5c6b8fe2bc36a9348ac88b469fdb3e1ca8a2a42a Mon Sep 17 00:00:00 2001
From: Emma Garland
Date: Mon, 15 Mar 2021 09:01:10 +0000
Subject: [PATCH] Added security logic previously added to PasswordChanger

---
 src/Umbraco.Web.BackOffice/Controllers/MemberController.cs | 1 +
 src/Umbraco.Web.BackOffice/Controllers/UsersController.cs | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
index 3c5adb8ebe..1ba7f41d97 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
@@ -477,6 +477,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
             {
                 return new ValidationErrorResult("The current user is not authorized");
             }
+
             var changingPasswordModel = new ChangingPasswordModel
             {
                 Id = intId.Result,
diff --git a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
index da19fa473a..ad81a32575 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
 using System.Globalization;
 using System.IO;
 using System.Linq;
@@ -722,6 +723,11 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
                 return new ValidationErrorResult("The current user is not authorized");
             }
+            if (!currentUser.IsAdmin() && found.IsAdmin())
+            {
+                return new ValidationErrorResult("The current user cannot change the password for the specified user");
+            }
+
             Attempt passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _userManager);
             if (passwordChangeResult.Success)
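Review bot: `using System.ComponentModel.DataAnnotations;` is added to UsersController but none of the lines this commit adds to that file references a type from that namespace — the admin guard further down uses only `IsAdmin()` and `ValidationErrorResult`. If nothing outside the visible hunks needs it, drop the directive; an unused using is analyzer noise (IDE0005) and reads like a leftover from the PasswordChanger move. The rest of the using block continues outside the hunk, so this is inferred from what is shown.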
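Review bot: The new `if (!currentUser.IsAdmin() && found.IsAdmin())` guard now lives only in UsersController, so any other caller of `_passwordChanger.ChangePasswordWithIdentityAsync` no longer benefits if the check was actually removed from PasswordChanger as the subject line suggests; the MemberController hunk in this same commit reaches the same changer and gains only a blank line, so confirm the rule is still enforced centrally or document why member password changes do not need it. The guard itself is well placed — after the existing authorization check and before anything touches the password — and failing closed with a result rather than an exception matches the surrounding style. Because the line just above already returns "The current user is not authorized", a reader may wonder why a second check with a different message exists; a one-line why-comment such as `// Even an authorized editor must not reset an admin's password unless they are an admin themselves` would settle that. The enclosing method starts before this hunk.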