Removes the various old hacks for the legacy user's membership provider. Now that we have the AllowManuallyChangingPassword flag, these hacks are not required.
@@ -5,7 +5,7 @@
|
||||
<user>0</user>
|
||||
<startNode>1080</startNode>
|
||||
<fullTree>False</fullTree>
|
||||
<documentTypeAlias>umbBlog</documentTypeAlias>
|
||||
<documentTypeAlias>Base</documentTypeAlias>
|
||||
<fields>
|
||||
<categories>
|
||||
</categories>
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
using System;
|
||||
using System.Web.Security;
|
||||
using Umbraco.Core.Configuration;
|
||||
using Umbraco.Core.Security;
|
||||
using Umbraco.Web.Install;
|
||||
using Umbraco.Web.Security;
|
||||
using umbraco.BusinessLogic;
|
||||
@@ -60,7 +61,7 @@ namespace Umbraco.Web.UI.Install.Steps
|
||||
}
|
||||
|
||||
// Is it using the default membership provider
|
||||
if (CurrentProvider is UsersMembershipProvider)
|
||||
if (CurrentProvider.IsUmbracoUsersProvider())
|
||||
{
|
||||
// Save user in membership provider
|
||||
var umbracoUser = user as UsersMembershipUser;
|
||||
|
||||
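Review bot: The provider guard now appears to go through `IsUmbracoUsersProvider()`, but the line after it still narrows the user with `user as UsersMembershipUser`, and no null check on `umbracoUser` is visible in this hunk. If the extension method ever accepts more than the exact `UsersMembershipProvider` type (its body is not shown here), the `as` cast can return null and the failure would only surface later as a NullReferenceException while the install step saves the user. A direct cast `(UsersMembershipUser)user` or an explicit `if (umbracoUser == null)` check would fail at a clear point. The block continues past the end of the hunk.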
@@ -38,9 +38,12 @@ namespace umbraco.controls
|
||||
var umbProvider = Provider as MembershipProviderBase;
|
||||
if (umbProvider != null && umbProvider.AllowManuallyChangingPassword)
|
||||
{
|
||||
return false;
|
||||
_showOldPassword = false;
|
||||
}
|
||||
else
|
||||
{
|
||||
_showOldPassword = Provider.EnablePasswordRetrieval == false;
|
||||
}
|
||||
_showOldPassword = Provider.EnablePasswordRetrieval == false;
|
||||
}
|
||||
return _showOldPassword.Value;
|
||||
}
|
||||
|
||||
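Review bot: Hiding the old-password field when `AllowManuallyChangingPassword` is true is a display decision only, and nothing in this hunk distinguishes an administrator resetting another account from a user changing their own password. If this control is also used for self-service changes (not visible here), a hijacked session could set a new password without knowing the current one, so the server-side change path should still require the old password for the logged-in user's own account. A comment on the new branch would record that, for example `// UI only: the change-password call must decide whether the old password may be skipped`. The enclosing member starts above the hunk.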
@@ -167,14 +167,6 @@ namespace umbraco.cms.presentation.user
|
||||
var passwordChanger = (passwordChanger) LoadControl(SystemDirectories.Umbraco + "/controls/passwordChanger.ascx");
|
||||
passwordChanger.MembershipProviderName = UmbracoSettings.DefaultBackofficeProvider;
|
||||
|
||||
//This is a hack to allow the admin to change a user's password to whatever they want - this will only work if we are using the
|
||||
// default umbraco membership provider.
|
||||
// See the notes below in the ChangePassword method.
|
||||
if (BackOfficeProvider.IsUmbracoUsersProvider())
|
||||
{
|
||||
passwordChanger.ShowOldPassword = false;
|
||||
}
|
||||
|
||||
//Add a custom validation message for the password changer
|
||||
var passwordValidation = new CustomValidator
|
||||
{
|
||||
@@ -368,18 +360,6 @@ namespace umbraco.cms.presentation.user
|
||||
lname.Text = (user == null) ? u.LoginName : user.UserName;
|
||||
email.Text = (user == null) ? u.Email : user.Email;
|
||||
|
||||
//// Prevent users from changing information if logged in through a custom provider
|
||||
//// custom provider mapped accounts have empty passwords by default... so set update user fields to read only
|
||||
//// this will not be a security issue because empty passwords are not allowed in membership provider.
|
||||
//// This might change in version 4.0
|
||||
//if (string.IsNullOrEmpty(u.GetPassword()))
|
||||
//{
|
||||
// uname.ReadOnly = true;
|
||||
// lname.ReadOnly = true;
|
||||
// email.ReadOnly = true;
|
||||
// passw.Visible = false;
|
||||
//}
|
||||
|
||||
contentPicker.Value = u.StartNodeId.ToString(CultureInfo.InvariantCulture);
|
||||
mediaPicker.Value = u.StartMediaId.ToString(CultureInfo.InvariantCulture);
|
||||
|
||||
@@ -438,20 +418,6 @@ namespace umbraco.cms.presentation.user
|
||||
|
||||
var changePasswordModel = passwordChangerControl.ChangingPasswordModel;
|
||||
|
||||
// Is it using the default membership provider
|
||||
if (BackOfficeProvider.IsUmbracoUsersProvider())
|
||||
{
|
||||
//This is a total hack so that an admin can change the password without knowing the previous one
|
||||
// we do this by simply passing in the already stored hashed/encrypted password in the database -
|
||||
// this shouldn't be allowed but to maintain backwards compatibility we need to do this because
|
||||
// this logic was previously allowed.
|
||||
|
||||
//For this editor, we set the passwordChanger.ShowOldPassword = false so that the old password
|
||||
// field doesn't appear because we know we are going to manually set it here.
|
||||
// We'll change the model to have the already encrypted password stored in the db and that will continue to validate.
|
||||
changePasswordModel.OldPassword = u.Password;
|
||||
}
|
||||
|
||||
//now do the actual change
|
||||
var changePassResult = _membershipHelper.ChangePassword(
|
||||
membershipUser.UserName, changePasswordModel, BackOfficeProvider);
|
||||
|
||||
@@ -494,19 +494,6 @@ namespace umbraco.providers
|
||||
return false;
|
||||
}
|
||||
|
||||
//Due to the way this legacy provider worked, when it 'validated' a password passed in, it would allow
|
||||
// having the already hashed/encrypted password checked directly - this is bad but hey, we gotta support legacy
|
||||
// don't we.
|
||||
|
||||
//So, first we'll check if the user object's db stored password (already hashed/encrypted in the db) matches the password that
|
||||
// has been passed in, if so then we will confirm that it is valid. If it doesn't we'll attempt to hash/encrypt the passed in
|
||||
// password and then validate it - the way it is supposed to be done.
|
||||
|
||||
if (user.Password == password)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
return CheckPassword(password, user.Password);
|
||||
}
|
||||
}
|
||||
|
||||