Updated to move the logic for whether the password change can occur, into the controller,

2021-02-26 12:42:18 +00:00
parent 8f392c252a
commit c36aaabd0e
5 changed files with 27 additions and 51 deletions
--- a/src/Umbraco.Core/Models/ChangingPasswordModel.cs
+++ b/src/Umbraco.Core/Models/ChangingPasswordModel.cs
@@ -25,25 +25,5 @@ namespace Umbraco.Cms.Core.Models
        /// </summary>
        [DataMember(Name = "id")]
        public int Id { get; set; }
-
-        /// <summary>
-        /// The username of the user/member who is changing the password
-        /// </summary>
-        public string CurrentUsername { get; set; }
-
-        /// <summary>
-        /// The ID of the user/member whose password is being changed
-        /// </summary>
-        public int SavingUserId { get; set; }
-
-        /// <summary>
-        /// The username of the user/memeber whose password is being changed
-        /// </summary>
-        public string SavingUsername { get; set; }
-
-        /// <summary>
-        /// True if the current user has access to change the password for the member/user
-        /// </summary>
-        public bool CurrentUserHasSectionAccess { get; set; }
    }
 }
--- a/src/Umbraco.Web.BackOffice/Controllers/CurrentUserController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/CurrentUserController.cs
@@ -223,13 +223,12 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
        public async Task<ActionResult<ModelWithNotifications<string>>> PostChangePassword(ChangingPasswordModel changingPasswordModel)
        {
            IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser;
-            changingPasswordModel.CurrentUserHasSectionAccess = currentUser.HasSectionAccess(Constants.Applications.Users);

-            // the current user has access to change their password
-            changingPasswordModel.CurrentUserHasSectionAccess = true;
-            changingPasswordModel.CurrentUsername = currentUser.Username;
-            changingPasswordModel.SavingUsername = currentUser.Username;
-            changingPasswordModel.SavingUserId = currentUser.Id;
+            // if the current user has access to reset/manually change the password
+            if (currentUser.HasSectionAccess(Constants.Applications.Users) == false)
+            {
+                return new ValidationErrorResult("The current user is not authorized");
+            }

            Attempt<PasswordChangedModel> passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _backOfficeUserManager);

--- a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
@@ -471,16 +471,17 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
                }

                IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser;
+                // if the current user has access to reset/manually change the password
+                if (currentUser.HasSectionAccess(Constants.Applications.Members) == false)
+                {
+                    return new ValidationErrorResult("The current user is not authorized");
+                }
                var changingPasswordModel = new ChangingPasswordModel
                {
                    Id = intId.Result,
                    OldPassword = contentItem.Password.OldPassword,
                    NewPassword = contentItem.Password.NewPassword,
-                    CurrentUsername = currentUser.Username,
-                    SavingUserId = foundMember.Id,
-                    SavingUsername = foundMember.Username,
-                    CurrentUserHasSectionAccess = currentUser.HasSectionAccess(Constants.Applications.Members)
-            };
+                };

                Attempt<PasswordChangedModel> passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _memberManager);

--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -708,8 +708,18 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
            }

            IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser;
-            changingPasswordModel.CurrentUserHasSectionAccess = currentUser.HasSectionAccess(Constants.Applications.Users);
-            changingPasswordModel.CurrentUsername = currentUser.Username;
+
+            // if it's the current user, the current user cannot reset their own password
+            if (currentUser.Username == found.Username)
+            {
+                return new ValidationErrorResult("Password reset is not allowed");
+            }
+
+            // if the current user has access to reset/manually change the password
+            if (currentUser.HasSectionAccess(Constants.Applications.Users) == false)
+            {
+                return new ValidationErrorResult("The current user is not authorized");
+            }

            Attempt<PasswordChangedModel> passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _userManager);

--- a/src/Umbraco.Web.BackOffice/Security/PasswordChanger.cs
+++ b/src/Umbraco.Web.BackOffice/Security/PasswordChanger.cs
@@ -8,8 +8,6 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Identity;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Extensions;
-using Constants = Umbraco.Cms.Core.Constants;
-using IUser = Umbraco.Cms.Core.Models.Membership.IUser;

 namespace Umbraco.Cms.Web.BackOffice.Security
 {
@@ -56,33 +54,21 @@ namespace Umbraco.Cms.Web.BackOffice.Security
                return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Cannot set an empty password", new[] { "value" }) });
            }

-            TUser identityUser = await userMgr.FindByIdAsync(changingPasswordModel.SavingUserId.ToString());
+            var userId = changingPasswordModel.Id.ToString();
+            TUser identityUser = await userMgr.FindByIdAsync(userId);
            if (identityUser == null)
            {
                // this really shouldn't ever happen... but just in case
                return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password could not be verified", new[] { "oldPassword" }) });
            }

-            // Are we just changing another user's password?
+            // Are we just changing another user/member's password?
            if (changingPasswordModel.OldPassword.IsNullOrWhiteSpace())
            {
-                //// if it's the current user, the current user cannot reset their own password
-                //// For members, this should not happen
-                //if (changingPasswordModel.CurrentUsername == changingPasswordModel.SavingUsername)
-                //{
-                //    return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password reset is not allowed", new[] { "value" }) });
-                //}
-
-                //// if the current user has access to reset/manually change the password
-                //if (currentUser.HasSectionAccess(Constants.Applications.Users) == false)
-                //{
-                //    return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("The current user is not authorized", new[] { "value" }) });
-                //}
-
                // ok, we should be able to reset it
                string resetToken = await userMgr.GeneratePasswordResetTokenAsync(identityUser);

-                IdentityResult resetResult = await userMgr.ChangePasswordWithResetAsync(changingPasswordModel.SavingUserId.ToString(), resetToken, changingPasswordModel.NewPassword);
+                IdentityResult resetResult = await userMgr.ChangePasswordWithResetAsync(userId, resetToken, changingPasswordModel.NewPassword);

                if (resetResult.Succeeded == false)
                {