diff --git a/src/Umbraco.Core/Models/ChangingPasswordModel.cs b/src/Umbraco.Core/Models/ChangingPasswordModel.cs
index 37dad33eb3..5df6c42c1e 100644
--- a/src/Umbraco.Core/Models/ChangingPasswordModel.cs
+++ b/src/Umbraco.Core/Models/ChangingPasswordModel.cs
@@ -25,25 +25,5 @@ namespace Umbraco.Cms.Core.Models
///
[DataMember(Name = "id")]
public int Id { get; set; }
-
- ///
- /// The username of the user/member who is changing the password
- ///
- public string CurrentUsername { get; set; }
-
- ///
- /// The ID of the user/member whose password is being changed
- ///
- public int SavingUserId { get; set; }
-
- ///
- /// The username of the user/memeber whose password is being changed
- ///
- public string SavingUsername { get; set; }
-
- ///
- /// True if the current user has access to change the password for the member/user
- ///
- public bool CurrentUserHasSectionAccess { get; set; }
}
}
diff --git a/src/Umbraco.Web.BackOffice/Controllers/CurrentUserController.cs b/src/Umbraco.Web.BackOffice/Controllers/CurrentUserController.cs
index 77492caccf..c0615e37a1 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/CurrentUserController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/CurrentUserController.cs
@@ -223,13 +223,12 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
public async Task>> PostChangePassword(ChangingPasswordModel changingPasswordModel)
{
IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser;
- changingPasswordModel.CurrentUserHasSectionAccess = currentUser.HasSectionAccess(Constants.Applications.Users);
- // the current user has access to change their password
- changingPasswordModel.CurrentUserHasSectionAccess = true;
- changingPasswordModel.CurrentUsername = currentUser.Username;
- changingPasswordModel.SavingUsername = currentUser.Username;
- changingPasswordModel.SavingUserId = currentUser.Id;
+ // if the current user has access to reset/manually change the password
+ if (currentUser.HasSectionAccess(Constants.Applications.Users) == false)
+ {
+ return new ValidationErrorResult("The current user is not authorized");
+ }
Attempt passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _backOfficeUserManager);
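Review bot: The target of the change is no longer pinned to the caller: the removed line `changingPasswordModel.SavingUserId = currentUser.Id;` is not replaced, and the PasswordChanger hunk now resolves the account from `changingPasswordModel.Id`, which arrives in the request body, so this action should set `changingPasswordModel.Id = currentUser.Id;` before calling the password changer (or reject a mismatching Id). The new Users-section gate on the preceding line also appears to change who may use this endpoint: the removed comment says the current user always has access to change their own password, whereas now a back-office user without Users-section access is refused — if self-service changes are still intended, the gate should apply only when the model omits `OldPassword` (the reset path in PasswordChanger), not to every call. The rest of PostChangePassword lies outside the hunk.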
diff --git a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
index d9b2cca270..b5f81ca3f4 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/MemberController.cs
@@ -471,16 +471,17 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
}
IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser;
+ // if the current user has access to reset/manually change the password
+ if (currentUser.HasSectionAccess(Constants.Applications.Members) == false)
+ {
+ return new ValidationErrorResult("The current user is not authorized");
+ }
var changingPasswordModel = new ChangingPasswordModel
{
Id = intId.Result,
OldPassword = contentItem.Password.OldPassword,
NewPassword = contentItem.Password.NewPassword,
- CurrentUsername = currentUser.Username,
- SavingUserId = foundMember.Id,
- SavingUsername = foundMember.Username,
- CurrentUserHasSectionAccess = currentUser.HasSectionAccess(Constants.Applications.Members)
- };
+ };
Attempt passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _memberManager);
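Review bot: The Members-section check is placed after the member has already been looked up and after the password fields have been read from `contentItem` (the lookup is above the hunk, so this is inferred from `foundMember`/`intId.Result`); an authorization gate is better placed at the top of the action, before any lookup, so unauthorized callers do no work beyond the check. The initializer now passes `Id = intId.Result` where the removed code passed `SavingUserId = foundMember.Id`; if `intId` is the id the member was loaded by these agree, but `Id = foundMember.Id` would make that explicit. `currentUser.HasSectionAccess(...) == false` reads more idiomatically as `!currentUser.HasSectionAccess(...)`, here and in the matching checks in CurrentUserController and UsersController. The enclosing action starts and ends outside the hunk.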
diff --git a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
index 61103a692d..7ad12ecd65 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -708,8 +708,18 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
}
IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser;
- changingPasswordModel.CurrentUserHasSectionAccess = currentUser.HasSectionAccess(Constants.Applications.Users);
- changingPasswordModel.CurrentUsername = currentUser.Username;
+
+ // if it's the current user, the current user cannot reset their own password
+ if (currentUser.Username == found.Username)
+ {
+ return new ValidationErrorResult("Password reset is not allowed");
+ }
+
+ // if the current user has access to reset/manually change the password
+ if (currentUser.HasSectionAccess(Constants.Applications.Users) == false)
+ {
+ return new ValidationErrorResult("The current user is not authorized");
+ }
Attempt passwordChangeResult = await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _userManager);
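Review bot: The self-change check compares usernames, `currentUser.Username == found.Username`, which depends on how usernames are normalized; comparing the identifiers, `if (currentUser.Id == found.Id)`, is the unambiguous test (`found` is declared above the hunk). The check is also unconditional, while the commented-out logic it replaces in PasswordChanger applied "Password reset is not allowed" only inside the `OldPassword.IsNullOrWhiteSpace()` branch, so a user who supplies their old password through this action is now refused as well — if that is intended, a comment stating it would help, otherwise guard on `changingPasswordModel.OldPassword.IsNullOrWhiteSpace()` too. The enclosing action starts and ends outside the hunk.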
diff --git a/src/Umbraco.Web.BackOffice/Security/PasswordChanger.cs b/src/Umbraco.Web.BackOffice/Security/PasswordChanger.cs
index 90785b9a81..99e8a98a32 100644
--- a/src/Umbraco.Web.BackOffice/Security/PasswordChanger.cs
+++ b/src/Umbraco.Web.BackOffice/Security/PasswordChanger.cs
@@ -8,8 +8,6 @@ using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Models.Identity;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;
-using Constants = Umbraco.Cms.Core.Constants;
-using IUser = Umbraco.Cms.Core.Models.Membership.IUser;
namespace Umbraco.Cms.Web.BackOffice.Security
{
@@ -56,33 +54,21 @@ namespace Umbraco.Cms.Web.BackOffice.Security
return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Cannot set an empty password", new[] { "value" }) });
}
- TUser identityUser = await userMgr.FindByIdAsync(changingPasswordModel.SavingUserId.ToString());
+ var userId = changingPasswordModel.Id.ToString();
+ TUser identityUser = await userMgr.FindByIdAsync(userId);
if (identityUser == null)
{
// this really shouldn't ever happen... but just in case
return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password could not be verified", new[] { "oldPassword" }) });
}
- // Are we just changing another user's password?
+ // Are we just changing another user/member's password?
if (changingPasswordModel.OldPassword.IsNullOrWhiteSpace())
{
- //// if it's the current user, the current user cannot reset their own password
- //// For members, this should not happen
- //if (changingPasswordModel.CurrentUsername == changingPasswordModel.SavingUsername)
- //{
- // return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("Password reset is not allowed", new[] { "value" }) });
- //}
-
- //// if the current user has access to reset/manually change the password
- //if (currentUser.HasSectionAccess(Constants.Applications.Users) == false)
- //{
- // return Attempt.Fail(new PasswordChangedModel { ChangeError = new ValidationResult("The current user is not authorized", new[] { "value" }) });
- //}
-
// ok, we should be able to reset it
string resetToken = await userMgr.GeneratePasswordResetTokenAsync(identityUser);
- IdentityResult resetResult = await userMgr.ChangePasswordWithResetAsync(changingPasswordModel.SavingUserId.ToString(), resetToken, changingPasswordModel.NewPassword);
+ IdentityResult resetResult = await userMgr.ChangePasswordWithResetAsync(userId, resetToken, changingPasswordModel.NewPassword);
if (resetResult.Succeeded == false)
{