diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs
index 6691a025e4..7f4f5bf014 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/controls/passwordChanger.ascx.cs
@@ -38,9 +38,12 @@ namespace umbraco.controls
  var umbProvider = Provider as MembershipProviderBase;
  if (umbProvider != null && umbProvider.AllowManuallyChangingPassword)
  {
- return false;
+ _showOldPassword = false;
+ }
+ else
+ {
+ _showOldPassword = Provider.EnablePasswordRetrieval == false;
  }
- _showOldPassword = Provider.EnablePasswordRetrieval == false;
  }
  return _showOldPassword.Value;
  }
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
index 95ff0e9ab3..5c96675d99 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
@@ -158,15 +158,7 @@ namespace umbraco.cms.presentation.user
  // Add password changer
  var passwordChanger = (passwordChanger) LoadControl(SystemDirectories.Umbraco + "/controls/passwordChanger.ascx");
  passwordChanger.MembershipProviderName = UmbracoSettings.DefaultBackofficeProvider;
-
- //This is a hack to allow the admin to change a user's password to whatever they want - this will only work if we are using the
- // default umbraco membership provider.
- // See the notes below in the ChangePassword method.
- if (BackOfficeProvider is UsersMembershipProvider)
- {
- passwordChanger.ShowOldPassword = false;
- }
-
+ //Add a custom validation message for the password changer
  var passwordValidation = new CustomValidator
  {
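Review bot: The new branch hides the old-password field purely on the provider's `AllowManuallyChangingPassword` flag, and nothing in the hunk says that this is a display decision only, so a future reader may take the hidden field for the enforcement point; a comment above the `if` such as `// Display-only: when the provider permits setting a password without the current one, the old-password field is not rendered; the provider's ChangePassword path decides whether the old password is verified.` would make that explicit. The property declaration and the `_showOldPassword` cache it fills begin above the hunk, so whether a later change of Provider is ever re-evaluated cannot be judged from these lines. As a matter of style, `Provider.EnablePasswordRetrieval == false` would read more naturally as `!Provider.EnablePasswordRetrieval`.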
@@ -425,21 +417,7 @@ namespace umbraco.cms.presentation.user
  }
  var changePasswordModel = passwordChangerControl.ChangingPasswordModel;
-
- // Is it using the default membership provider
- if (BackOfficeProvider is UsersMembershipProvider)
- {
- //This is a total hack so that an admin can change the password without knowing the previous one
- // we do this by simply passing in the already stored hashed/encrypted password in the database - - this shouldn't be allowed but to maintain backwards compatibility we need to do this because
- // this logic was previously allowed.
-
- //For this editor, we set the passwordChanger.ShowOldPassword = false so that the old password
- // field doesn't appear because we know we are going to manually set it here.
- // We'll change the model to have the already encrypted password stored in the db and that will continue to validate.
- changePasswordModel.OldPassword = u.Password;
- }
-
+ //now do the actual change
  var changePassResult = UmbracoContext.Current.Security.ChangePassword(
  membershipUser.UserName, changePasswordModel, BackOfficeProvider);
diff --git a/src/umbraco.providers/UsersMembershipProvider.cs b/src/umbraco.providers/UsersMembershipProvider.cs
index 1794ed26a3..faf20e85be 100644
--- a/src/umbraco.providers/UsersMembershipProvider.cs
+++ b/src/umbraco.providers/UsersMembershipProvider.cs
@@ -42,7 +42,15 @@ namespace umbraco.providers
  {
  get { return true; }
  }
-
+
+ ///
+ /// For backwards compatibility, this provider supports this option
+ ///
+ public override bool AllowManuallyChangingPassword
+ {
+ get { return true; }
+ }
+
  public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
  {
  if (config == null) throw new ArgumentNullException("config");
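Review bot: The summary on the new `AllowManuallyChangingPassword` override says only that the option is supported for backwards compatibility and not what it permits, which here is that this provider's PerformChangePassword sets a new password without checking the old one; suggested summary text: `/// Always true for this provider: PerformChangePassword does not verify that the caller knows the current password, so anything that calls ChangePassword must already be authorized to reset the user's password.` The base declaration of this property is outside the hunk, so that it is virtual with a different default is inferred from the `override` keyword alone. The EditUser hunk above, which drops the stored-hash substitution into `changePasswordModel.OldPassword`, appears to depend on this override; a cross-reference from one to the other would help the next maintainer find both halves.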
@@ -68,35 +76,31 @@ namespace umbraco.providers
  ///
  protected override bool PerformChangePassword(string username, string oldPassword, string newPassword)
  {
+ //NOTE: due to backwards compatibilty reasons (and UX reasons), this provider doesn't care about the old password and
+ // allows simply setting the password manually so we don't really care about the old password.
+ // This is allowed based on the overridden AllowManuallyChangingPassword option.
+ var args = new ValidatePasswordEventArgs(username, newPassword, false);
+ OnValidatingPassword(args);
- if (ApplicationContext.Current.IsConfigured == false && oldPassword == "default"
- || ValidateUser(username, oldPassword))
+ if (args.Cancel)
  {
- var args = new ValidatePasswordEventArgs(username, newPassword, false);
- OnValidatingPassword(args);
+ if (args.FailureInformation != null)
+ throw args.FailureInformation;
+ throw new MembershipPasswordException("Change password canceled due to password validation failure.");
+ }
- if (args.Cancel)
- {
- if (args.FailureInformation != null)
- throw args.FailureInformation;
- throw new MembershipPasswordException("Change password canceled due to password validation failure.");
- }
+ var user = new User(username);
+ //encrypt/hash the new one
+ string salt;
+ var encodedPassword = EncryptOrHashNewPassword(newPassword, out salt);
- var user = new User(username);
- //encrypt/hash the new one
- string salt;
- var encodedPassword = EncryptOrHashNewPassword(newPassword, out salt);
+ //Yes, it's true, this actually makes a db call to set the password
+ user.Password = FormatPasswordForStorage(encodedPassword, salt);
+ //call this just for fun.
+ user.Save();
- //Yes, it's true, this actually makes a db call to set the password
- user.Password = FormatPasswordForStorage(encodedPassword, salt);
- //call this just for fun.
- user.Save();
-
- return true;
- }
-
- return false;
+ return true;
  }
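Review bot: PerformChangePassword now ignores its `oldPassword` parameter altogether, so the `ValidateUser(username, oldPassword)` check that used to guard this path no longer exists anywhere in this provider and the only protection left is whatever authorization the caller performs before ChangePassword; if the base ChangePassword does not itself gate on AllowManuallyChangingPassword (not visible in this hunk), keeping a fallback for a derived provider that overrides the option back to false would preserve the previous guarantee: `if (AllowManuallyChangingPassword == false && ValidateUser(username, oldPassword) == false) return false;` placed before `var args`. The leading comment says the same thing twice ("doesn't care about the old password ... so we don't really care about the old password") and misspells `compatibilty`; a single line such as `// This provider intentionally skips old-password verification (see AllowManuallyChangingPassword); authorizing the change is the caller's responsibility.` is enough. The removed `IsConfigured == false && oldPassword == "default"` install-time branch is subsumed by the new unconditional behaviour, which is worth stating in the commit message so the change in the bootstrap path is not missed. The base hooks used here (OnValidatingPassword, EncryptOrHashNewPassword, FormatPasswordForStorage) and the class header are outside the hunk.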