fix(core): Require current password on password change (#285)
Increase security by requiring the current password when changing the password. This increases the security for cases such as XSS, or just a forgotten browser window left open. Fixes #4140pull/287/head
parent
03d8ed5e92
commit
2300fe8aab
|
@ -662,6 +662,8 @@
|
|||
password: &password];
|
||||
|
||||
newPassword = [message objectForKey: @"newPassword"];
|
||||
// overwrite the value from the session to compare the actual input
|
||||
password = [message objectForKey: @"oldPassword"];
|
||||
|
||||
um = [SOGoUserManager sharedUserManager];
|
||||
|
||||
|
|
|
@ -238,6 +238,7 @@
|
|||
"Additional Parameters" = "Additional Parameters";
|
||||
|
||||
/* password */
|
||||
"Current password" = "Current password";
|
||||
"New password" = "New password";
|
||||
"Confirmation" = "Confirmation";
|
||||
"Change" = "Change";
|
||||
|
|
|
@ -233,6 +233,7 @@
|
|||
"Additional Parameters" = "Zusätzliche Einstellungen";
|
||||
|
||||
/* password */
|
||||
"Current password" = "Aktuelles Passwort";
|
||||
"New password" = "Neues Passwort";
|
||||
"Confirmation" = "Bestätigung";
|
||||
"Change" = "Ändern";
|
||||
|
|
|
@ -262,16 +262,21 @@
|
|||
label:label="Password">
|
||||
<md-content id="passwordView" class="md-padding">
|
||||
<div layout="row">
|
||||
<md-input-container class="md-block" flex="50">
|
||||
<label><var:string label:value="Current password"/>
|
||||
</label>
|
||||
<input type="password" sg-no-dirty-check="true" ng-model="app.passwords.oldPassword"/>
|
||||
</md-input-container>
|
||||
<md-input-container class="md-block" flex="50">
|
||||
<label><var:string label:value="New password"/>
|
||||
</label>
|
||||
<input type="password" sg-no-dirty-check="true" ng-model="app.passwords.newPassword"/>
|
||||
<input type="password" sg-no-dirty-check="true" ng-model="app.passwords.newPassword"/>
|
||||
</md-input-container>
|
||||
|
||||
<md-input-container class="md-block" flex="50">
|
||||
<label><var:string label:value="Confirmation"/>
|
||||
</label>
|
||||
<input type="password" sg-no-dirty-check="true" ng-model="app.passwords.newPasswordConfirmation"/>
|
||||
<input type="password" sg-no-dirty-check="true" ng-model="app.passwords.newPasswordConfirmation"/>
|
||||
</md-input-container>
|
||||
</div>
|
||||
<div layout="row" layout-align="end center">
|
||||
|
|
|
@ -139,7 +139,7 @@
|
|||
return d.promise;
|
||||
}, // login: function(data) { ...
|
||||
|
||||
changePassword: function(newPassword) {
|
||||
changePassword: function(newPassword, oldPassword) {
|
||||
var d = $q.defer(),
|
||||
xsrfCookie = $cookies.get('XSRF-TOKEN');
|
||||
|
||||
|
@ -151,7 +151,7 @@
|
|||
headers: {
|
||||
'X-XSRF-TOKEN' : xsrfCookie
|
||||
},
|
||||
data: { newPassword: newPassword }
|
||||
data: { newPassword: newPassword, oldPassword: oldPassword }
|
||||
}).then(d.resolve, function(response) {
|
||||
var error,
|
||||
data = response.data,
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
this.$onInit = function() {
|
||||
this.preferences = Preferences;
|
||||
this.passwords = { newPassword: null, newPasswordConfirmation: null };
|
||||
this.passwords = { newPassword: null, newPasswordConfirmation: null, oldPassword: null };
|
||||
this.timeZonesList = $window.timeZonesList;
|
||||
this.timeZonesSearchText = '';
|
||||
this.sieveVariablesCapability = ($window.sieveCapabilities.indexOf('variables') >= 0);
|
||||
|
@ -465,14 +465,15 @@
|
|||
this.canChangePassword = function() {
|
||||
if (this.passwords.newPassword && this.passwords.newPassword.length > 0 &&
|
||||
this.passwords.newPasswordConfirmation && this.passwords.newPasswordConfirmation.length &&
|
||||
this.passwords.newPassword == this.passwords.newPasswordConfirmation)
|
||||
this.passwords.newPassword == this.passwords.newPasswordConfirmation &&
|
||||
this.passwords.oldPassword && this.passwords.oldPassword.length > 0)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
};
|
||||
|
||||
this.changePassword = function() {
|
||||
Authentication.changePassword(this.passwords.newPassword).then(function() {
|
||||
Authentication.changePassword(this.passwords.newPassword, this.passwords.oldPassword).then(function() {
|
||||
var alert = $mdDialog.alert({
|
||||
title: l('Password'),
|
||||
content: l('The password was changed successfully.'),
|
||||
|
|
Loading…
Reference in New Issue