Require user to provide current password to be able to change it

Admins can change other users' password without providing the current one, but not when changing their own
2021-05-03 15:03:34 -04:00
parent 5808b9fb71
commit 874b17b8f6
9 changed files with 205 additions and 11 deletions
@@ -50,6 +50,7 @@ func (r *userRepository) Put(u *model.User) error {
 	}
 	u.UpdatedAt = time.Now()
 	values, _ := toSqlArgs(*u)
+	delete(values, "current_password")
 	update := Update(r.tableName).Where(Eq{"id": u.ID}).SetMap(values)
 	count, err := r.executeSQL(update)
 	if err != nil {
@@ -153,6 +154,9 @@ func (r *userRepository) Update(entity interface{}, cols ...string) error {
 		u.IsAdmin = false
 		u.UserName = usr.UserName
 	}
+	if err := validatePasswordChange(u, usr); err != nil {
+		return err
+	}
 	err := r.Put(u)
 	if err == model.ErrNotFound {
 		return rest.ErrNotFound
@@ -160,6 +164,28 @@ func (r *userRepository) Update(entity interface{}, cols ...string) error {
 	return err
 }

+func validatePasswordChange(newUser *model.User, logged *model.User) error {
+	err := &rest.ValidationError{Errors: map[string]string{}}
+	if logged.IsAdmin && newUser.ID != logged.ID {
+		return nil
+	}
+	if newUser.NewPassword != "" && newUser.CurrentPassword == "" {
+		err.Errors["currentPassword"] = "ra.validation.required"
+	}
+	if newUser.CurrentPassword != "" {
+		if newUser.NewPassword == "" {
+			err.Errors["password"] = "ra.validation.required"
+		}
+		if newUser.CurrentPassword != logged.Password {
+			err.Errors["currentPassword"] = "ra.validation.passwordDoesNotMatch"
+		}
+	}
+	if len(err.Errors) > 0 {
+		return err
+	}
+	return nil
+}
+
 func (r *userRepository) Delete(id string) error {
 	usr := loggedUser(r.ctx)
 	if !usr.IsAdmin {