From 2fd2e45e428b24f16b7724b7a31d660ba67d2ef1 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Tue, 25 Oct 2016 13:05:13 +0200
Subject: [PATCH] Require password confirmation for user management

Signed-off-by: Joas Schilling
---
 .../Controller/ChangePasswordController.php | 1 +
 settings/Controller/GroupsController.php | 2 +
 settings/Controller/UsersController.php | 3 +
 settings/ajax/togglegroups.php | 7 ++
 settings/ajax/togglesubadmins.php | 7 ++
 settings/js/users/users.js | 68 +++++++++++++++----
 6 files changed, 74 insertions(+), 14 deletions(-)

diff --git a/settings/Controller/ChangePasswordController.php b/settings/Controller/ChangePasswordController.php
index e43d0d8f34..832cdbefdb 100644
--- a/settings/Controller/ChangePasswordController.php
+++ b/settings/Controller/ChangePasswordController.php
@@ -131,6 +131,7 @@ class ChangePasswordController extends Controller {
 /**
  * @NoAdminRequired
+ * @PasswordConfirmationRequired
  *
  * @param string $username
  * @param string $password
diff --git a/settings/Controller/GroupsController.php b/settings/Controller/GroupsController.php
index feed45b118..8985a76ec9 100644
--- a/settings/Controller/GroupsController.php
+++ b/settings/Controller/GroupsController.php
@@ -95,6 +95,7 @@ class GroupsController extends Controller {
 }
 /**
+ * @PasswordConfirmationRequired
  * @param string $id
  * @return DataResponse
  */
@@ -128,6 +129,7 @@ class GroupsController extends Controller {
 }
 /**
+ * @PasswordConfirmationRequired
  * @param string $id
  * @return DataResponse
  */
diff --git a/settings/Controller/UsersController.php b/settings/Controller/UsersController.php
index 4c732a94c9..89831a66ab 100644
--- a/settings/Controller/UsersController.php
+++ b/settings/Controller/UsersController.php
@@ -301,6 +301,7 @@ class UsersController extends Controller {
 /**
  * @NoAdminRequired
+ * @PasswordConfirmationRequired
  *
  * @param string $username
  * @param string $password
@@ -433,6 +434,7 @@ class UsersController extends Controller {
 /**
  * @NoAdminRequired
+ * @PasswordConfirmationRequired
  *
  * @param string $id
  * @return DataResponse
@@ -616,6 +618,7 @@ class UsersController extends Controller {
  *
  * @NoAdminRequired
  * @NoSubadminRequired
+ * @PasswordConfirmationRequired
  *
  * @param string $username
  * @param string $displayName
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index ff79861b81..b9958bef0c 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -28,6 +28,13 @@ OC_JSON::checkSubAdminUser();
 OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
 $success = true;
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
diff --git a/settings/ajax/togglesubadmins.php b/settings/ajax/togglesubadmins.php
index 390e5c09ef..5658a38241 100644
--- a/settings/ajax/togglesubadmins.php
+++ b/settings/ajax/togglesubadmins.php
@@ -24,6 +24,13 @@ OC_JSON::checkAdminUser();
 OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
diff --git a/settings/js/users/users.js b/settings/js/users/users.js
index 3a357c0e9c..7f23f2dad3 100644
--- a/settings/js/users/users.js
+++ b/settings/js/users/users.js
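Review bot: The freshness check added after `OCP\JSON::callCheck()` re-implements the password-confirmation window inline, with the 30-minute timeout and the 15-second grace period as bare literals, and the same seven lines are pasted again into settings/ajax/togglesubadmins.php in the next hunk. If the window enforced for the `@PasswordConfirmationRequired` annotation ever changes, these two scripts will silently drift and apply a different policy to group and sub-admin toggles than the controllers do. Moving the check into one shared function (or at least a named constant for the window) used by both scripts keeps the policy in one place; failing that, a comment such as `// Must match the window used for @PasswordConfirmationRequired` would make the coupling visible. Reading the session value through an `(int)` cast means an absent key becomes 0 and is rejected, which is the right default.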
@@ -353,6 +353,14 @@ var UserList = {
 $userListBody.on('click', '.delete', function () {
 // Call function for handling delete/undo
 var uid = UserList.getUID(this);
+
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+ UserDeleteHandler.mark(uid);
+ });
+ return;
+ }
+
 UserDeleteHandler.mark(uid);
 });
@@ -405,6 +413,11 @@ var UserList = {
 },
 applyGroupSelect: function (element, user, checked) {
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments));
+ return;
+ }
+
 var $element = $(element);
 var checkHandler = null;
@@ -467,6 +480,11 @@ var UserList = {
 },
 applySubadminSelect: function (element, user, checked) {
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ OC.PasswordConfirmation.requirePasswordConfirmation(_.bind(this.applySubadminSelect, this, arguments));
+ return;
+ }
+
 var $element = $(element);
 var checkHandler = function (group) {
 if (group === 'admin') {
@@ -478,7 +496,10 @@ var UserList = {
 username: user,
 group: group
 },
- function () {
+ function (response) {
+ if (response.data.message) {
+ OC.Notification.show(response.data.message);
+ }
 }
 );
 };
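Review bot: The deferred retry in applyGroupSelect binds `this.applySubadminSelect` instead of `this.applyGroupSelect`, so once the user has confirmed their password a group-membership toggle is replayed as a sub-admin toggle. Independently, `_.bind(fn, this, arguments)` hands the whole `arguments` object to the callback as its single first parameter rather than spreading it, so `element` receives that object and `user` and `checked` arrive undefined; the applySubadminSelect hunk below has the same spreading problem. Capturing the call's arguments and re-applying them avoids both mistakes and does not depend on `_.bind` partial application. applyGroupSelect continues outside the hunk.
```javascript
applyGroupSelect: function (element, user, checked) {
    if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
        var self = this, args = arguments;
        OC.PasswordConfirmation.requirePasswordConfirmation(function () {
            self.applyGroupSelect.apply(self, args);
        });
        return;
    }
    // … unchanged: element lookup and checkHandler …
```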
@@ -635,6 +656,27 @@ $(document).ready(function () {
 // TODO: move other init calls inside of initialize
 UserList.initialize($('#userlist'));
+ var _submitPasswordChange = function(uid, password, recoveryPasswordVal) {
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+ _submitPasswordChange(uid, password, recoveryPasswordVal);
+ });
+ return;
+ }
+
+ $.post(
+ OC.generateUrl('/settings/users/changepassword'),
+ {username: uid, password: password, recoveryPassword: recoveryPasswordVal},
+ function (result) {
+ if (result.status === 'success') {
+ OC.Notification.showTemporary(t('admin', 'Password successfully changed'));
+ } else {
+ OC.Notification.showTemporary(t('admin', result.data.message));
+ }
+ }
+ );
+ };
+
 $userListBody.on('click', '.password', function (event) {
 event.stopPropagation();
@@ -657,17 +699,7 @@ $(document).ready(function () {
 if (event.keyCode === 13) {
 if ($(this).val().length > 0) {
 var recoveryPasswordVal = $('input:password[id="recoveryPassword"]').val();
- $.post(
- OC.generateUrl('/settings/users/changepassword'),
- {username: uid, password: $(this).val(), recoveryPassword: recoveryPasswordVal},
- function (result) {
- if (result.status === 'success') {
- OC.Notification.showTemporary(t('admin', 'Password successfully changed'));
- } else {
- OC.Notification.showTemporary(t('admin', result.data.message));
- }
- }
- );
+ _submitPasswordChange(uid, $(this).val(), recoveryPasswordVal);
 $input.blur();
 } else {
 $input.blur();
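Review bot: The confirm-then-retry prelude at the top of `_submitPasswordChange` is the same five-line pattern this commit now repeats in the delete handler, applyGroupSelect, applySubadminSelect and `_submitNewUserForm`, each re-spelling the `requiresPasswordConfirmation()` test and the recursive re-invocation by hand. A single helper that takes the action as a callback and either runs it immediately or schedules it after confirmation would leave one place to get right and let each call site read as `withPasswordConfirmation(function () { … })`. The `$.post` that follows is the body lifted out of the keydown handler and is not re-reviewed here.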
@@ -796,7 +828,14 @@ $(document).ready(function () {
 });
 UserList._updateGroupListLabel($('#newuser .groups'), []);
- $('#newuser').submit(function (event) {
+ var _submitNewUserForm = function (event) {
+ if (OC.PasswordConfirmation.requiresPasswordConfirmation()) {
+ OC.PasswordConfirmation.requirePasswordConfirmation(function() {
+ _submitNewUserForm(event);
+ });
+ return;
+ }
+
 event.preventDefault();
 var username = $('#newusername').val();
 var password = $('#newuserpassword').val();
@@ -866,7 +905,8 @@ $(document).ready(function () {
 $('#newuser').get(0).reset();
 });
 });
- });
+ }
+ $('#newuser').submit(_submitNewUserForm);
 if ($('#CheckboxStorageLocation').is(':checked')) {
 $("#userlist .storageLocation").show();
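Review bot: `event.preventDefault()` is only reached after the confirmation check, so whenever a confirmation is required `_submitNewUserForm` returns before it and the browser's native submit of `#newuser` goes ahead, navigating away before the deferred `_submitNewUserForm(event)` ever runs. Call it first: `var _submitNewUserForm = function (event) {` followed immediately by `event.preventDefault();`, ahead of the `requiresPasswordConfirmation()` test. The function body continues past the end of the hunk.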
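Review bot: The `}` that closes the `_submitNewUserForm` function expression carries no terminating semicolon before `$('#newuser').submit(_submitNewUserForm);`. Automatic semicolon insertion rescues it here, but `};` matches `_submitPasswordChange` earlier in the file and removes the reliance on ASI.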