Merge pull request #13172 from nextcloud/fix-can-change-password-check
fix can change password check in case of encryption is enabled
This commit is contained in:
commit
fe3d8ffc90
|
@ -41,6 +41,7 @@ namespace OC\Settings\Controller;
|
||||||
|
|
||||||
use OC\Accounts\AccountManager;
|
use OC\Accounts\AccountManager;
|
||||||
use OC\AppFramework\Http;
|
use OC\AppFramework\Http;
|
||||||
|
use OC\Encryption\Exceptions\ModuleDoesNotExistsException;
|
||||||
use OC\ForbiddenException;
|
use OC\ForbiddenException;
|
||||||
use OC\Security\IdentityProof\Manager;
|
use OC\Security\IdentityProof\Manager;
|
||||||
use OCA\User_LDAP\User_Proxy;
|
use OCA\User_LDAP\User_Proxy;
|
||||||
|
@ -128,9 +129,9 @@ class UsersController extends Controller {
|
||||||
/**
|
/**
|
||||||
* @NoCSRFRequired
|
* @NoCSRFRequired
|
||||||
* @NoAdminRequired
|
* @NoAdminRequired
|
||||||
*
|
*
|
||||||
* Display users list template
|
* Display users list template
|
||||||
*
|
*
|
||||||
* @return TemplateResponse
|
* @return TemplateResponse
|
||||||
*/
|
*/
|
||||||
public function usersListByGroup() {
|
public function usersListByGroup() {
|
||||||
|
@ -140,9 +141,9 @@ class UsersController extends Controller {
|
||||||
/**
|
/**
|
||||||
* @NoCSRFRequired
|
* @NoCSRFRequired
|
||||||
* @NoAdminRequired
|
* @NoAdminRequired
|
||||||
*
|
*
|
||||||
* Display users list template
|
* Display users list template
|
||||||
*
|
*
|
||||||
* @return TemplateResponse
|
* @return TemplateResponse
|
||||||
*/
|
*/
|
||||||
public function usersList() {
|
public function usersList() {
|
||||||
|
@ -150,7 +151,7 @@ class UsersController extends Controller {
|
||||||
$uid = $user->getUID();
|
$uid = $user->getUID();
|
||||||
|
|
||||||
\OC::$server->getNavigationManager()->setActiveEntry('core_users');
|
\OC::$server->getNavigationManager()->setActiveEntry('core_users');
|
||||||
|
|
||||||
/* SORT OPTION: SORT_USERCOUNT or SORT_GROUPNAME */
|
/* SORT OPTION: SORT_USERCOUNT or SORT_GROUPNAME */
|
||||||
$sortGroupsBy = \OC\Group\MetaData::SORT_USERCOUNT;
|
$sortGroupsBy = \OC\Group\MetaData::SORT_USERCOUNT;
|
||||||
$isLDAPUsed = false;
|
$isLDAPUsed = false;
|
||||||
|
@ -166,22 +167,17 @@ class UsersController extends Controller {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ENCRYPTION CONFIG */
|
$canChangePassword = $this->canAdminChangeUserPasswords();
|
||||||
$isEncryptionEnabled = $this->encryptionManager->isEnabled();
|
|
||||||
$useMasterKey = $this->config->getAppValue('encryption', 'useMasterKey', true);
|
/* GROUPS */
|
||||||
// If masterKey enabled, then you can change password. This is to avoid data loss!
|
|
||||||
$canChangePassword = ($isEncryptionEnabled && $useMasterKey) || $useMasterKey;
|
|
||||||
|
|
||||||
|
|
||||||
/* GROUPS */
|
|
||||||
$groupsInfo = new \OC\Group\MetaData(
|
$groupsInfo = new \OC\Group\MetaData(
|
||||||
$uid,
|
$uid,
|
||||||
$this->isAdmin,
|
$this->isAdmin,
|
||||||
$this->groupManager,
|
$this->groupManager,
|
||||||
$this->userSession
|
$this->userSession
|
||||||
);
|
);
|
||||||
|
|
||||||
$groupsInfo->setSorting($sortGroupsBy);
|
$groupsInfo->setSorting($sortGroupsBy);
|
||||||
list($adminGroup, $groups) = $groupsInfo->get();
|
list($adminGroup, $groups) = $groupsInfo->get();
|
||||||
|
|
||||||
|
@ -190,7 +186,7 @@ class UsersController extends Controller {
|
||||||
return $ldapFound || $backend instanceof User_Proxy;
|
return $ldapFound || $backend instanceof User_Proxy;
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->isAdmin) {
|
if ($this->isAdmin) {
|
||||||
$disabledUsers = $isLDAPUsed ? -1 : $this->userManager->countDisabledUsers();
|
$disabledUsers = $isLDAPUsed ? -1 : $this->userManager->countDisabledUsers();
|
||||||
$userCount = $isLDAPUsed ? 0 : array_reduce($this->userManager->countUsers(), function($v, $w) {
|
$userCount = $isLDAPUsed ? 0 : array_reduce($this->userManager->countUsers(), function($v, $w) {
|
||||||
|
@ -221,7 +217,7 @@ class UsersController extends Controller {
|
||||||
'name' => 'Disabled users',
|
'name' => 'Disabled users',
|
||||||
'usercount' => $disabledUsers
|
'usercount' => $disabledUsers
|
||||||
];
|
];
|
||||||
|
|
||||||
/* QUOTAS PRESETS */
|
/* QUOTAS PRESETS */
|
||||||
$quotaPreset = $this->config->getAppValue('files', 'quota_preset', '1 GB, 5 GB, 10 GB');
|
$quotaPreset = $this->config->getAppValue('files', 'quota_preset', '1 GB, 5 GB, 10 GB');
|
||||||
$quotaPreset = explode(',', $quotaPreset);
|
$quotaPreset = explode(',', $quotaPreset);
|
||||||
|
@ -230,12 +226,12 @@ class UsersController extends Controller {
|
||||||
}
|
}
|
||||||
$quotaPreset = array_diff($quotaPreset, array('default', 'none'));
|
$quotaPreset = array_diff($quotaPreset, array('default', 'none'));
|
||||||
$defaultQuota = $this->config->getAppValue('files', 'default_quota', 'none');
|
$defaultQuota = $this->config->getAppValue('files', 'default_quota', 'none');
|
||||||
|
|
||||||
\OC::$server->getEventDispatcher()->dispatch('OC\Settings\Users::loadAdditionalScripts');
|
\OC::$server->getEventDispatcher()->dispatch('OC\Settings\Users::loadAdditionalScripts');
|
||||||
|
|
||||||
/* LANGUAGES */
|
/* LANGUAGES */
|
||||||
$languages = $this->l10nFactory->getLanguages();
|
$languages = $this->l10nFactory->getLanguages();
|
||||||
|
|
||||||
/* FINAL DATA */
|
/* FINAL DATA */
|
||||||
$serverData = array();
|
$serverData = array();
|
||||||
// groups
|
// groups
|
||||||
|
@ -254,6 +250,38 @@ class UsersController extends Controller {
|
||||||
return new TemplateResponse('settings', 'settings-vue', ['serverData' => $serverData]);
|
return new TemplateResponse('settings', 'settings-vue', ['serverData' => $serverData]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* check if the admin can change the users password
|
||||||
|
*
|
||||||
|
* The admin can change the passwords if:
|
||||||
|
*
|
||||||
|
* - no encryption module is loaded and encryption is disabled
|
||||||
|
* - encryption module is loaded but it doesn't require per user keys
|
||||||
|
*
|
||||||
|
* The admin can not change the passwords if:
|
||||||
|
*
|
||||||
|
* - an encryption module is loaded and it uses per-user keys
|
||||||
|
* - encryption is enabled but no encryption modules are loaded
|
||||||
|
*
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
protected function canAdminChangeUserPasswords() {
|
||||||
|
$isEncryptionEnabled = $this->encryptionManager->isEnabled();
|
||||||
|
try {
|
||||||
|
$noUserSpecificEncryptionKeys =!$this->encryptionManager->getEncryptionModule()->needDetailedAccessList();
|
||||||
|
$isEncryptionModuleLoaded = true;
|
||||||
|
} catch (ModuleDoesNotExistsException $e) {
|
||||||
|
$noUserSpecificEncryptionKeys = true;
|
||||||
|
$isEncryptionModuleLoaded = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$canChangePassword = ($isEncryptionEnabled && $isEncryptionModuleLoaded && $noUserSpecificEncryptionKeys)
|
||||||
|
|| (!$isEncryptionEnabled && !$isEncryptionModuleLoaded)
|
||||||
|
|| (!$isEncryptionEnabled && $isEncryptionModuleLoaded && $noUserSpecificEncryptionKeys);
|
||||||
|
|
||||||
|
return $canChangePassword;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @NoAdminRequired
|
* @NoAdminRequired
|
||||||
* @NoSubadminRequired
|
* @NoSubadminRequired
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
namespace Tests\Settings\Controller;
|
namespace Tests\Settings\Controller;
|
||||||
|
|
||||||
use OC\Accounts\AccountManager;
|
use OC\Accounts\AccountManager;
|
||||||
|
use OC\Encryption\Exceptions\ModuleDoesNotExistsException;
|
||||||
use OC\Group\Group;
|
use OC\Group\Group;
|
||||||
use OC\Group\Manager;
|
use OC\Group\Manager;
|
||||||
use OC\Settings\Controller\UsersController;
|
use OC\Settings\Controller\UsersController;
|
||||||
|
@ -98,7 +99,7 @@ class UsersControllerTest extends \Test\TestCase {
|
||||||
$this->securityManager = $this->getMockBuilder(\OC\Security\IdentityProof\Manager::class)->disableOriginalConstructor()->getMock();
|
$this->securityManager = $this->getMockBuilder(\OC\Security\IdentityProof\Manager::class)->disableOriginalConstructor()->getMock();
|
||||||
$this->jobList = $this->createMock(IJobList::class);
|
$this->jobList = $this->createMock(IJobList::class);
|
||||||
$this->encryptionManager = $this->createMock(IManager::class);
|
$this->encryptionManager = $this->createMock(IManager::class);
|
||||||
|
|
||||||
$this->l->method('t')
|
$this->l->method('t')
|
||||||
->will($this->returnCallback(function ($text, $parameters = []) {
|
->will($this->returnCallback(function ($text, $parameters = []) {
|
||||||
return vsprintf($text, $parameters);
|
return vsprintf($text, $parameters);
|
||||||
|
@ -513,4 +514,49 @@ class UsersControllerTest extends \Test\TestCase {
|
||||||
$this->assertSame(Http::STATUS_BAD_REQUEST, $result->getStatus());
|
$this->assertSame(Http::STATUS_BAD_REQUEST, $result->getStatus());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider dataTestCanAdminChangeUserPasswords
|
||||||
|
*
|
||||||
|
* @param bool $encryptionEnabled
|
||||||
|
* @param bool $encryptionModuleLoaded
|
||||||
|
* @param bool $masterKeyEnabled
|
||||||
|
* @param bool $expected
|
||||||
|
*/
|
||||||
|
public function testCanAdminChangeUserPasswords($encryptionEnabled,
|
||||||
|
$encryptionModuleLoaded,
|
||||||
|
$masterKeyEnabled,
|
||||||
|
$expected) {
|
||||||
|
$controller = $this->getController();
|
||||||
|
|
||||||
|
$this->encryptionManager->expects($this->any())
|
||||||
|
->method('isEnabled')
|
||||||
|
->willReturn($encryptionEnabled);
|
||||||
|
$this->encryptionManager->expects($this->any())
|
||||||
|
->method('getEncryptionModule')
|
||||||
|
->willReturnCallback(function() use ($encryptionModuleLoaded) {
|
||||||
|
if ($encryptionModuleLoaded) return $this->encryptionModule;
|
||||||
|
else throw new ModuleDoesNotExistsException();
|
||||||
|
});
|
||||||
|
$this->encryptionModule->expects($this->any())
|
||||||
|
->method('needDetailedAccessList')
|
||||||
|
->willReturn(!$masterKeyEnabled);
|
||||||
|
|
||||||
|
$result = $this->invokePrivate($controller, 'canAdminChangeUserPasswords', []);
|
||||||
|
$this->assertSame($expected, $result);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function dataTestCanAdminChangeUserPasswords() {
|
||||||
|
return [
|
||||||
|
// encryptionEnabled, encryptionModuleLoaded, masterKeyEnabled, expectedResult
|
||||||
|
[true, true, true, true],
|
||||||
|
[false, true, true, true],
|
||||||
|
[true, false, true, false],
|
||||||
|
[false, false, true, true],
|
||||||
|
[true, true, false, false],
|
||||||
|
[false, true, false, false],
|
||||||
|
[true, false, false, false],
|
||||||
|
[false, false, false, true],
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue