Commit a97f162c authored by Andrej Shadura

Mark passwords for SSO-only users as invalid to allow changing them later


Add a new "hash type" for invalid passwords, which is never equal to
normal passwords, but nevertheless can be changed without being known by
the user.

This "invalid" password can only be set by directly setting the password
hash type. When updating the password using the update_password method, it will
always be upgraded to the strongest hash type, sha256crypt.

To allow changing this "invalid" password to a normal one, stop
requiring a non-empty current password in the password change dialog
when changing a password from an "invalid" one. Don’t show the current
password box either, as it is not used anyway in this case, making
it better not to show it to avoid confusion.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Gbp-Pq: Topic collabora/sso
Gbp-Pq: Name Mark-passwords-for-SSO-only-users-as-invalid-to-allow-cha.patch
parent d923d228
Pipeline #27542 passed
......@@ -217,7 +217,7 @@ class Webui::UserController < Webui::WebuiController
def change_password
# check the valid of the params
unless User.current.password_equals?(params[:password])
unless User.current.password_equals?(params[:password]) || User.current.password_invalid?
errmsg = 'The value of current password does not match your current password. Please enter the password and try again.'
end
if not params[:new_password] == params[:repeat_password]
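Review bot: the `|| User.current.password_invalid?` branch lets any authenticated session of an "invalid"-password user set a new password with no further proof, which is the intended behaviour for SSO-only accounts but makes it essential that `password_hash_type = 'invalid'` can never be reached from user-controlled input (the commit message says it is only set by directly setting the hash type; a comment here stating that assumption, plus a test that a normal user still gets `errmsg` with a wrong current password, would make it harder to regress).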
......@@ -23,7 +23,7 @@ class User < ActiveRecord::Base
include ActiveModel::Dirty
include CanRenderModel
PASSWORD_HASH_TYPES = ['md5', 'md5crypt', 'sha256crypt']
PASSWORD_HASH_TYPES = ['md5', 'md5crypt', 'sha256crypt', 'invalid']
STATES = {
'unconfirmed' => 1,
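Review bot: `'invalid'` is now a member of `PASSWORD_HASH_TYPES` alongside real algorithms, so anything that validates or iterates this list will treat it as a selectable hash type; if `password_hash_type` is ever accepted from a form or API through this constant, a user could mark their own password invalid. Consider a comment, or keeping `'invalid'` in its own constant and checking it explicitly, so the list keeps meaning "algorithms we can hash with".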
......@@ -131,6 +131,9 @@ class User < ActiveRecord::Base
#
def update_password(pass)
password_will_change!
if password_invalid?
self.password_hash_type = 'sha256crypt'
end
self.password_crypted = hash_string(pass).crypt('os')
self.password_confirmation = hash_string(pass)
self.password = hash_string(pass)
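Review bot: the upgrade to `'sha256crypt'` only happens inside `if password_invalid?`, so a user on `md5` or `md5crypt` keeps that type after `update_password`; the commit message says the password is always upgraded to the strongest type, so either the condition should be dropped (a fresh hash is computed anyway) or the message narrowed. Setting the type before `hash_string(pass)` is the right order, since `hash_string` dispatches on `password_hash_type`.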
......@@ -311,7 +314,11 @@ class User < ActiveRecord::Base
# This method checks whether the given value equals the password when
# hashed with this user's password hash type. Returns a boolean.
def password_equals?(value)
hash_string(value) == self.password
hash_string(value) == self.password && !password_invalid?
end
def password_invalid?
self.password_hash_type == 'invalid'
end
# Sets the last login time and saves the object. Note: Must currently be
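Review bot: in `hash_string(value) == self.password && !password_invalid?` the cheap guard runs last, so the result still depends on what `hash_string` returns for the `'invalid'` type; reordering to `!password_invalid? && hash_string(value) == self.password` short-circuits before hashing and keeps the method correct even if `hash_string`'s fallback changes. The doc comment above should also say the method returns false for an invalid password regardless of the value.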
......@@ -1048,6 +1055,8 @@ class User < ActiveRecord::Base
Digest::MD5.hexdigest(value + password_salt)
elsif crypt2index.keys.include?(password_hash_type)
value.crypt("$#{crypt2index[password_hash_type]}$#{password_salt}$").split("$")[3]
else
'invalid'
end
end
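Review bot: the new `else` returns the literal string `'invalid'` both for the `'invalid'` type and for any other unrecognised `password_hash_type`, where the method previously fell through with `nil`; a constant return from a hash function is only safe because `password_equals?` guards with `!password_invalid?`, and an unknown type is now indistinguishable from an intentionally invalid one. Handling `'invalid'` as an explicit branch and raising (or returning `nil`) for unknown types would keep that distinction.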
......@@ -5,10 +5,12 @@
<h2 class="box-header">Change Your Password</h2>
<div class="dialog-content">
<%= form_tag(:action => 'change_password') do %>
<% if !User.current.password_invalid? %>
<p>
<%= label_tag :password, 'Current Password:' %><br/>
<%= text_field_tag :password, nil, :type => 'password', :required => 'true'%>
</p>
<% end %>
<p>
<%= label_tag :new_password, 'New Password:' %><br/>
<%= text_field_tag :new_password, nil, :type => 'password', :autocomplete => 'off', :required => 'true' %>
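Review bot: the view and controller both branch on `User.current.password_invalid?`, which keeps them consistent, but the hidden field gives the user no hint why there is no current-password box; an `<% else %>` branch with a one-line note that no password is set yet would address the confusion the commit message mentions. Note that `:required => 'true'` on the removed field was client-side only, so the controller change, not this one, is what actually relaxes the check.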