2020-06-29 19:14:34 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"net/http"
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
"github.com/dustin/go-humanize/english"
|
2020-06-29 19:14:34 +00:00
|
|
|
"github.com/gin-gonic/gin"
|
2022-09-28 07:01:17 +00:00
|
|
|
|
2020-06-29 19:14:34 +00:00
|
|
|
"github.com/photoprism/photoprism/internal/acl"
|
|
|
|
|
"github.com/photoprism/photoprism/internal/entity"
|
2022-09-28 07:01:17 +00:00
|
|
|
"github.com/photoprism/photoprism/internal/event"
|
2020-06-29 19:14:34 +00:00
|
|
|
"github.com/photoprism/photoprism/internal/form"
|
2020-07-07 08:51:55 +00:00
|
|
|
"github.com/photoprism/photoprism/internal/i18n"
|
2020-06-30 06:50:44 +00:00
|
|
|
"github.com/photoprism/photoprism/internal/service"
|
2022-09-28 07:01:17 +00:00
|
|
|
"github.com/photoprism/photoprism/pkg/clean"
|
2020-06-29 19:14:34 +00:00
|
|
|
)
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// ChangePassword changes the password of the currently authenticated user.
|
|
|
|
|
//
|
2020-06-29 19:14:34 +00:00
|
|
|
// PUT /api/v1/users/:uid/password
|
|
|
|
|
func ChangePassword(router *gin.RouterGroup) {
|
|
|
|
|
router.PUT("/users/:uid/password", func(c *gin.Context) {
|
2020-06-30 06:50:44 +00:00
|
|
|
conf := service.Config()
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// You cannot change any passwords without authentication and settings enabled.
|
2020-12-18 12:05:48 +00:00
|
|
|
if conf.Public() || conf.DisableSettings() {
|
2020-07-07 08:51:55 +00:00
|
|
|
Abort(c, http.StatusForbidden, i18n.ErrPublic)
|
2020-06-30 06:50:44 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// Get session.
|
|
|
|
|
s := Auth(c, acl.ResourcePassword, acl.ActionUpdate)
|
2020-06-29 19:14:34 +00:00
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
if s.Abort(c) {
|
2020-06-29 19:14:34 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
uid := clean.UID(c.Param("uid"))
|
2020-10-03 11:50:30 +00:00
|
|
|
m := entity.FindUserByUID(uid)
|
2020-06-29 19:14:34 +00:00
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// Users may only change their own password.
|
|
|
|
|
if s.User().UserUID != m.UserUID {
|
|
|
|
|
AbortForbidden(c)
|
2021-08-12 18:19:46 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-29 19:14:34 +00:00
|
|
|
if m == nil {
|
2020-07-07 08:51:55 +00:00
|
|
|
Abort(c, http.StatusNotFound, i18n.ErrUserNotFound)
|
2020-06-29 19:14:34 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f := form.ChangePassword{}
|
|
|
|
|
|
|
|
|
|
if err := c.BindJSON(&f); err != nil {
|
2020-07-07 08:51:55 +00:00
|
|
|
Error(c, http.StatusBadRequest, err, i18n.ErrInvalidPassword)
|
2020-06-29 19:14:34 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// Verify that the old password is correct.
|
2020-06-29 19:14:34 +00:00
|
|
|
if m.InvalidPassword(f.OldPassword) {
|
2020-07-07 08:51:55 +00:00
|
|
|
Abort(c, http.StatusBadRequest, i18n.ErrInvalidPassword)
|
2020-06-29 19:14:34 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// Change password.
|
2020-06-29 19:14:34 +00:00
|
|
|
if err := m.SetPassword(f.NewPassword); err != nil {
|
2020-07-07 08:51:55 +00:00
|
|
|
Error(c, http.StatusBadRequest, err, i18n.ErrInvalidPassword)
|
2020-06-29 19:14:34 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 07:01:17 +00:00
|
|
|
// Invalidate all other user sessions to protect the account:
|
|
|
|
|
// https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
|
|
|
|
|
event.AuditInfo([]string{ClientIP(c), "session %s", "password changed", "invalidated %s"}, s.RefID,
|
|
|
|
|
english.Plural(m.DeleteSessions([]string{s.ID}), "session", "sessions"))
|
|
|
|
|
|
2020-07-07 08:51:55 +00:00
|
|
|
c.JSON(http.StatusOK, i18n.NewResponse(http.StatusOK, i18n.MsgPasswordChanged))
|
2020-06-29 19:14:34 +00:00
|
|
|
})
|
|
|
|
|
}
|
