user: admin user can change password of any user without knowing old password

2025-03-30 00:00:12 +01:00 · 2019-10-24 12:44:26 +02:00 · 2019-10-24 12:44:26 +02:00 · bae3bc9046
commit bae3bc9046
parent 2852c4897f
3 changed files with 27 additions and 21 deletions
--- a/routes/user/user_endpoints.go
+++ b/routes/user/user_endpoints.go
@ -183,9 +183,9 @@ func updateUser(c *gin.Context) {
 	// case that the request updates the role of the old user)
 	updatedUser, err := req.updatedUser(callerRole, oldUser)
 	if err != nil {
-		if strings.Contains(err.Error(), "Admin") {
+		if strings.Contains(err.Error(), "Admin") || strings.Contains(err.Error(), "pw not changed") {
 			helper.ForbiddenError(c, err.Error())
-		} else if strings.Contains(err.Error(), "Username") {
+		} else if strings.Contains(err.Error(), "Username") || strings.Contains(err.Error(), "old password") {
 			helper.BadRequestError(c, err.Error())
 		} else { // password encryption failed
 			helper.InternalServerError(c, err.Error())
--- a/routes/user/user_test.go
+++ b/routes/user/user_test.go
@ -455,6 +455,17 @@ func TestModifyAddedUserAsUser(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equalf(t, 400, code, "Response body: \n%v\n", resp)

+	// modify newUser's password with wring old password
+	modRequest = UserRequest{
+		Password:    "5tr0ng_pw!",
+		OldPassword: "wrongoldpassword",
+	}
+	code, resp, err = helper.TestEndpoint(router, token,
+		fmt.Sprintf("/api/users/%v", newUserID), "PUT",
+		helper.KeyModels{"user": modRequest})
+	assert.NoError(t, err)
+	assert.Equalf(t, 403, code, "Response body: \n%v\n", resp)
+
 	// modify newUser's password
 	modRequest = UserRequest{
 		Password:    "5tr0ng_pw!",
@ -512,7 +523,6 @@ func TestInvalidUserUpdate(t *testing.T) {
 	// should result in not found
 	modRequest := UserRequest{
 		Password: "longenough",
-		OldPassword: "wr0ng_Upd@te!",
 	}
 	code, resp, err = helper.TestEndpoint(router, token,
 		fmt.Sprintf("/api/users/%v", newUserID+1), "PUT",
@ -621,10 +631,9 @@ func TestModifyAddedUserAsAdmin(t *testing.T) {
 	err = helper.CompareResponse(resp, helper.KeyModels{"user": newUser})
 	assert.NoError(t, err)

-	// modify newUser's password
+	// modify newUser's password, should work without old password
 	modRequest = UserRequest{
 		Password: "4_g00d_pw!",
-		OldPassword: "mod_4d^2ed_0ser",
 	}
 	code, resp, err = helper.TestEndpoint(router, token,
 		fmt.Sprintf("/api/users/%v", newUserID), "PUT",
--- a/routes/user/user_validators.go
+++ b/routes/user/user_validators.go
@ -49,16 +49,6 @@ func (r *updateUserRequest) validate() error {
 		return errs
 	}

-	if r.Password != "" {
-		// if user wants to change password
-		// old password has to be contained in update request
-		if r.OldPassword == "" {
-			return fmt.Errorf("old password is missing in request")
-		} else {
-			return nil
-		}
-	}
-
 	return nil
 }

@ -98,12 +88,19 @@ func (r *updateUserRequest) updatedUser(role interface{},

 	// If there is a new password then hash it and update it
 	if r.Password != "" {
+		if role != "Admin" { // if requesting user is NOT admin, old password needs to be validated
+
+			if r.OldPassword == "" {
+				return u, fmt.Errorf("old password is missing in request")
+			}
+
 			err := oldUser.validatePassword(r.OldPassword)
 			if err != nil {
 				return u, fmt.Errorf("previous password not correct, pw not changed")
 			}
+		}

-		err = u.setPassword(r.Password)
+		err := u.setPassword(r.Password)
 		if err != nil {
 			return u, fmt.Errorf("unable to encrypt new password")
 		}