amorfo77/sogo
1
0
Fork 0
mirror of https://github.com/inverse-inc/sogo.git synced 2026-05-11 22:45:26 +00:00
Code Issues Projects Releases Wiki Activity

fix(core): Require current password on password change (#285)

Browse Source 
Increase security by requiring the current password when changing the
password. This increases the security for cases such as XSS, or just a
forgotten browser window left open.

Fixes #4140
This commit is contained in:
Nicolas
2020-07-27 16:12:22 +02:00
committed by GitHub
parent 03d8ed5e92
commit 2300fe8aab
6 changed files with 27 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
UI/WebServerResources/js/Common/Authentication.service.js
+2 -2
View File
@@ -139,7 +139,7 @@
return d.promise;
}, // login: function(data) { ...
changePassword: function(newPassword) {
changePassword: function(newPassword, oldPassword) {
var d = $q.defer(),
xsrfCookie = $cookies.get('XSRF-TOKEN');
@@ -151,7 +151,7 @@
headers: {
'X-XSRF-TOKEN' : xsrfCookie
},
data: { newPassword: newPassword }
data: { newPassword: newPassword, oldPassword: oldPassword }
}).then(d.resolve, function(response) {
var error,
data = response.data,
UI/WebServerResources/js/Preferences/PreferencesController.js
+4 -3
View File
@@ -13,7 +13,7 @@
this.$onInit = function() {
this.preferences = Preferences;
this.passwords = { newPassword: null, newPasswordConfirmation: null };
this.passwords = { newPassword: null, newPasswordConfirmation: null, oldPassword: null };
this.timeZonesList = $window.timeZonesList;
this.timeZonesSearchText = '';
this.sieveVariablesCapability = ($window.sieveCapabilities.indexOf('variables') >= 0);
@@ -465,14 +465,15 @@
this.canChangePassword = function() {
if (this.passwords.newPassword && this.passwords.newPassword.length > 0 &&
this.passwords.newPasswordConfirmation && this.passwords.newPasswordConfirmation.length &&
this.passwords.newPassword == this.passwords.newPasswordConfirmation)
this.passwords.newPassword == this.passwords.newPasswordConfirmation &&
this.passwords.oldPassword && this.passwords.oldPassword.length > 0)
return true;
return false;
};
this.changePassword = function() {
Authentication.changePassword(this.passwords.newPassword).then(function() {
Authentication.changePassword(this.passwords.newPassword, this.passwords.oldPassword).then(function() {
var alert = $mdDialog.alert({
title: l('Password'),
content: l('The password was changed successfully.'),