fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth…

fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth proxy is enabled, fixes #2495, do not allow user to change email or username depending on what property auth proxy is using, fixes #6903

fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth…
fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth proxy is enabled, fixes #2495, do not allow user to change email or username depending on what property auth proxy is using, fixes #6903
8fc6e4cf · Torkel Ödegaard · df562e23 · 8fc6e4cf · 8fc6e4cf · 8fc6e4cf
Commit 8fc6e4cf authored Dec 14, 2016 by Torkel Ödegaard
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 2 deletions

pkg/api/frontendsettings.go
+1 -0

pkg/api/user.go
+12 -0

public/app/features/org/change_password_ctrl.js
+3 -1

public/app/features/org/partials/change_password.html
+8 -1

No files found.
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -139,6 +139,7 @@ func getFrontendSettingsMap(c *middleware.Context) (map[string]interface{}, erro
 		"appSubUrl":         setting.AppSubUrl,
 		"allowOrgCreate":    (setting.AllowUserOrgCreate && c.IsSignedIn) || c.IsGrafanaAdmin,
 		"authProxyEnabled":  setting.AuthProxyEnabled,
+		"ldapEnabled":       setting.LdapEnabled,
 		"buildInfo": map[string]interface{}{
 			"version":       setting.BuildVersion,
 			"commit":        setting.BuildCommit,

--- a/pkg/api/user.go
+++ b/pkg/api/user.go
@@ -30,6 +30,14 @@ func getUserUserProfile(userId int64) Response {

 // POST /api/user
 func UpdateSignedInUser(c *middleware.Context, cmd m.UpdateUserCommand) Response {
+	if setting.AuthProxyEnabled {
+		if setting.AuthProxyHeaderProperty == "email" && cmd.Email != c.Email {
+			return ApiError(400, "Not allowed to change email when auth proxy is using email property", nil)
+		}
+		if setting.AuthProxyHeaderProperty == "username" && cmd.Login != c.Login {
+			return ApiError(400, "Not allowed to change username when auth proxy is using username property", nil)
+		}
+	}
 	cmd.UserId = c.UserId
 	return handleUpdateUser(cmd)
 }
@@ -146,6 +154,10 @@ func ChangeActiveOrgAndRedirectToHome(c *middleware.Context) {
 }

 func ChangeUserPassword(c *middleware.Context, cmd m.ChangeUserPasswordCommand) Response {
+	if setting.LdapEnabled || setting.AuthProxyEnabled {
+		return ApiError(400, "Not allowed to change password when LDAP or Auth Proxy is enabled", nil)
+	}
+
 	userQuery := m.GetUserByIdQuery{Id: c.UserId}

 	if err := bus.Dispatch(&userQuery); err != nil {

--- a/public/app/features/org/change_password_ctrl.js
+++ b/public/app/features/org/change_password_ctrl.js
@@ -2,7 +2,7 @@ define([
  'angular',
  'app/core/config',
 ],
-function (angular) {
+function (angular, config) {
  'use strict';

  var module = angular.module('grafana.controllers');
@@ -10,6 +10,8 @@ function (angular) {
  module.controller('ChangePasswordCtrl', function($scope, backendSrv, $location) {

    $scope.command = {};
+    $scope.authProxyEnabled = config.authProxyEnabled;
+    $scope.ldapEnabled = config.ldapEnabled;

    $scope.changePassword = function() {
      if (!$scope.userForm.$valid) { return; }

--- a/public/app/features/org/partials/change_password.html
+++ b/public/app/features/org/partials/change_password.html
@@ -6,7 +6,14 @@
 		<h1>Change password</h1>
 	</div>

-	<form name="userForm" class="gf-form-group">
+	<div ng-if="ldapEnabled || authProxyEnabled">
+		You cannot change password when ldap or auth proxy authentication is enabled.
+		<br>
+		<br>
+		<a class="btn-text" href="profile">Back to profile</a>
+	</div>
+
+	<form name="userForm" class="gf-form-group" ng-hide="ldapEnabled || authProxyEnabled">
 		<div class="gf-form">
 			<span class="gf-form-label width-10">Old Password</span>
 			<input class="gf-form-input max-width-21" type="password" required ng-model="command.oldPassword">