Commit 8fc6e4cf by Torkel Ödegaard

fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth…

fix(auth proxy, ldap): fixed so users cannot change password when ldap or auth proxy is enabled, fixes #2495, do not allow user to change email or username depending on what property auth proxy is using, fixes #6903
parent df562e23
......@@ -139,6 +139,7 @@ func getFrontendSettingsMap(c *middleware.Context) (map[string]interface{}, erro
"appSubUrl": setting.AppSubUrl,
"allowOrgCreate": (setting.AllowUserOrgCreate && c.IsSignedIn) || c.IsGrafanaAdmin,
"authProxyEnabled": setting.AuthProxyEnabled,
"ldapEnabled": setting.LdapEnabled,
"buildInfo": map[string]interface{}{
"version": setting.BuildVersion,
"commit": setting.BuildCommit,
......
......@@ -30,6 +30,14 @@ func getUserUserProfile(userId int64) Response {
// POST /api/user
func UpdateSignedInUser(c *middleware.Context, cmd m.UpdateUserCommand) Response {
if setting.AuthProxyEnabled {
if setting.AuthProxyHeaderProperty == "email" && cmd.Email != c.Email {
return ApiError(400, "Not allowed to change email when auth proxy is using email property", nil)
}
if setting.AuthProxyHeaderProperty == "username" && cmd.Login != c.Login {
return ApiError(400, "Not allowed to change username when auth proxy is using username property", nil)
}
}
cmd.UserId = c.UserId
return handleUpdateUser(cmd)
}
......@@ -146,6 +154,10 @@ func ChangeActiveOrgAndRedirectToHome(c *middleware.Context) {
}
func ChangeUserPassword(c *middleware.Context, cmd m.ChangeUserPasswordCommand) Response {
if setting.LdapEnabled || setting.AuthProxyEnabled {
return ApiError(400, "Not allowed to change password when LDAP or Auth Proxy is enabled", nil)
}
userQuery := m.GetUserByIdQuery{Id: c.UserId}
if err := bus.Dispatch(&userQuery); err != nil {
......
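Review bot: The guard added at the top of ChangeUserPassword keys on the global flags `setting.LdapEnabled || setting.AuthProxyEnabled`, so it rejects the request for every account, not only those whose credentials are held in LDAP or behind the proxy. If locally stored accounts (a built-in admin, for instance) can still sign in with a password while LDAP is enabled, which this hunk does not show, they can no longer rotate that password through this endpoint. Either make the decision per user or record the limitation in a comment such as `// blocks all accounts, including local ones, while LDAP or auth proxy is enabled`. Relatedly, in the first hunk UpdateSignedInUser locks `cmd.Email` / `cmd.Login` only under `setting.AuthProxyEnabled`; with `setting.LdapEnabled` set, the same fields still pass through to `handleUpdateUser`, and it is worth confirming that this is intended. ChangeUserPassword's body continues outside the hunk.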
......@@ -2,7 +2,7 @@ define([
'angular',
'app/core/config',
],
function (angular) {
function (angular, config) {
'use strict';
var module = angular.module('grafana.controllers');
......@@ -10,6 +10,8 @@ function (angular) {
module.controller('ChangePasswordCtrl', function($scope, backendSrv, $location) {
$scope.command = {};
$scope.authProxyEnabled = config.authProxyEnabled;
$scope.ldapEnabled = config.ldapEnabled;
$scope.changePassword = function() {
if (!$scope.userForm.$valid) { return; }
......
......@@ -6,7 +6,14 @@
<h1>Change password</h1>
</div>
<form name="userForm" class="gf-form-group">
<div ng-if="ldapEnabled || authProxyEnabled">
You cannot change password when ldap or auth proxy authentication is enabled.
<br>
<br>
<a class="btn-text" href="profile">Back to profile</a>
</div>
<form name="userForm" class="gf-form-group" ng-hide="ldapEnabled || authProxyEnabled">
<div class="gf-form">
<span class="gf-form-label width-10">Old Password</span>
<input class="gf-form-input max-width-21" type="password" required ng-model="command.oldPassword">
......