Commit ffec795f by Marcus Efraimsson Committed by GitHub

Merge pull request #14232 from SilverFire/security-password-reset

Prevent password reset when login form is disabled or either LDAP or Auth Proxy is enabled
parents 4de28ef8 257802e7
...@@ -4,10 +4,18 @@ import ( ...@@ -4,10 +4,18 @@ import (
"github.com/grafana/grafana/pkg/api/dtos" "github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/bus" "github.com/grafana/grafana/pkg/bus"
m "github.com/grafana/grafana/pkg/models" m "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util" "github.com/grafana/grafana/pkg/util"
) )
func SendResetPasswordEmail(c *m.ReqContext, form dtos.SendResetPasswordEmailForm) Response { func SendResetPasswordEmail(c *m.ReqContext, form dtos.SendResetPasswordEmailForm) Response {
if setting.LdapEnabled || setting.AuthProxyEnabled {
return Error(401, "Not allowed to reset password when LDAP or Auth Proxy is enabled", nil)
}
if setting.DisableLoginForm {
return Error(401, "Not allowed to reset password when login form is disabled", nil)
}
userQuery := m.GetUserByLoginQuery{LoginOrEmail: form.UserOrEmail} userQuery := m.GetUserByLoginQuery{LoginOrEmail: form.UserOrEmail}
if err := bus.Dispatch(&userQuery); err != nil { if err := bus.Dispatch(&userQuery); err != nil {
......
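Review bot: The new guard covers only the handler that sends the reset e-mail; the companion handler that consumes the reset code (presumably in the same file, not in this hunk) would need the same two checks, otherwise a code issued before LDAP or Auth Proxy was enabled could still complete a reset, so both checks are better lifted into one helper called from each handler. The status code also reads oddly: 401 signals a missing or bad credential, whereas here the request is understood but not permitted, which is what 403 expresses, e.g. `return Error(403, "Not allowed to reset password when LDAP or Auth Proxy is enabled", nil)` and the matching line for the disabled-login-form case. SendResetPasswordEmail's body continues outside the hunk.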
import coreModule from '../core_module'; import coreModule from '../core_module';
import config from 'app/core/config';
export class ResetPasswordCtrl { export class ResetPasswordCtrl {
/** @ngInject */ /** @ngInject */
...@@ -6,6 +7,9 @@ export class ResetPasswordCtrl { ...@@ -6,6 +7,9 @@ export class ResetPasswordCtrl {
contextSrv.sidemenu = false; contextSrv.sidemenu = false;
$scope.formModel = {}; $scope.formModel = {};
$scope.mode = 'send'; $scope.mode = 'send';
$scope.ldapEnabled = config.ldapEnabled;
$scope.authProxyEnabled = config.authProxyEnabled;
$scope.disableLoginForm = config.disableLoginForm;
const params = $location.search(); const params = $location.search();
if (params.code) { if (params.code) {
......
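Review bot: The three flags copied onto `$scope` only drive template visibility, while the authoritative check is the server-side guard added to SendResetPasswordEmail in this same commit; a one-line comment above them would keep a later UI refactor from treating the client check as the enforcement point, e.g. `// UI hints only; the API rejects reset requests when these are set`. The constructor these lines belong to starts outside the hunk.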
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
<button type="submit" class="btn btn-large p-x-2 btn-inverse btn-loading" ng-if="loggingIn"> <button type="submit" class="btn btn-large p-x-2 btn-inverse btn-loading" ng-if="loggingIn">
Logging In<span>.</span><span>.</span><span>.</span> Logging In<span>.</span><span>.</span><span>.</span>
</button> </button>
<div class="small login-button-forgot-password"> <div class="small login-button-forgot-password" ng-hide="ldapEnabled || authProxyEnabled">
<a href="user/password/send-reset-email"> <a href="user/password/send-reset-email">
Forgot your password? Forgot your password?
</a> </a>
......
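Review bot: The `ng-hide` added to the forgot-password link depends on `ldapEnabled` and `authProxyEnabled` being present on the login scope, and this commit does not add them there, so presumably the existing login controller already exposes them; worth confirming, since an undefined binding makes `ng-hide` evaluate falsy and the link stays visible (the server guard still applies, so this is a UI gap only). The reset view in this commit also hides its form on `disableLoginForm`; if the login view can be rendered with that flag set, the same term belongs here for consistency, `ng-hide="ldapEnabled || authProxyEnabled || disableLoginForm"`.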
...@@ -3,7 +3,14 @@ ...@@ -3,7 +3,14 @@
<div class="page-container page-body"> <div class="page-container page-body">
<div class="signup"> <div class="signup">
<h3 class="p-b-1">Reset password</h3> <h3 class="p-b-1">Reset password</h3>
<form name="sendResetForm" class="login-form gf-form-group" ng-show="mode === 'send'">
<div ng-if="ldapEnabled || authProxyEnabled">
You cannot reset password when LDAP or Auth Proxy authentication is enabled.
</div>
<div ng-if="disableLoginForm">
You cannot reset password when login form is disabled.
</div>
<form name="sendResetForm" class="login-form gf-form-group" ng-show="mode === 'send'" ng-hide="ldapEnabled || authProxyEnabled || disableLoginForm">
<div class="gf-form"> <div class="gf-form">
<span class="gf-form-label width-7">User</span> <span class="gf-form-label width-7">User</span>
<input type="text" name="username" class="gf-form-input max-width-14" required ng-model='formModel.userOrEmail' placeholder="email or username"> <input type="text" name="username" class="gf-form-input max-width-14" required ng-model='formModel.userOrEmail' placeholder="email or username">
......
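Review bot: The form at the end of the hunk now carries both `ng-show` and `ng-hide`; in AngularJS each directive independently toggles the same `ng-hide` class when its own expression changes, so the element's visibility ends up depending on whichever watcher fired last. Folding the condition into a single directive avoids that: `ng-show="mode === 'send' && !(ldapEnabled || authProxyEnabled || disableLoginForm)"`. The two notice `div`s are not gated on `mode`, so they also appear when the page is opened with a reset code in the URL; if that is unintended, `ng-if="mode === 'send' && ..."` on each would scope them. The form element continues outside the hunk.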