Skip to content

Commit 22ed129

Browse files
defelmnqdefelmnq
committed
fix(password): improve logic
1 parent 163631e commit 22ed129

File tree

2 files changed

+22
-2
lines changed

2 files changed

+22
-2
lines changed

coderd/users.go

Lines changed: 20 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1018,6 +1018,7 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
10181018
ctx = r.Context()
10191019
user = httpmw.UserParam(r)
10201020
params codersdk.UpdateUserPasswordRequest
1021+
apiKey = httpmw.APIKey(r)
10211022
auditor = *api.Auditor.Load()
10221023
aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{
10231024
Audit: auditor,
@@ -1045,7 +1046,25 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
10451046
return
10461047
}
10471048

1048-
err := userpassword.Validate(params.Password)
1049+
admin, err := api.Database.GetUserByID(ctx, apiKey.UserID)
1050+
if err != nil {
1051+
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
1052+
Message: "Internal error fetching user.",
1053+
Detail: err.Error(),
1054+
})
1055+
return
1056+
}
1057+
1058+
// only admins or owners can change passwords without sending old_password
1059+
if params.OldPassword == "" && (!slice.Contains(admin.RBACRoles, codersdk.RoleUserAdmin) &&
1060+
!slice.Contains(admin.RBACRoles, codersdk.RoleOwner)) {
1061+
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
1062+
Message: "Old password is required for non-admin users.",
1063+
})
1064+
return
1065+
}
1066+
1067+
err = userpassword.Validate(params.Password)
10491068
if err != nil {
10501069
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
10511070
Message: "Invalid password.",
@@ -1059,7 +1078,6 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
10591078
return
10601079
}
10611080

1062-
// admins can change passwords without sending old_password
10631081
if params.OldPassword != "" {
10641082
// if they send something let's validate it
10651083
ok, err := userpassword.Compare(string(user.HashedPassword), params.OldPassword)

coderd/users_test.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1044,6 +1044,7 @@ func TestUpdateUserPassword(t *testing.T) {
10441044
OrganizationIDs: []uuid.UUID{owner.OrganizationID},
10451045
})
10461046
require.NoError(t, err, "create member")
1047+
10471048
err = client.UpdateUserPassword(ctx, member.ID.String(), codersdk.UpdateUserPasswordRequest{
10481049
Password: "SomeNewStrongPassword!",
10491050
})
@@ -1097,6 +1098,7 @@ func TestUpdateUserPassword(t *testing.T) {
10971098
Password: "newpassword",
10981099
})
10991100
require.Error(t, err, "member should not be able to update own password without providing old password")
1101+
require.ErrorContains(t, err, "Old password is required for non-admin users.")
11001102
})
11011103

11021104
t.Run("AuditorCantTellIfPasswordIncorrect", func(t *testing.T) {

0 commit comments

Comments
 (0)