Merge remote-tracking branch 'origin/develop'

# Conflicts:
#	app/Http/Controllers/Auth/ResetPasswordController.php
#	config/version.php
snipe
2020-11-03 11:49:34 -08:00
26 changed files with 276 additions and 32 deletions
+3 -1
@@ -67,7 +67,9 @@ class UsersController extends Controller
if (($request->filled('deleted')) && ($request->input('deleted')=='true')) {
$users = $users->GetDeleted();
$users = $users->onlyTrashed();
} elseif (($request->filled('all')) && ($request->input('deleted')=='true')) {
$users = $users->withTrashed();
}
if ($request->filled('company_id')) {
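Review bot: The new `elseif` branch is unreachable as written: it tests `$request->filled('all')` but then compares `$request->input('deleted')=='true'`, and any request where `deleted` is `'true'` has already been taken by the first `if`, so `withTrashed()` can never run. The condition looks like a copy-paste slip and should read `} elseif (($request->filled('all')) && ($request->input('all')=='true')) {`. The enclosing method starts and ends outside the hunk.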
@@ -5,7 +5,6 @@ namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;
class ForgotPasswordController extends Controller
{
@@ -60,7 +59,7 @@ class ForgotPasswordController extends Controller
*/
$request->validate([
'email' => ['required', 'email', 'max:255'],
'username' => ['required', 'max:255'],
]);
@@ -74,16 +73,16 @@ class ForgotPasswordController extends Controller
*/
$response = $this->broker()->sendResetLink(
array_merge(
$request->only('email'),
$request->only('username'),
['activated' => '1'],
['ldap_import' => '0']
)
);
if ($response === \Password::RESET_LINK_SENT) {
\Log::info('Password reset attempt: User '.$request->input('email').' found, password reset sent');
\Log::info('Password reset attempt: User '.$request->input('username').' WAS found, password reset sent');
} else {
\Log::info('Password reset attempt: User '.$request->input('email').' not found or user is inactive');
\Log::info('Password reset attempt: User matching username '.$request->input('username').' NOT FOUND or user is inactive');
}
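Review bot: The rewritten `\Log::info` lines in both branches concatenate the raw `username` request value straight into the message text; a value containing newlines or control characters can inject extra log lines or break line-oriented log parsing, and the same concern applies to the old `email` variants this replaces. Passing the value through the logger's context array keeps each entry on one line, e.g. `\Log::info('Password reset attempt: user NOT FOUND or user is inactive', ['username' => $request->input('username')]);`, with the `RESET_LINK_SENT` branch changed the same way. The enclosing method starts outside the hunk.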
@@ -3,9 +3,13 @@
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use App\Http\Requests\SaveUserRequest;
use App\Models\Setting;
use App\Models\User;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;
use Illuminate\Validation\Validator;
class ResetPasswordController extends Controller
{
@@ -29,6 +33,8 @@ class ResetPasswordController extends Controller
*/
protected $redirectTo = '/';
protected $username = 'username';
/**
* Create a new controller instance.
*
@@ -44,7 +50,7 @@ class ResetPasswordController extends Controller
return [
'token' => 'required',
'username' => 'required',
'password' => 'required|confirmed|'.Setting::passwordComplexityRulesSaving('update'),
'password' => 'confirmed|'.Setting::passwordComplexityRulesSaving('store'),
];
}
@@ -55,7 +61,7 @@ class ResetPasswordController extends Controller
'username', 'password', 'password_confirmation', 'token'
);
}
public function showResetForm(Request $request, $token = null)
{
@@ -67,11 +73,48 @@ class ResetPasswordController extends Controller
);
}
public function reset(Request $request)
{
$messages = [
'password.not_in' => trans('validation.disallow_same_pwd_as_user_fields'),
];
$request->validate($this->rules(), $request->all(), $this->validationErrorMessages());
// Check to see if the user even exists
$user = User::where('username', '=', $request->input('username'))->first();
$broker = $this->broker();
if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== FALSE) {
$request->validate(
[
'password' => 'required|notIn:["'.$user->email.'","'.$user->username.'","'.$user->first_name.'","'.$user->last_name.'"'
], $messages);
}
$response = $broker->reset(
$this->credentials($request), function ($user, $password) {
$this->resetPassword($user, $password);
}
);
return $response == \Password::PASSWORD_RESET
? $this->sendResetResponse($request, $response)
: $this->sendResetFailedResponse($request, $response);
}
protected function sendResetFailedResponse(Request $request, $response)
{
return redirect()->back()
->withInput(['username'=> $request->input('username')])
->withErrors(['username' => trans($response)]);
->withErrors(['username' => trans($response), 'password' => trans($response)]);
}
}
}
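Review bot: The `notIn:` rule built by string concatenation in `reset()` never matches the user's email, because the literal `[` prefix becomes part of the first value and the closing `]` is missing, and any field containing a comma splits into extra values; the `Rule::notIn([...])` array form (already imported in this file's first hunk) avoids the hand-built syntax. On the line above it, `$user` comes from `->first()` and can be `null`, so `$user->email` should be guarded by `$user &&` in the same condition, letting the broker report the invalid user through `sendResetFailedResponse`. The first `$request->validate()` call also appears to pass `$request->all()` in the custom-messages position with `validationErrorMessages()` shifted into the attributes slot — worth checking against the framework's `validate($rules, $messages, $customAttributes)` signature. The method starts and ends inside the hunk.
```php
// … unchanged: rules() validation and $user lookup …
if ($user && strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== false) {
    $request->validate([
        'password' => ['required', Rule::notIn([$user->email, $user->username, $user->first_name, $user->last_name])],
    ], $messages);
}
// … unchanged: broker reset and response …
```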
@@ -156,6 +156,28 @@ class ProfileController extends Controller
if (!Hash::check($request->input('current_password'), $user->password)) {
$validator->errors()->add('current_password', trans('validation.hashed_pass'));
}
// This checks to make sure that the user's password isn't the same as their username,
// email address, first name or last name (see https://github.com/snipe/snipe-it/issues/8661)
// While this is handled via SaveUserRequest form request in other places, we have to do this manually
// here because we don't have the username, etc form fields available in the profile password change
// form.
// There may be a more elegant way to do this in the future.
// First let's see if that option is enabled in the settings
if (strpos(Setting::passwordComplexityRulesSaving('store'), 'disallow_same_pwd_as_user_fields') !== FALSE) {
if (($request->input('password') == $user->username) ||
($request->input('password') == $user->email) ||
($request->input('password') == $user->first_name) ||
($request->input('password') == $user->last_name))
{
$validator->errors()->add('password', trans('validation.disallow_same_pwd_as_user_fields'));
}
}
});
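Review bot: The four comparisons in the added `disallow_same_pwd_as_user_fields` block use loose `==`, so numeric-looking strings compare by value (`'1e3' == '1000'` is true) and an empty submitted password equals a `null` first or last name; a strict membership test keeps the intent and reads shorter: `if (in_array($request->input('password'), [$user->username, $user->email, $user->first_name, $user->last_name], true)) {`. The closure this block sits in (closed by the final `});`) starts outside the hunk.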
@@ -10,8 +10,7 @@ use App\Models\User;
use App\Notifications\RequestAssetCancelation;
use App\Notifications\RequestAssetNotification;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Input;
use Redirect;
use Illuminate\Http\Request;
/**
* This controller handles all actions related to the ability for users