Example 1 with ChangePasswordRequest
use of org.graylog2.rest.models.users.requests.ChangePasswordRequest in project graylog2-server by Graylog2.
the class UsersResource method changePassword.
@PUT
@Path("{userId}/password")
@ApiOperation("Update the password for a user.")
@ApiResponses({ @ApiResponse(code = 204, message = "The password was successfully updated. Subsequent requests must be made with the new password."), @ApiResponse(code = 400, message = "The new password is missing, or the old password is missing or incorrect."), @ApiResponse(code = 403, message = "The requesting user has insufficient privileges to update the password for the given user."), @ApiResponse(code = 404, message = "User does not exist.") })
@AuditEvent(type = AuditEventTypes.USER_PASSWORD_UPDATE)
public void changePassword(@ApiParam(name = "userId", value = "The id of the user whose password to change.", required = true) @PathParam("userId") String userId, @ApiParam(name = "JSON body", value = "The old and new passwords.", required = true) @Valid ChangePasswordRequest cr) throws ValidationException {
final User user = loadUserById(userId);
final String username = user.getName();
if (!getSubject().isPermitted(RestPermissions.USERS_PASSWORDCHANGE + ":" + username)) {
throw new ForbiddenException("Not allowed to change password for user " + username);
}
if (user.isExternalUser()) {
final String msg = "Cannot change password for external user.";
LOG.error(msg);
throw new ForbiddenException(msg);
}
boolean checkOldPassword = true;
// the rationale is to prevent accidental or malicious change of admin passwords (e.g. to prevent locking out legitimate admins)
if (getSubject().isPermitted(RestPermissions.USERS_PASSWORDCHANGE + ":*")) {
if (username.equals(getSubject().getPrincipal())) {
LOG.debug("User {} is allowed to change the password of any user, but attempts to change own password. Must supply the old password.", getSubject().getPrincipal());
checkOldPassword = true;
} else {
LOG.debug("User {} is allowed to change the password for any user, including {}, ignoring old password", getSubject().getPrincipal(), username);
checkOldPassword = false;
}
}
boolean changeAllowed = false;
if (checkOldPassword) {
if (userManagementService.isUserPassword(user, cr.oldPassword())) {
changeAllowed = true;
}
} else {
changeAllowed = true;
}
if (changeAllowed) {
if (checkOldPassword) {
userManagementService.changePassword(user, cr.oldPassword(), cr.password());
} else {
userManagementService.changePassword(user, cr.password());
}
} else {
throw new BadRequestException("Old password is missing or incorrect.");
}
}
Also used :
ForbiddenException(javax.ws.rs.ForbiddenException)
User(org.graylog2.plugin.database.users.User)
BadRequestException(javax.ws.rs.BadRequestException)
Path(javax.ws.rs.Path)
ApiOperation(io.swagger.annotations.ApiOperation)
AuditEvent(org.graylog2.audit.jersey.AuditEvent)
PUT(javax.ws.rs.PUT)
ApiResponses(io.swagger.annotations.ApiResponses)
Aggregations
ApiOperation (io.swagger.annotations.ApiOperation)1
ApiResponses (io.swagger.annotations.ApiResponses)1
BadRequestException (javax.ws.rs.BadRequestException)1
ForbiddenException (javax.ws.rs.ForbiddenException)1
PUT (javax.ws.rs.PUT)1
Path (javax.ws.rs.Path)1
AuditEvent (org.graylog2.audit.jersey.AuditEvent)1
User (org.graylog2.plugin.database.users.User)1
