1 /*
2  Copyright (C) 2014-2016 Leosac
3 
4  This file is part of Leosac.
5 
6  Leosac is free software: you can redistribute it and/or modify
7  it under the terms of the GNU Affero General Public License as published by
8  the Free Software Foundation, either version 3 of the License, or
9  (at your option) any later version.
10 
11  Leosac is distributed in the hope that it will be useful,
12  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  GNU Affero General Public License for more details.
15 
16  You should have received a copy of the GNU Affero General Public License
17  along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19 
20 #include "PasswordChange.hpp"
21 #include "Exceptions.hpp"
22 #include "WSServer.hpp"
23 #include "api/APISession.hpp"
25 #include "core/audit/UserEvent.hpp"
26 #include "core/auth/User_odb.h"
29 #include "tools/db/DBService.hpp"
30 
31 using namespace Leosac;
32 using namespace Leosac::Module;
33 using namespace Leosac::Module::WebSockAPI;
34 
36  : MethodHandler(ctx)
37 {
38 }
39 
41 {
42  return std::make_unique<PasswordChange>(ctx);
43 }
44 
// process_impl(req): sets the password of the user identified by
// req["user_id"] to req["new_password"].  The signature line (45) and
// several body lines (59, 67, 74, 77) are omitted by this rendering; the
// symbol index for this file references Audit::Factory::UserEvent,
// USER_PASSWORD_CHANGE_FAILURE, USER_PASSWORD_CHANGED and
// WSServer::clear_user_sessions, which presumably live on those lines.
//
// Security-relevant behaviour visible here:
//  * A caller changing their OWN password must also supply a correct
//    `current_password`; a mismatch is audited, committed, and rejected
//    with PermissionDenied.
//  * Changing ANOTHER user's password performs no current-password check
//    in this handler; that path relies on the USER_CHANGE_PASSWORD
//    permission demanded by required_permission() before this runs.
//  * No password-strength or minimum-length validation is visible here; if
//    any exists it would be inside User::password() — confirm.
//  * Throws EntityNotFound when no user matches `uid`; the nlohmann .at()
//    calls throw if a required field is absent (handled by the caller,
//    presumably).
// Returns an empty json object; success is signalled by not throwing.
46 {
47  json rep;
48 
49  using query = odb::query<Auth::User>;
50  DBPtr db = ctx_.dbsrv->db();
 // One transaction covers lookup, audit and update; an uncommitted `t`
 // is rolled back by its destructor when an exception escapes below.
51  odb::transaction t(db->begin());
52  auto uid = req.at("user_id").get<Auth::UserId>();
53  auto new_password = req.at("new_password").get<std::string>();
54 
55  Auth::UserPtr user = db->query_one<Auth::User>(query::id == uid);
56  if (user)
57  {
58  using namespace FlagSetOperator;
 // `audit` (used below) is declared on omitted line 59 — presumably an
 // Audit::IUserEventPtr from Audit::Factory::UserEvent(db, user,
 // ctx_.audit); confirm against the real source.
60 
 // Self-service change: the caller must prove knowledge of the old
 // password.  Other users' passwords are gated purely by permission.
61  if (uid == ctx_.session->current_user_id())
62  {
63  auto current_password = req.at("current_password").get<std::string>();
64  // When changing our own password, we check the `current_password` field.
65  if (!user->verify_password(current_password))
66  {
 // Omitted line 67 presumably records USER_PASSWORD_CHANGE_FAILURE on
 // `audit`.  The audit entry is finalized and the transaction committed
 // BEFORE throwing, so the failed attempt is persisted even though the
 // request itself is rejected.
68  audit->finalize();
69  t.commit();
70  throw PermissionDenied("Invalid `current_password`.");
71  }
72  }
 // Event mask continues on omitted line 74 (presumably
 // Audit::EventType::USER_PASSWORD_CHANGED).
73  audit->event_mask(Audit::EventType::USER_EDITED |
75  user->password(new_password);
76 
 // Omitted line 77 presumably invalidates the user's other sessions via
 // ctx_.server.clear_user_sessions(user, ctx_.session).  If so, note it
 // runs before db->update()/t.commit(): sessions are dropped even if the
 // commit later fails — confirm whether that ordering is intended.
78  audit->finalize();
79  db->update(user);
80  }
81  else
 // `t` is left uncommitted here and rolled back on unwind.
82  throw EntityNotFound(uid, "user");
83  t.commit();
84  return rep;
85 }
86 
// required_permission(req): declares that the caller must hold
// USER_CHANGE_PASSWORD for the target req["user_id"] before process_impl()
// runs.  The signature line (88) and the declaration of `uap` (omitted
// line 91; a SecurityContext::UserActionParam per the symbol index) are not
// shown in this rendering.
// Because the action parameter is the *target* user, the distinction
// between "change my own password" and "change someone else's" is decided
// by the security-context policy, not by this handler.
87 std::vector<ActionActionParam>
89 {
90  std::vector<ActionActionParam> perm;
 // `uap` is declared on omitted line 91.
92  uap.user_id = req.at("user_id").get<Auth::UserId>();
93 
94  perm.emplace_back(SecurityContext::Action::USER_CHANGE_PASSWORD, uap);
95  return perm;
96 }