feat: prevent forced password reset for passwordless users

Signed-off-by: miguel456 <me@nogueira.codes>
2022-10-21 07:47:03 +01:00 · 2022-10-21 07:47:03 +01:00 · cfdc0eb37b
commit cfdc0eb37b
parent c6bc4da41c
2 changed files with 41 additions and 26 deletions
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@ -358,20 +358,27 @@ class UserController extends Controller
    public function forcePasswordReset(User $user) {

        $this->authorize('adminEdit', $user);
-        $user->notify(new PasswordAdminResetNotification());

-        $user->password = null;
-        $user->save();
+        if (!$user->hasPassword()) {
+            $user->notify(new PasswordAdminResetNotification());
+
+            $user->password = null;
+            $user->save();


-        Log::alert("Removed account password", [
-            'target' => $user,
-            'actor' => Auth::user()
-        ]);
+            Log::alert("Removed account password", [
+                'target' => $user,
+                'actor' => Auth::user()
+            ]);
+
+            return redirect()
+                ->back()
+                ->with('success', __('Account password removed.'));
+        }

        return redirect()
            ->back()
-            ->with('success', 'Account password removed.');
+            ->with('error', __('This user doesn\'t have a password to reset.'));
    }


--- a/resources/views/dashboard/user/manage.blade.php
+++ b/resources/views/dashboard/user/manage.blade.php
@ -43,29 +43,31 @@

    @endif

-    <x-modal id="resetAccountPasswordModal" modal-label="resetAccountPassword" modal-title="{{ __('Verify your identity') }}" include-close-button="true">
+    @if($user->hasPassword())
+        <x-modal id="resetAccountPasswordModal" modal-label="resetAccountPassword" modal-title="{{ __('Verify your identity') }}" include-close-button="true">

-        <p>{{ __('Forcing a password reset will automatically notify the account holder and send them a password reset link. Please confirm this action by verifying your identity below.') }}</p>
+            <p>{{ __('Forcing a password reset will automatically notify the account holder and send them a password reset link. Please confirm this action by verifying your identity below.') }}</p>

-        <form id="resetAccountPasswordForm" method="POST" action="{{ route('force-reset-user', ['user' => $user]) }}">
-            @csrf
-            @method('patch')
+            <form id="resetAccountPasswordForm" method="POST" action="{{ route('force-reset-user', ['user' => $user]) }}">
+                @csrf
+                @method('patch')

-            <x-confirm-password>
-                {{ __('Re-entering your password is required to confirm sensitive administration actions.') }}
-            </x-confirm-password>
+                <x-confirm-password>
+                    {{ __('Re-entering your password is required to confirm sensitive administration actions.') }}
+                </x-confirm-password>

-            <x-confirm-second-factor>
-                {{ __('Two-factor authentication is required to confirm sensitive administration actions.') }}
-            </x-confirm-second-factor>
+                <x-confirm-second-factor>
+                    {{ __('Two-factor authentication is required to confirm sensitive administration actions.') }}
+                </x-confirm-second-factor>

-        </form>
+            </form>

-        <x-slot name="modalFooter">
-            <button onclick="$('#resetAccountPasswordForm').submit()" type="button" class="btn btn-warning"><i class="fas fa-check"></i> {{ __('Re-authenticate and verify') }}</button>
-        </x-slot>
+            <x-slot name="modalFooter">
+                <button onclick="$('#resetAccountPasswordForm').submit()" type="button" class="btn btn-warning"><i class="fas fa-check"></i> {{ __('Re-authenticate and verify') }}</button>
+            </x-slot>

-    </x-modal>
+        </x-modal>
+    @endif

    <x-modal id="banAccountModal" modal-label="banAccount" modal-title="{{__('Please confirm')}}" include-close-button="true">

@ -413,7 +415,7 @@
                        </x-alert>
                    @endif

-                    @if (!$isSuspended)
+                        @if (!$isSuspended)
                            <button onclick="$('#banAccountModal').modal('show')" type="button" class="btn btn-warning mr-3"><i class="fas fa-user-slash"></i> {{ __('Suspend account') }}</button>
                        @else
                            <form class="d-inline" method="post" action="{{ route('unbanUser', ['user' => $user]) }}">
@ -423,7 +425,13 @@
                                <button type="submit" class="btn btn-success mr-2"><i class="fas fa-user"></i> {{ __('Unsuspend account') }}</button>
                            </form>
                        @endif
-                        <button onclick="$('#resetAccountPasswordModal').modal('show')" class="btn-danger btn mr-3" type="button"><i class="fas fa-key"></i> {{ __('Force password reset') }}</button>
+
+                        @if($user->hasPassword())
+                            <button onclick="$('#resetAccountPasswordModal').modal('show')" class="btn-danger btn mr-3" type="button"><i class="fas fa-key"></i> {{ __('Force password reset') }}</button>
+                        @else
+                            <button disabled class="btn-danger btn mr-3" type="button"><i class="fas fa-key"></i> {{ __('Force password reset') }}</button>
+                        @endif
+
                        @if($user->has2FA())
                            <button onclick="$('#resetTwoFactorModal').modal('show')" class="btn-danger btn mr-3" type="button"><i class="fas fa-unlock"></i> {{ __('Reset MFA') }}</button>
                        @endif