[BUGFIX] Do not ask for current password if admin 56/52556/2
authorMarkus Klein <markus.klein@typo3.org>
Fri, 21 Apr 2017 20:29:43 +0000 (22:29 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Sat, 22 Apr 2017 09:24:58 +0000 (11:24 +0200)
Hide the field for the current password if the current user is an
admin. If an admin changes the password for someone else, he/she
doesn't know that person's current password anyway.

Besides that, a password can always be changed without providing
a current password by an admin using the BE users module.

Resolves: #80951
Releases: master, 8.7, 7.6
Change-Id: Ic9673197e651df5d1fe5886c4b6f6f76a303062f
Reviewed-on: https://review.typo3.org/52556
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/setup/Classes/Controller/SetupModuleController.php

index 7db4413..70f9b18 100644 (file)
@@ -31,6 +31,7 @@ use TYPO3\CMS\Core\Messaging\FlashMessageService;
 use TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;
 
 /**
  * Script class for the Setup module
@@ -266,9 +267,14 @@ class SetupModuleController extends AbstractModule
                 }
                 // Update the password:
                 if ($passwordIsConfirmed) {
-                    $currentPasswordHashed = $GLOBALS['BE_USER']->user['password'];
-                    $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($currentPasswordHashed);
-                    if ($saltFactory->checkPassword($be_user_data['passwordCurrent'], $currentPasswordHashed)) {
+                    if ($this->isAdmin) {
+                        $passwordOk = true;
+                    } else {
+                        $currentPasswordHashed = $GLOBALS['BE_USER']->user['password'];
+                        $saltFactory = SaltFactory::getSaltingInstance($currentPasswordHashed);
+                        $passwordOk = $saltFactory->checkPassword($be_user_data['passwordCurrent'], $currentPasswordHashed);
+                    }
+                    if ($passwordOk) {
                         $this->passwordIsUpdated = self::PASSWORD_UPDATED;
                         $storeRec['be_users'][$beUserId]['password'] = $be_user_data['password'];
                     } else {
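Review bot: The new branch at `if ($this->isAdmin)` sets `$passwordOk = true` without looking at whose record `$storeRec['be_users'][$beUserId]` belongs to, so an admin updating their own password in this module no longer re-authenticates with the current one; the re-entry of the current password was the one step that kept a password change from going through silently on an unattended or hijacked admin session. The commit message argues that the BE users module already allows this for admins, which makes the change consistent, but that reasoning lives only in the commit and should sit on the line, e.g. `// Admins may set any password without the current one (as in the BE users module); no re-authentication here`. The two branches can also be collapsed into a short-circuit that keeps the hash lookup out of the admin path: `$passwordOk = $this->isAdmin || SaltFactory::getSaltingInstance($GLOBALS['BE_USER']->user['password'])->checkPassword($be_user_data['passwordCurrent'], $GLOBALS['BE_USER']->user['password']);`. The enclosing method starts and ends outside the hunk.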
@@ -895,6 +901,13 @@ class SetupModuleController extends AbstractModule
     protected function getFieldsFromShowItem()
     {
         $allowedFields = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_USER_SETTINGS']['showitem'], true);
+        // do not ask for current password if admin (unknown for other users and no security gain)
+        if ($this->isAdmin) {
+            $key = array_search('passwordCurrent', $allowedFields);
+            if ($key !== false) {
+                unset($allowedFields[$key]);
+            }
+        }
         if (!is_array($this->tsFieldConf)) {
             return $allowedFields;
         }
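Review bot: The `array_search('passwordCurrent', $allowedFields)` call in the added block is non-strict, and the following `unset` leaves a hole in the key sequence returned by `trimExplode`, so any consumer of `$allowedFields` that relies on a contiguous list would see a gap after the removal; I cannot tell from this hunk whether such a consumer exists, so treat that as a point to confirm. Both issues disappear with `$allowedFields = array_values(array_diff($allowedFields, ['passwordCurrent']));` in place of the three inner lines. The comment on the first added line should also say that this only hides the input and that the update path has its own admin check, so a reader does not mistake the field removal for the authorisation decision. getFieldsFromShowItem's body continues past the hunk.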