Fixed #13336 - Save unhashed password if no password provided

Signed-off-by: snipe <snipe@snipe.net>
This commit is contained in:
snipe 2023-07-19 17:44:40 +01:00
parent 1e1aea2eb0
commit b54e7dc3ee
6 changed files with 29 additions and 13 deletions


@ -180,10 +180,6 @@ class LdapSync extends Command
} }
} }
/* Create user account entries in Snipe-IT */
$tmp_pass = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 20);
$pass = bcrypt($tmp_pass);
$manager_cache = []; $manager_cache = [];
if($ldap_default_group != null) { if($ldap_default_group != null) {
@ -229,7 +225,7 @@ class LdapSync extends Command
} else { } else {
// Creating a new user. // Creating a new user.
$user = new User; $user = new User;
$user->password = $pass; $user->password = $user->noPassword();
$user->activated = 1; // newly created users can log in by default, unless AD's UAC is in use, or an active flag is set (below) $user->activated = 1; // newly created users can log in by default, unless AD's UAC is in use, or an active flag is set (below)
$item['createorupdate'] = 'created'; $item['createorupdate'] = 'created';
} }


@ -362,7 +362,13 @@ class UsersController extends Controller
$user->permissions = $permissions_array; $user->permissions = $permissions_array;
} }
$tmp_pass = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 40); //
if ($request->filled('password')) {
$user->password = bcrypt($request->get('password'));
} else {
$user->password = $user->noPassword();
}
$user->password = bcrypt($request->get('password', $tmp_pass)); $user->password = bcrypt($request->get('password', $tmp_pass));
app('App\Http\Requests\ImageUploadRequest')->handleImages($user, 600, 'image', 'avatars', 'avatar'); app('App\Http\Requests\ImageUploadRequest')->handleImages($user, 600, 'image', 'avatars', 'avatar');
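Review bot: The line `$user->password = bcrypt($request->get('password', $tmp_pass));` directly after the new if/else is printed on both sides of the hunk, so as rendered it survives the change and overwrites whatever the branch just assigned, while `$tmp_pass` no longer exists because its assignment is the removed line above. With no password in the request this reads an undefined variable and the fallback is effectively null, so the `noPassword()` sentinel never reaches the model. The fix is to delete that leftover line so the if/else is the only place `$user->password` is set here. The enclosing controller method starts and ends outside the hunk.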


@ -191,9 +191,11 @@ class LoginController extends Controller
$ldap_attr = Ldap::parseAndMapLdapAttributes($ldap_user); $ldap_attr = Ldap::parseAndMapLdapAttributes($ldap_user);
$user->password = $user->noPassword();
if (Setting::getSettings()->ldap_pw_sync=='1') { if (Setting::getSettings()->ldap_pw_sync=='1') {
$user->password = bcrypt($request->input('password')); $user->password = bcrypt($request->input('password'));
} }
$user->email = $ldap_attr['email']; $user->email = $ldap_attr['email'];
$user->first_name = $ldap_attr['firstname']; $user->first_name = $ldap_attr['firstname'];
$user->last_name = $ldap_attr['lastname']; //FIXME (or TODO?) - do we need to map additional fields that we now support? E.g. country, phone, etc. $user->last_name = $ldap_attr['lastname']; //FIXME (or TODO?) - do we need to map additional fields that we now support? E.g. country, phone, etc.


@ -252,13 +252,10 @@ class Ldap extends Model
$user->last_name = $item['lastname']; $user->last_name = $item['lastname'];
$user->username = $item['username']; $user->username = $item['username'];
$user->email = $item['email']; $user->email = $item['email'];
$user->noPassword();
if (Setting::getSettings()->ldap_pw_sync == '1') { if (Setting::getSettings()->ldap_pw_sync == '1') {
$user->password = bcrypt($password); $user->password = bcrypt($password);
} else {
$pass = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 25);
$user->password = bcrypt($pass);
} }
$user->activated = 1; $user->activated = 1;
@ -268,7 +265,7 @@ class Ldap extends Model
if ($user->save()) { if ($user->save()) {
return $user; return $user;
} else { } else {
LOG::debug('Could not create user.'.$user->getErrors()); \Log::debug('Could not create user.'.$user->getErrors());
throw new Exception('Could not create user: '.$user->getErrors()); throw new Exception('Could not create user: '.$user->getErrors());
} }
} }
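Review bot: In the first hunk the added `$user->noPassword();` discards its return value — `User::noPassword()` in this same commit only returns the sentinel string, it does not assign it — so with `ldap_pw_sync` off the user is saved with no password at all, whereas the removed else branch used to set one; the LoginController hunk shows the intended form. Change it to `$user->password = $user->noPassword();`. The SCIMUser constructor in this commit has the same defect (`$this->noPassword();` replaces the old `$attributes['password'] = "*NO PASSWORD*";` but sets nothing). Since the method is a getter, its docblock wording "Set a common string" should read "Return the placeholder string stored in `password` when the user has been imported/synced from:" so callers are not misled again.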


@ -9,8 +9,7 @@ class SCIMUser extends User
protected $throwValidationExceptions = true; // we want model-level validation to fully THROW, not just return false protected $throwValidationExceptions = true; // we want model-level validation to fully THROW, not just return false
public function __construct(array $attributes = []) { public function __construct(array $attributes = []) {
$attributes['password'] = "*NO PASSWORD*";
// $attributes['activated'] = 1;
parent::__construct($attributes); parent::__construct($attributes);
$this->noPassword();
} }
} }


@ -465,6 +465,22 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
return $this->belongsToMany(Asset::class, 'checkout_requests', 'user_id', 'requestable_id')->whereNull('canceled_at'); return $this->belongsToMany(Asset::class, 'checkout_requests', 'user_id', 'requestable_id')->whereNull('canceled_at');
} }
/**
* Set a common string when the user has been imported/synced from:
*
* - LDAP without password syncing
* - SCIM
* - CSV import where no password was provided
*
* @author A. Gianotto <snipe@snipe.net>
* @since [v6.2.0]
* @return string
*/
public function noPassword()
{
return "*** NO PASSWORD ***";
}
/** /**
* Query builder scope to return NOT-deleted users * Query builder scope to return NOT-deleted users