feat(controller): validate new user password + only allow to change own user password
This commit is contained in:
parent
5b299b993a
commit
51bc89dfb7
|
|
@ -135,16 +135,6 @@ func (a *Api) changePassword(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
userToChangePasswd := mux.Vars(r)["user"]
|
|
||||||
if userToChangePasswd != "" && userToChangePasswd != email {
|
|
||||||
rUser, _ := a.db.FindUser(email)
|
|
||||||
if rUser.Level != db.AdminUser {
|
|
||||||
w.WriteHeader(http.StatusForbidden)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
email = userToChangePasswd
|
|
||||||
}
|
|
||||||
|
|
||||||
var user db.User
|
var user db.User
|
||||||
err = json.NewDecoder(r.Body).Decode(&user)
|
err = json.NewDecoder(r.Body).Decode(&user)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -154,6 +144,12 @@ func (a *Api) changePassword(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
user.Email = email
|
user.Email = email
|
||||||
|
|
||||||
|
if len(user.Password) < 8 {
|
||||||
|
w.WriteHeader(http.StatusBadRequest)
|
||||||
|
w.Write([]byte("Password must be at least 8 characters long"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if err := user.HashPassword(user.Password); err != nil {
|
if err := user.HashPassword(user.Password); err != nil {
|
||||||
w.WriteHeader(http.StatusInternalServerError)
|
w.WriteHeader(http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
|
|
@ -164,6 +160,7 @@ func (a *Api) changePassword(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
w.WriteHeader(http.StatusNoContent)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Api) registerAdminUser(w http.ResponseWriter, r *http.Request) {
|
func (a *Api) registerAdminUser(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
|
||||||
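Review bot: With the `mux.Vars(r)["user"]` branch removed in the first hunk, a request that still names another user in the path (if the route keeps its `{user}` variable) is no longer rejected — it silently changes the caller's own password and returns 204, which hides a mismatch between what was requested and what happened; keep an explicit guard such as `if u := mux.Vars(r)["user"]; u != "" && u != email { w.WriteHeader(http.StatusForbidden); return }` before the body is decoded, or drop the path variable from the route. In the second hunk, `len(user.Password) < 8` counts bytes, not characters, so a seven-rune non-ASCII password passes the check; `utf8.RuneCountInString(user.Password) < 8` (needs `unicode/utf8`) matches the intent of the error message. The same hunk should also consider an upper bound, since `user.HashPassword` is not shown here and some hash functions silently truncate long inputs — confirm against its implementation. The enclosing `changePassword` function starts before the first hunk, and the return value of `w.Write` on the 400 path is ignored.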