[GitHub] nitin-maharana commented on a change in pull request #2574: [CLOUDSTACK-5235] ask users old password when they are executing a password update

[GitBox]

nitin-maharana commented on a change in pull request #2574: [CLOUDSTACK-5235] 
ask users old password when they are executing a password update
URL: https://github.com/apache/cloudstack/pull/2574#discussion_r182030109
 
 

 ##########
 File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
 ##########
 @@ -1153,157 +1152,246 @@ public UserVO createUser(String userName, String 
password, String firstName, Str
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = 
"creating User")
-    public UserVO createUser(String userName, String password, String 
firstName, String lastName, String email, String timeZone, String accountName, 
Long domainId,
-            String userUUID) {
+    public UserVO createUser(String userName, String password, String 
firstName, String lastName, String email, String timeZone, String accountName, 
Long domainId, String userUUID) {
 
         return createUser(userName, password, firstName, lastName, email, 
timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN);
     }
 
     @Override
-    @ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = 
"updating User")
-    public UserAccount updateUser(Long userId, String firstName, String 
lastName, String email, String userName, String password, String apiKey, String 
secretKey,
-            String timeZone) {
-        // Input validation
-        UserVO user = _userDao.getUser(userId);
+    @ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = 
"Updating User")
+    public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
+        UserVO user = retrieveAndValidateUser(updateUserCmd);
+        s_logger.debug("Updating user with Id: " + user.getUuid());
 
-        if (user == null) {
-            throw new InvalidParameterValueException("unable to find user by 
id");
-        }
+        validateAndUpdatApiAndSecretKeyIfNeeded(updateUserCmd, user);
+        Account account = retrieveAndValidateAccount(user);
 
-        if ((apiKey == null && secretKey != null) || (apiKey != null && 
secretKey == null)) {
-            throw new InvalidParameterValueException("Please provide an 
userApiKey/userSecretKey pair");
-        }
+        validateAndUpdateFirstNameIfNeeded(updateUserCmd, user);
+        validateAndUpdateLastNameIfNeeded(updateUserCmd, user);
+        validateAndUpdateUsernameIfNeeded(updateUserCmd, user, account);
 
-        // If the account is an admin type, return an error. We do not allow 
this
-        Account account = _accountDao.findById(user.getAccountId());
-        if (account == null) {
-            throw new InvalidParameterValueException("unable to find user 
account " + user.getAccountId());
+        validateUserPasswordAndUpdateIfNeeded(updateUserCmd.getPassword(), 
user, updateUserCmd.getOldPassword());
+        String email = updateUserCmd.getEmail();
+        if (StringUtils.isNotBlank(email)) {
+            user.setEmail(email);
         }
-
-        // don't allow updating project account
-        if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
-            throw new InvalidParameterValueException("unable to find user by 
id");
+        String timezone = updateUserCmd.getTimezone();
+        if (StringUtils.isNotBlank(timezone)) {
+            user.setTimezone(timezone);
+        }
+        _userDao.update(user.getId(), user);
+        return _userAccountDao.findById(user.getId());
+    }
+
+    /**
+     * Updates the password in the user POJO if needed. If no password is 
provided, then the password is not updated.
+     * The following validations are executed if 'password' is not null. 
Admins (root admins or domain admins) can execute password updates without 
entering the old password.
+     * <ul>
+     *  <li> If 'password' is blank, we throw an {@link 
InvalidParameterValueException};
+     *  <li> If old password is not provided and user is not an Admin, we 
throw an {@link InvalidParameterValueException};
+     *  <li> If a normal user is calling this method, we use {@link 
#validateOldPassword(UserVO, String)} to check if the provided old password 
matches the database one;
+     * </ul>
+     *
+     * If all checks pass, we encode the given password with the most 
preferable password mechanism given in {@link #_userPasswordEncoders}.
+     */
+    protected void validateUserPasswordAndUpdateIfNeeded(String password, 
UserVO user, String oldPassword) {
 
 Review comment:
   I think newPassword name would be more meaningful.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services