mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-25 05:34:06 -08:00
Fixed #13336 - Save unhashed password if no password provided
Signed-off-by: snipe <snipe@snipe.net>
parent
1e1aea2eb0
commit
b54e7dc3ee
|
@ -180,10 +180,6 @@ class LdapSync extends Command
|
|||
}
|
||||
}
|
||||
|
||||
/* Create user account entries in Snipe-IT */
|
||||
$tmp_pass = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 20);
|
||||
$pass = bcrypt($tmp_pass);
|
||||
|
||||
$manager_cache = [];
|
||||
|
||||
if($ldap_default_group != null) {
|
||||
|
@ -229,7 +225,7 @@ class LdapSync extends Command
|
|||
} else {
|
||||
// Creating a new user.
|
||||
$user = new User;
|
||||
$user->password = $pass;
|
||||
$user->password = $user->noPassword();
|
||||
$user->activated = 1; // newly created users can log in by default, unless AD's UAC is in use, or an active flag is set (below)
|
||||
$item['createorupdate'] = 'created';
|
||||
}
|
||||
|
|
|
@ -362,7 +362,13 @@ class UsersController extends Controller
|
|||
$user->permissions = $permissions_array;
|
||||
}
|
||||
|
||||
$tmp_pass = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 40);
|
||||
//
|
||||
if ($request->filled('password')) {
|
||||
$user->password = bcrypt($request->get('password'));
|
||||
} else {
|
||||
$user->password = $user->noPassword();
|
||||
}
|
||||
|
||||
$user->password = bcrypt($request->get('password', $tmp_pass));
|
||||
|
||||
app('App\Http\Requests\ImageUploadRequest')->handleImages($user, 600, 'image', 'avatars', 'avatar');
|
||||
|
|
|
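Review bot: The bare `//` left above `if ($request->filled('password'))` should either be removed or explain the branch, because the `else` arm now stores a value that is deliberately not a hash. Something like `// No password supplied: store the placeholder so the account has no usable local password until one is set` would make the intent clear. It would also help to say whether such an account is expected to go through a reset or invite flow, which this hunk does not show. The enclosing method starts and ends outside the hunk.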
@ -191,9 +191,11 @@ class LoginController extends Controller
|
|||
|
||||
$ldap_attr = Ldap::parseAndMapLdapAttributes($ldap_user);
|
||||
|
||||
$user->password = $user->noPassword();
|
||||
if (Setting::getSettings()->ldap_pw_sync=='1') {
|
||||
$user->password = bcrypt($request->input('password'));
|
||||
}
|
||||
|
||||
$user->email = $ldap_attr['email'];
|
||||
$user->first_name = $ldap_attr['firstname'];
|
||||
$user->last_name = $ldap_attr['lastname']; //FIXME (or TODO?) - do we need to map additional fields that we now support? E.g. country, phone, etc.
|
||||
|
|
|
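Review bot: The unconditional `$user->password = $user->noPassword();` ahead of the `ldap_pw_sync` check overwrites whatever was stored for this user each time this code runs with sync off, and that behavior change is not explained. If `$user` can be an account that already had a local password hash (the surrounding function is outside the hunk, so this is inferred), that hash is silently replaced and the account loses any local login fallback. If that is the intent, say so above the assignment, e.g. `// LDAP is authoritative: drop any stored local hash unless password sync is enabled`.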
@ -252,13 +252,10 @@ class Ldap extends Model
|
|||
$user->last_name = $item['lastname'];
|
||||
$user->username = $item['username'];
|
||||
$user->email = $item['email'];
|
||||
$user->noPassword();
|
||||
|
||||
if (Setting::getSettings()->ldap_pw_sync == '1') {
|
||||
|
||||
$user->password = bcrypt($password);
|
||||
} else {
|
||||
$pass = substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, 25);
|
||||
$user->password = bcrypt($pass);
|
||||
}
|
||||
|
||||
$user->activated = 1;
|
||||
|
@ -268,7 +265,7 @@ class Ldap extends Model
|
|||
if ($user->save()) {
|
||||
return $user;
|
||||
} else {
|
||||
LOG::debug('Could not create user.'.$user->getErrors());
|
||||
\Log::debug('Could not create user.'.$user->getErrors());
|
||||
throw new Exception('Could not create user: '.$user->getErrors());
|
||||
}
|
||||
}
|
||||
|
|
|
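Review bot: The added `$user->noPassword();` line in the first hunk discards its return value; as defined in `User` in this same commit, `noPassword()` only returns the placeholder string and assigns nothing. With the old `else` branch removed, `$user->password` is therefore left unset whenever `ldap_pw_sync` is not `'1'`, and `$user->save()` will either fail or persist an empty password, depending on validation rules and schema not visible here. The line should read `$user->password = $user->noPassword();`, as the LdapSync and LoginController changes do. The SCIMUser constructor has the same problem with `$this->noPassword();` after `parent::__construct($attributes)`; there the fix would be `$this->password = $this->noPassword();`. The enclosing method starts outside the hunk.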
@ -9,8 +9,7 @@ class SCIMUser extends User
|
|||
protected $throwValidationExceptions = true; // we want model-level validation to fully THROW, not just return false
|
||||
|
||||
public function __construct(array $attributes = []) {
|
||||
$attributes['password'] = "*NO PASSWORD*";
|
||||
// $attributes['activated'] = 1;
|
||||
parent::__construct($attributes);
|
||||
$this->noPassword();
|
||||
}
|
||||
}
|
|
@ -465,6 +465,22 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
|
|||
return $this->belongsToMany(Asset::class, 'checkout_requests', 'user_id', 'requestable_id')->whereNull('canceled_at');
|
||||
}
|
||||
|
||||
/**
|
||||
* Set a common string when the user has been imported/synced from:
|
||||
*
|
||||
* - LDAP without password syncing
|
||||
* - SCIM
|
||||
* - CSV import where no password was provided
|
||||
*
|
||||
* @author A. Gianotto <snipe@snipe.net>
|
||||
* @since [v6.2.0]
|
||||
* @return string
|
||||
*/
|
||||
public function noPassword()
|
||||
{
|
||||
return "*** NO PASSWORD ***";
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Query builder scope to return NOT-deleted users
|
||||
|
|
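Review bot: The docblock on `noPassword()` says "Set a common string", but the method only returns `"*** NO PASSWORD ***"`, so callers must assign the result themselves; the `Ldap` and `SCIMUser` call sites in this commit call it without assigning. Reword the summary to something like `Return the placeholder stored in the password column when no usable local password exists`, and add a native `: string` return type if the project's PHP baseline allows it. Because the placeholder is not a hash, its safety depends on every login path verifying through the hasher rather than comparing strings; a test asserting that a login submitting this exact string is rejected would pin that down. Exposing the value as a class constant would also keep the literal from being retyped, as the old `"*NO PASSWORD*"` in `SCIMUser` was.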