diff options
Diffstat (limited to 'app/controllers/user_settings/passwords_controller.rb')
-rw-r--r-- | app/controllers/user_settings/passwords_controller.rb | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/app/controllers/user_settings/passwords_controller.rb b/app/controllers/user_settings/passwords_controller.rb new file mode 100644 index 00000000000..d68ddf90d49 --- /dev/null +++ b/app/controllers/user_settings/passwords_controller.rb @@ -0,0 +1,103 @@ +# frozen_string_literal: true + +module UserSettings + class PasswordsController < ApplicationController + include Gitlab::Tracking::Helpers::WeakPasswordErrorEvent + + skip_before_action :check_password_expiration, only: [:new, :create] + skip_before_action :check_two_factor_requirement, only: [:new, :create] + + before_action :set_user + before_action :authorize_change_password! + + layout :determine_layout + + feature_category :system_access + + def new; end + + def create + unless @user.password_automatically_set || @user.valid_password?(user_params[:password]) + redirect_to new_user_settings_password_path, alert: _('You must provide a valid current password') + return + end + + result = Users::UpdateService.new(current_user, password_attributes.merge(user: @user)).execute + + if result[:status] == :success + Users::UpdateService.new(current_user, user: @user, password_expires_at: nil).execute + + redirect_to root_path, notice: _('Password successfully changed') + else + track_weak_password_error(@user, self.class.name, 'create') + render :new + end + end + + def edit; end + + def update + unless @user.password_automatically_set || @user.valid_password?(user_params[:password]) + handle_invalid_current_password_attempt! + + redirect_to edit_user_settings_password_path, alert: _('You must provide a valid current password') + return + end + + result = Users::UpdateService.new(current_user, password_attributes.merge(user: @user)).execute + + if result[:status] == :success + flash[:notice] = _('Password was successfully updated. Please sign in again.') + redirect_to new_user_session_path + else + track_weak_password_error(@user, self.class.name, 'update') + @user.reset + render 'edit' + end + end + + def reset + current_user.send_reset_password_instructions + redirect_to edit_user_settings_password_path, notice: _('We sent you an email with reset password instructions') + end + + private + + def set_user + @user = current_user + end + + def determine_layout + if [:new, :create].include?(action_name.to_sym) + 'application' + else + 'profile' + end + end + + def authorize_change_password! + render_404 unless @user.allow_password_authentication? + end + + def handle_invalid_current_password_attempt! + Gitlab::AppLogger.info(message: 'Invalid current password when attempting to update user password', + username: @user.username, ip: request.remote_ip) + + @user.increment_failed_attempts! + end + + def user_params + params.require(:user).permit(:password, :new_password, :password_confirmation) + end + + def password_attributes + { + password: user_params[:new_password], + password_confirmation: user_params[:password_confirmation], + password_automatically_set: false + } + end + end +end + +UserSettings::PasswordsController.prepend_mod |