llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-05-23 02:35:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: fix MFA + LDAP bug in /check-user-password API (#3681)

Browse Source
This commit is contained in:
WindSpiritSR 2025-03-26 22:11:58 +08:00 committed by GitHub
parent 4bee21f4a3
commit 08f7a05e61
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
controllers/user.go
View File

@ -457,10 +457,10 @@ func (c *ApiController) SetPassword() {
newPassword := c.Ctx.Request.Form.Get("newPassword") newPassword := c.Ctx.Request.Form.Get("newPassword")
code := c.Ctx.Request.Form.Get("code") code := c.Ctx.Request.Form.Get("code")
//if userOwner == "built-in" && userName == "admin" { // if userOwner == "built-in" && userName == "admin" {
// c.ResponseError(c.T("auth:Unauthorized operation")) // c.ResponseError(c.T("auth:Unauthorized operation"))
// return // return
//} // }
if strings.Contains(newPassword, " ") { if strings.Contains(newPassword, " ") {
c.ResponseError(c.T("user:New password cannot contain blank space.")) c.ResponseError(c.T("user:New password cannot contain blank space."))
@ -602,7 +602,11 @@ func (c *ApiController) CheckUserPassword() {
return return
} }
_, err = object.CheckUserPassword(user.Owner, user.Name, user.Password, c.GetAcceptLanguage()) /*
* Verified password with user as subject, if field ldap not empty,
* then `isPasswordWithLdapEnabled` is true
*/
_, err = object.CheckUserPassword(user.Owner, user.Name, user.Password, c.GetAcceptLanguage(), false, false, user.Ldap != "")
if err != nil { if err != nil {
c.ResponseError(err.Error()) c.ResponseError(err.Error())
} else { } else {