[gatein-commits] gatein SVN: r2239 - in portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui: portal and 1 other directory.
do-not-reply at jboss.org
do-not-reply at jboss.org
Sat Mar 13 17:20:24 EST 2010
Author: thomas.heute at jboss.com
Date: 2010-03-13 17:20:23 -0500 (Sat, 13 Mar 2010)
New Revision: 2239
Modified:
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/login/UIResetPassword.java
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalComponentActionListener.java
Log:
GTNPORTAL-880: password recovery may change anyone's password
Fix a potential security hole
Modified: portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/login/UIResetPassword.java
===================================================================
--- portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/login/UIResetPassword.java 2010-03-13 21:24:19 UTC (rev 2238)
+++ portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/login/UIResetPassword.java 2010-03-13 22:20:23 UTC (rev 2239)
@@ -57,6 +57,8 @@
static User user_;
+ private static GateInToken token;
+
public UIResetPassword() throws Exception
{
addUIFormInput(new UIFormStringInput(USER_NAME, USER_NAME, null).setEditable(false));
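Review bot: `private static GateInToken token;` makes the token process-wide rather than per-form, so a token set by one reset flow satisfies the null/expiry check for any other reset flow running at the same time, and it outlives the form that received it. The same applies to `setToken` in the next hunk, which writes `UIResetPassword.token = token;`. Because `user_` on the context line above is already static, the token and the user it is meant to authorize can come from two different requests. An instance field, `private GateInToken token;` with `this.token = token;` in the setter, ties the token to the form instance that was handed it; the constructor body continues outside the hunk.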
@@ -74,6 +76,11 @@
getUIStringInput(USER_NAME).setValue(user.getUserName());
}
+ public void setToken(GateInToken token)
+ {
+ UIResetPassword.token = token;
+ }
+
@Override
public void reset()
{
@@ -95,23 +102,33 @@
UIMaskWorkspace uiMaskWorkspace = uiApp.getChildById(UIPortalApplication.UI_MASK_WS_ID);
OrganizationService orgService = uiForm.getApplicationComponent(OrganizationService.class);
uiForm.reset();
- boolean isNew = true;
+ boolean setPassword = true;
if (!newpassword.equals(confirmnewpassword))
{
uiApp.addMessage(new ApplicationMessage("UIResetPassword.msg.password-is-not-match", null));
- isNew = false;
+ setPassword = false;
}
-
- if (isNew)
+
+ // Making sure a token exist
+ if (token == null || token.isExpired())
{
+ uiApp.addMessage(new ApplicationMessage("UIForgetPassword.msg.expration", null));
+ setPassword = false;
+ }
+
+ if (setPassword)
+ {
user_.setPassword(newpassword);
orgService.getUserHandler().saveUser(user_, true);
uiMaskWorkspace.setUIComponent(null);
uiMaskWorkspace.setWindowSize(-1, -1);
uiApp.addMessage(new ApplicationMessage("UIResetPassword.msg.change-password-successfully", null));
+
+ // Should invalidate the token here...
}
event.getRequestContext().addUIComponentToUpdateByAjax(uiMaskWorkspace);
}
}
+
}
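Review bot: The new check `if (token == null || token.isExpired())` only confirms that some unexpired token was attached; it does not confirm the token was issued for `user_`, so whichever user is currently held in the static `user_` gets the new password. The `// Should invalidate the token here...` comment means the token stays valid after a successful reset and the same link can be replayed until it expires; the invalidation belongs in the `setPassword` branch before the success message, through whatever component issued the token, which is not visible in this hunk. If GateInToken records the user it was issued for, comparing that to `user_.getUserName()` alongside the expiry check would close the first gap — confirm against the class. The enclosing action listener's signature starts outside the hunk.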
Modified: portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalComponentActionListener.java
===================================================================
--- portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalComponentActionListener.java 2010-03-13 21:24:19 UTC (rev 2238)
+++ portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalComponentActionListener.java 2010-03-13 22:20:23 UTC (rev 2239)
@@ -457,6 +457,7 @@
UIResetPassword uiReset = uiMaskWS.createUIComponent(UIResetPassword.class, null, null);
uiReset.setUser(user);
+ uiReset.setToken(token);
uiMaskWS.setUIComponent(uiReset);
uiMaskWS.setWindowSize(630, -1);
event.getRequestContext().addUIComponentToUpdateByAjax(uiMaskWS);