[NEW] Added setting to disable password changes for users who log in using SSO (#10391)

Co-authored-by: Pierre <pierre.lehnen@rocket.chat>

[NEW] Added setting to disable password changes for users who log in using SSO (#10391)
cd870dd0 · Pierre H. Lehnen · GitHub · b695e202 · cd870dd0 · cd870dd0
Unverified Commit cd870dd0 authored 4 years ago by Pierre H. Lehnen Committed by GitHub 4 years ago
--- a/app/lib/server/startup/settings.js
+++ b/app/lib/server/startup/settings.js
@@ -61,6 +61,10 @@ settings.addGroup('Accounts', function() {
 		type: 'boolean',
 		public: true,
 	});
+	this.add('Accounts_AllowPasswordChangeForOAuthUsers', true, {
+		type: 'boolean',
+		public: true,
+	});
 	this.add('Accounts_AllowEmailNotifications', true, {
 		type: 'boolean',
 		public: true,

--- a/client/account/AccountProfilePage.js
+++ b/client/account/AccountProfilePage.js
@@ -55,13 +55,18 @@ const AccountProfilePage = () => {
 	const allowUserStatusMessageChange = useSetting('Accounts_AllowUserStatusMessageChange');
 	const allowUsernameChange = useSetting('Accounts_AllowUsernameChange');
 	const allowEmailChange = useSetting('Accounts_AllowEmailChange');
-	const allowPasswordChange = useSetting('Accounts_AllowPasswordChange');
+	let allowPasswordChange = useSetting('Accounts_AllowPasswordChange');
+	const allowOAuthPasswordChange = useSetting('Accounts_AllowPasswordChangeForOAuthUsers');
 	const allowUserAvatarChange = useSetting('Accounts_AllowUserAvatarChange');
 	const allowDeleteOwnAccount = useSetting('Accounts_AllowDeleteOwnAccount');
 	const ldapEnabled = useSetting('LDAP_Enable');
 	const requireName = useSetting('Accounts_RequireNameForSignUp');
 	const namesRegexSetting = useSetting('UTF8_Names_Validation');

+	if (allowPasswordChange && !allowOAuthPasswordChange) {
+		allowPasswordChange = Boolean(user?.services?.password?.bcrypt);
+	}
+
 	const namesRegex = useMemo(() => new RegExp(`^${ namesRegexSetting }$`), [namesRegexSetting]);

 	const canChangeUsername = allowUsernameChange && !ldapEnabled;

--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -42,6 +42,7 @@
  "Accounts_AllowEmailChange": "Allow Email Change",
  "Accounts_AllowEmailNotifications": "Allow Email Notifications",
  "Accounts_AllowPasswordChange": "Allow Password Change",
+  "Accounts_AllowPasswordChangeForOAuthUsers": "Allow Password Change for OAuth Users",
  "Accounts_AllowRealNameChange": "Allow Name Change",
  "Accounts_AllowUserAvatarChange": "Allow User Avatar Change",
  "Accounts_AllowUsernameChange": "Allow Username Change",

--- a/server/methods/saveUserProfile.js
+++ b/server/methods/saveUserProfile.js
@@ -74,31 +74,34 @@ Meteor.methods({
 			Meteor.call('setEmail', settings.email);
 		}

-		// Should be the last check to prevent error when trying to check password for users without password
-		if (settings.newPassword && rcSettings.get('Accounts_AllowPasswordChange') === true) {
-			if (!compareUserPassword(user, { sha256: settings.typedPassword })) {
-				throw new Meteor.Error('error-invalid-password', 'Invalid password', {
-					method: 'saveUserProfile',
+		const canChangePasswordForOAuth = rcSettings.get('Accounts_AllowPasswordChangeForOAuthUsers');
+		if (canChangePasswordForOAuth || user.services?.password) {
+			// Should be the last check to prevent error when trying to check password for users without password
+			if (settings.newPassword && rcSettings.get('Accounts_AllowPasswordChange') === true) {
+				if (!compareUserPassword(user, { sha256: settings.typedPassword })) {
+					throw new Meteor.Error('error-invalid-password', 'Invalid password', {
+						method: 'saveUserProfile',
+					});
+				}
+
+				// don't let user change to same password
+				if (compareUserPassword(user, { plain: settings.newPassword })) {
+					throw new Meteor.Error('error-password-same-as-current', 'Entered password same as current password', {
+						method: 'saveUserProfile',
+					});
+				}
+
+				passwordPolicy.validate(settings.newPassword);
+
+				Accounts.setPassword(this.userId, settings.newPassword, {
+					logout: false,
 				});
-			}
-
-			// don't let user change to same password
-			if (compareUserPassword(user, { plain: settings.newPassword })) {
-				throw new Meteor.Error('error-password-same-as-current', 'Entered password same as current password', {
-					method: 'saveUserProfile',
-				});
-			}
-
-			passwordPolicy.validate(settings.newPassword);
-
-			Accounts.setPassword(this.userId, settings.newPassword, {
-				logout: false,
-			});

-			try {
-				Meteor.call('removeOtherTokens');
-			} catch (e) {
-				Accounts._clearAllLoginTokens(this.userId);
+				try {
+					Meteor.call('removeOtherTokens');
+				} catch (e) {
+					Accounts._clearAllLoginTokens(this.userId);
+				}
 			}
 		}


--- a/server/methods/sendForgotPasswordEmail.js
+++ b/server/methods/sendForgotPasswordEmail.js
@@ -3,6 +3,7 @@ import { check } from 'meteor/check';
 import { Accounts } from 'meteor/accounts-base';

 import { Users } from '../../app/models';
+import { settings } from '../../app/settings/server';

 Meteor.methods({
 	sendForgotPasswordEmail(to) {
@@ -16,6 +17,12 @@ Meteor.methods({
 			return false;
 		}

+		if (user.services && !user.services.password) {
+			if (!settings.get('Accounts_AllowPasswordChangeForOAuthUsers')) {
+				return false;
+			}
+		}
+
 		try {
 			return !!Accounts.sendResetPasswordEmail(user._id, email);
 		} catch (error) {