Fix bug to allow staff members to recover their passwords even if user system is disabled.

2019-11-08 19:42:02 -03:00 · 2019-11-08 19:42:02 -03:00 · 1c4bd7df17
parent e12857392b
commit 1c4bd7df17
3 changed files with 36 additions and 6 deletions
--- a/server/controllers/user/recover-password.php
+++ b/server/controllers/user/recover-password.php
@ -56,10 +56,6 @@ class RecoverPasswordController extends Controller {
    }

    public function handler() {
-        if(!Controller::isUserSystemEnabled()) {
-            throw new RequestException(ERRORS::USER_SYSTEM_DISABLED);
-        }
-
        $this->requestData();
        $this->changePassword();
    }
@ -77,6 +73,10 @@ class RecoverPasswordController extends Controller {
            throw new RequestException(ERRORS::NO_PERMISSION);
        }

+        if(!Controller::isUserSystemEnabled() && !$recoverPassword->staff) {
+            throw new RequestException(ERRORS::USER_SYSTEM_DISABLED);
+        }
+
        if($recoverPassword->staff) {
            $this->user = Staff::getDataStore($this->email, 'email');
        } else {
--- a/server/controllers/user/send-recover-password.php
+++ b/server/controllers/user/send-recover-password.php
@ -49,11 +49,12 @@ class SendRecoverPasswordController extends Controller {
    }

    public function handler() {
-        if(!Controller::isUserSystemEnabled()) {
+        $this->staff = Controller::request('staff');
+
+        if(!Controller::isUserSystemEnabled() && !$this->staff) {
            throw new RequestException(ERRORS::USER_SYSTEM_DISABLED);
        }

-        $this->staff = Controller::request('staff');
        $email = Controller::request('email');

        if($this->staff){
--- a/tests/system/disable-user-system.rb
+++ b/tests/system/disable-user-system.rb
@ -113,7 +113,36 @@ describe'system/disable-user-system' do
            (result['message']).should.equal('SYSTEM_USER_IS_ALREADY_DISABLED')
        end

+        it 'should allow staff members to recover their passwords' do
+            request('/user/logout')
+            result = request('/user/send-recover-password', {
+                email: 'jorah@opensupports.com',
+                staff: true
+            })
+            (result['status']).should.equal('success')
+
+            token = $database.getLastRow('recoverpassword')['token'];
+
+            result = request('/user/recover-password', {
+                email: 'jorah@opensupports.com',
+                password: 's3cur3p455w0rd',
+                token: token
+            })
+            (result['status']).should.equal('success')
+            (result['data']['staff']).should.equal('1')
+
+            result = request('/user/login', {
+                email: 'jorah@opensupports.com',
+                password: 's3cur3p455w0rd',
+                staff: true
+            })
+            (result['status']).should.equal('success')
+            (result['data']['userEmail']).should.equal('jorah@opensupports.com')
+        end
+
        it 'should enable the user system' do
+            request('/user/logout')
+            Scripts.login($staff[:email], $staff[:password], true)
            result = request('/system/enable-user-system', {
                csrf_userid: $csrf_userid,
                csrf_token: $csrf_token,