vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.

commit 814ce9a6accab598a778d9a5a9512e16d2379812
parent 1bee46f64b42e7f550293dc74b31608207b74a6a
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Tue,  4 Jul 2023 20:55:34 +0200

Merge pull request #3632 from sirux88/fix-reset-password-check-issue

fix missing password check while manual reset password enrollment
Diffstat:
Msrc/api/core/organizations.rs | 12++++++++++++
1 file changed, 12 insertions(+), 0 deletions(-)

diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
@@ -2675,6 +2675,7 @@ async fn delete_group_user(
 #[allow(non_snake_case)]
 struct OrganizationUserResetPasswordEnrollmentRequest {
 ResetPasswordKey: Option<String>,
+ MasterPasswordHash: Option<String>,
 }
 #[derive(Deserialize)]
@@ -2856,6 +2857,17 @@ async fn put_reset_password_enrollment(
 err!("Reset password can't be withdrawed due to an enterprise policy");
 }
+ if reset_request.ResetPasswordKey.is_some() {
+ match reset_request.MasterPasswordHash {
+ Some(password) => {
+ if !headers.user.check_valid_password(&password) {
+ err!("Invalid or wrong password")
+ }
+ }
+ None => err!("No password provided"),
+ };
+ }
+ org_user.reset_password_key = reset_request.ResetPasswordKey;
 org_user.save(&mut conn).await?;
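Review bot: The added check in `put_reset_password_enrollment` verifies `MasterPasswordHash` only when `ResetPasswordKey` is `Some`, so a request that sends no key (withdrawal) still reaches `org_user.save` without re-authentication, and the hunk does not say whether that asymmetry is intended. If it is, record it above the `if`, e.g. `// Enrolling stores a key the organization can use to reset this user's master password, so re-authenticate first; withdrawal is gated only by the policy check above.` The `match` ending in `};` could also be flattened to `let Some(password) = reset_request.MasterPasswordHash else { err!("No password provided") };` followed by the existing `check_valid_password` test, assuming `err!` returns early (its use as a match arm suggests so) and the toolchain supports `let … else`. The function body starts and ends outside the hunk.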