Ask for password before resetting settings

2025-06-05 21:59:27 +02:00 · 2024-04-10 22:34:51 +03:00
parent 2306a4e34d
commit 01a4aa51f7
5 changed files with 27 additions and 2 deletions
--- a/public/scripts/login.js
+++ b/public/scripts/login.js
@ -263,4 +263,13 @@ function configureDiscreetLogin() {
    }
    document.getElementById('shadow_popup').style.opacity = '';
    $('#cancelRecovery').on('click', onCancelRecoveryClick);
    $(document).on('keydown', (evt) => {
        if (evt.key === 'Enter' && document.activeElement.tagName === 'INPUT') {
            if ($('#passwordRecoveryBlock').is(':visible')) {
                $('#sendRecovery').trigger('click');
            } else {
                $('#loginButton').trigger('click');
            }
        }
    });
 })();
--- a/public/scripts/templates/resetSettings.html
+++ b/public/scripts/templates/resetSettings.html
@ -5,4 +5,9 @@
    <div data-i18n="Don't forget to save a snapshot of your settings before proceeding.">
        Don't forget to save a snapshot of your settings before proceeding.
    </div>
    <hr>
    <div>
        Enter your password below to confirm:
    </div>
    <input id="resetSettingsPassword" name="password" type="password" class="text_pole" placeholder="Password">
 </div>
--- a/public/scripts/user.js
+++ b/public/scripts/user.js
@ -364,7 +364,11 @@ async function deleteUser(handle, callback) {
 */
 async function resetSettings(handle, callback) {
    try {
        let password = '';
        const template = $(renderTemplate('resetSettings'));
        template.find('input[name="password"]').on('input', function () {
            password = String($(this).val());
        });
        const result = await callGenericPopup(template, POPUP_TYPE.CONFIRM, '', { okButton: 'Reset', cancelButton: 'Cancel', wide: false, large: false });
        if (result !== POPUP_RESULT.AFFIRMATIVE) {
@ -374,7 +378,7 @@ async function resetSettings(handle, callback) {
        const response = await fetch('/api/users/reset-settings', {
            method: 'POST',
            headers: getRequestHeaders(),
-            body: JSON.stringify({ handle }),
+            body: JSON.stringify({ handle, password }),
        });
        if (!response.ok) {
--- a/src/endpoints/users-admin.js
+++ b/src/endpoints/users-admin.js
@ -157,7 +157,7 @@ router.post('/create', requireAdminMiddleware, jsonParser, async (request, respo
        }
        const handles = await getAllUserHandles();
-        const handle = slugify(request.body.handle, { lower: true, trim: true, remove: /[^a-z0-9-]/g });
+        const handle = slugify(String(request.body.handle).toLowerCase(), { lower: true, trim: true, remove: /[^a-z0-9-]/g });
        if (!handle) {
            console.log('Create user failed: Invalid handle');
--- a/src/endpoints/users-private.js
+++ b/src/endpoints/users-private.js
@ -117,6 +117,13 @@ router.post('/backup', jsonParser, async (request, response) => {
 router.post('/reset-settings', jsonParser, async (request, response) => {
    try {
        const password = request.body.password;
        if (request.user.profile.password && request.user.profile.password !== getPasswordHash(password, request.user.profile.salt)) {
            console.log('Reset settings failed: Incorrect password');
            return response.status(401).json({ error: 'Incorrect password' });
        }
        const pathToFile = path.join(request.user.directories.root, SETTINGS_FILE);
        await fsPromises.rm(pathToFile, { force: true });
        await contentManager.checkForNewContent([request.user.directories], [contentManager.CONTENT_TYPES.SETTINGS]);