feat(api): admin can change password for any user

closes #503
2025-12-20 15:34:17 +01:00 · 2021-06-28 11:42:22 +08:00 · 2021-06-28 11:42:22 +08:00 · 30303a6df3
commit 30303a6df3
parent 2a19399347
2 changed files with 24 additions and 11 deletions
--- a/komga/src/main/kotlin/org/gotson/komga/domain/service/KomgaUserLifecycle.kt
+++ b/komga/src/main/kotlin/org/gotson/komga/domain/service/KomgaUserLifecycle.kt
@ -32,16 +32,12 @@ class KomgaUserLifecycle(
      KomgaPrincipal(it)
    } ?: throw UsernameNotFoundException(username)

-  fun updatePassword(user: UserDetails, newPassword: String, expireSessions: Boolean): UserDetails {
-    userRepository.findByEmailIgnoreCaseOrNull(user.username)?.let { komgaUser ->
-      logger.info { "Changing password for user ${user.username}" }
-      val updatedUser = komgaUser.copy(password = passwordEncoder.encode(newPassword))
-      userRepository.update(updatedUser)
+  fun updatePassword(user: KomgaUser, newPassword: String, expireSessions: Boolean) {
+    logger.info { "Changing password for user ${user.email}" }
+    val updatedUser = user.copy(password = passwordEncoder.encode(newPassword))
+    userRepository.update(updatedUser)

-      if (expireSessions) expireSessions(updatedUser)
-
-      return KomgaPrincipal(updatedUser)
-    } ?: throw UsernameNotFoundException(user.username)
+    if (expireSessions) expireSessions(updatedUser)
  }

  fun countUsers() = userRepository.count()
--- a/komga/src/main/kotlin/org/gotson/komga/interfaces/rest/UserController.kt
+++ b/komga/src/main/kotlin/org/gotson/komga/interfaces/rest/UserController.kt
@ -31,6 +31,7 @@ import org.springframework.http.HttpStatus
 import org.springframework.http.MediaType
 import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.security.core.annotation.AuthenticationPrincipal
+import org.springframework.security.core.userdetails.UsernameNotFoundException
 import org.springframework.web.bind.annotation.DeleteMapping
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PatchMapping
@ -64,12 +65,14 @@ class UserController(

  @PatchMapping("me/password")
  @ResponseStatus(HttpStatus.NO_CONTENT)
-  fun updatePassword(
+  fun updateMyPassword(
    @AuthenticationPrincipal principal: KomgaPrincipal,
    @Valid @RequestBody newPasswordDto: PasswordUpdateDto
  ) {
    if (demo) throw ResponseStatusException(HttpStatus.FORBIDDEN)
-    userLifecycle.updatePassword(principal, newPasswordDto.password, false)
+    userRepository.findByEmailIgnoreCaseOrNull(principal.username)?.let { user ->
+      userLifecycle.updatePassword(user, newPasswordDto.password, false)
+    } ?: throw UsernameNotFoundException(principal.username)
  }

  @GetMapping
@ -118,6 +121,20 @@ class UserController(
    } ?: throw ResponseStatusException(HttpStatus.NOT_FOUND)
  }

+  @PatchMapping("{id}/password")
+  @ResponseStatus(HttpStatus.NO_CONTENT)
+  @PreAuthorize("hasRole('$ROLE_ADMIN') or #principal.user.id == #id")
+  fun updatePassword(
+    @PathVariable id: String,
+    @AuthenticationPrincipal principal: KomgaPrincipal,
+    @Valid @RequestBody newPasswordDto: PasswordUpdateDto
+  ) {
+    if (demo) throw ResponseStatusException(HttpStatus.FORBIDDEN)
+    userRepository.findByIdOrNull(id)?.let { user ->
+      userLifecycle.updatePassword(user, newPasswordDto.password, user.id != principal.user.id)
+    } ?: throw UsernameNotFoundException(principal.username)
+  }
+
  @PatchMapping("{id}/shared-libraries")
  @ResponseStatus(HttpStatus.NO_CONTENT)
  @PreAuthorize("hasRole('$ROLE_ADMIN')")