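/**
 * Changes the password of a user.
 *
 * Two paths are supported:
 *  - Force reset: a caller presenting the shared permission key, or a
 *    system admin, supplies `username` and resets that user's password
 *    without knowing the old one. If no `password` is supplied on this
 *    path, `$hashedPassword` stays null and the stored password is
 *    cleared (this mirrors the original behaviour; confirm it is intended).
 *  - Self service: the authenticated user changes their own password and
 *    must prove `old_password` when a password is currently set.
 *
 * @param Request $r
 * @return array
 * @throws ForbiddenAccessException when OMEGAUP_LOCKDOWN is active
 * @throws NotFoundException when the target username does not exist
 * @throws InvalidParameterException when the supplied old password is wrong
 * @throws InvalidDatabaseOperationException when the user lookup fails
 */
public static function apiChangePassword(Request $r) {
    if (OMEGAUP_LOCKDOWN) {
        throw new ForbiddenAccessException('lockdown');
    }

    self::authenticateRequest($r);

    // The permission key is a shared secret. It is compared with hash_equals()
    // instead of == so that loose comparison (numeric-looking strings) cannot
    // produce a false match and so the comparison is constant-time.
    $hasPermissionKey = !is_null(self::$permissionKey)
        && isset($r['permission_key'])
        && is_string($r['permission_key'])
        && hash_equals((string)self::$permissionKey, $r['permission_key']);

    $hashedPassword = null;
    if (isset($r['username'])
        && ($hasPermissionKey || Authorization::IsSystemAdmin($r['current_user_id']))
    ) {
        // Force-reset path: a permission-key holder or a system admin may
        // reset the password of any user identified by username.
        Validators::isStringNonEmpty($r['username'], 'username');

        try {
            $user = UsersDAO::FindByUsername($r['username']);
        } catch (Exception $e) {
            throw new InvalidDatabaseOperationException($e);
        }
        // Raised outside the try block so the not-found case is reported as
        // such instead of being re-wrapped as a database error.
        if (is_null($user)) {
            throw new NotFoundException('userNotExist');
        }

        if (isset($r['password']) && $r['password'] !== '') {
            SecurityTools::testStrongPassword($r['password']);
            $hashedPassword = SecurityTools::hashString($r['password']);
        }
        // Otherwise $hashedPassword remains null and the password is cleared
        // by setPassword() below.
    } else {
        // Self-service path: the authenticated user changes their own password.
        $user = $r['current_user'];

        // Loose comparison kept on purpose: an empty stored password is also
        // treated as "no password set" and skips the old-password check.
        if ($user->getPassword() != null) {
            Validators::isStringNonEmpty($r['old_password'], 'old_password');
            $oldPasswordValid = SecurityTools::compareHashedStrings(
                $r['old_password'],
                $user->getPassword()
            );
            if ($oldPasswordValid === false) {
                throw new InvalidParameterException('parameterInvalid', 'old_password');
            }
        }

        SecurityTools::testStrongPassword($r['password']);
        $hashedPassword = SecurityTools::hashString($r['password']);
    }

    $user->setPassword($hashedPassword);
    UsersDAO::save($user);

    return array('status' => 'ok');
}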