/**
* Changes the password of a user
*
* @param Request $rfi
* @return array
* @throws ForbiddenAccessException
*/
public static function apiChangePassword(Request $r)
{
if (OMEGAUP_LOCKDOWN) {
throw new ForbiddenAccessException('lockdown');
}
self::authenticateRequest($r);
$hashedPassword = null;
if (isset($r['username']) && (!is_null(self::$permissionKey) && self::$permissionKey == $r['permission_key'] || Authorization::IsSystemAdmin($r['current_user_id']))) {
// System admin can force reset passwords for any user
Validators::isStringNonEmpty($r['username'], 'username');
try {
$user = UsersDAO::FindByUsername($r['username']);
if (is_null($user)) {
throw new NotFoundException('userNotExist');
}
} catch (Exception $e) {
throw new InvalidDatabaseOperationException($e);
}
if (isset($r['password']) && $r['password'] != '') {
SecurityTools::testStrongPassword($r['password']);
$hashedPassword = SecurityTools::hashString($r['password']);
}
} else {
$user = $r['current_user'];
if ($user->getPassword() != null) {
// Check the old password
Validators::isStringNonEmpty($r['old_password'], 'old_password');
$old_password_valid = SecurityTools::compareHashedStrings($r['old_password'], $user->getPassword());
if ($old_password_valid === false) {
throw new InvalidParameterException('parameterInvalid', 'old_password');
}
}
SecurityTools::testStrongPassword($r['password']);
$hashedPassword = SecurityTools::hashString($r['password']);
}
$user->setPassword($hashedPassword);
UsersDAO::save($user);
return array('status' => 'ok');
}
