From f885b33c56d8ffe7f3216dfd2a74ff5beebc62a8 Mon Sep 17 00:00:00 2001
From: Markus Klein <markus.klein@typo3.org>
Date: Fri, 21 Apr 2017 22:29:43 +0200
Subject: [PATCH] [BUGFIX] Do not ask for current password if admin

Hide the field for the current password, if the current user is
admin anyway. If the admin changes the password for someone else
he/she doesn't know the current password of this person anyway.

Besides that, a password can always be changed without providing
a current password by an admin using the BE users module.

Resolves: #80951
Releases: master, 8.7, 7.6
Change-Id: Ic9673197e651df5d1fe5886c4b6f6f76a303062f
Reviewed-on: https://review.typo3.org/52552
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
---
 .../Controller/SetupModuleController.php      | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
index 7db44131b2ae..70f9b18f905a 100644
--- a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
+++ b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
@@ -31,6 +31,7 @@ use TYPO3\CMS\Core\Messaging\FlashMessageService;
 use TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;
 
 /**
  * Script class for the Setup module
@@ -266,9 +267,14 @@ class SetupModuleController extends AbstractModule
                 }
                 // Update the password:
                 if ($passwordIsConfirmed) {
-                    $currentPasswordHashed = $GLOBALS['BE_USER']->user['password'];
-                    $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($currentPasswordHashed);
-                    if ($saltFactory->checkPassword($be_user_data['passwordCurrent'], $currentPasswordHashed)) {
+                    if ($this->isAdmin) {
+                        $passwordOk = true;
+                    } else {
+                        $currentPasswordHashed = $GLOBALS['BE_USER']->user['password'];
+                        $saltFactory = SaltFactory::getSaltingInstance($currentPasswordHashed);
+                        $passwordOk = $saltFactory->checkPassword($be_user_data['passwordCurrent'], $currentPasswordHashed);
+                    }
+                    if ($passwordOk) {
                         $this->passwordIsUpdated = self::PASSWORD_UPDATED;
                         $storeRec['be_users'][$beUserId]['password'] = $be_user_data['password'];
                     } else {
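Review bot: The `if ($this->isAdmin)` branch skips verification of the current password even when the admin is changing their own account's password, so anyone who gets hold of a live admin session (for example through a stolen cookie or an unattended browser) can set a new password without knowing the old one; the original check was the re-authentication step that limited that risk. The commit message's argument only covers editing another user's record, which is presumably the `$beUserId !== uid of BE_USER` case (the simulate-user scenario) where comparing against the admin's own hash was indeed wrong. Keeping the check for the self-edit case would be `if ($this->isAdmin && (int)$beUserId !== (int)$GLOBALS['BE_USER']->user['uid']) {` on the first added line, assuming `$beUserId` is the id of the record being edited as the assignment to `$storeRec['be_users'][$beUserId]` suggests. If that is adopted, the field removal in getFieldsFromShowItem needs the same condition so the field is not hidden while still required. The enclosing method starts and ends outside this hunk.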
@@ -895,6 +901,13 @@ class SetupModuleController extends AbstractModule
     protected function getFieldsFromShowItem()
     {
         $allowedFields = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_USER_SETTINGS']['showitem'], true);
+        // do not ask for current password if admin (unknown for other users and no security gain)
+        if ($this->isAdmin) {
+            $key = array_search('passwordCurrent', $allowedFields);
+            if ($key !== false) {
+                unset($allowedFields[$key]);
+            }
+        }
         if (!is_array($this->tsFieldConf)) {
             return $allowedFields;
         }
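Review bot: The `array_search('passwordCurrent', $allowedFields)` call uses loose comparison; since the values are strings from trimExplode it works today, but the file's own conventions (trimExplode is called with strict `true`) and TYPO3 coding guidelines favour the strict form, `$key = array_search('passwordCurrent', $allowedFields, true);`. Note also that this removal is keyed on `$this->isAdmin` alone, so if the password check in the save path ever distinguishes self-edit from editing another user, this condition must be kept in step or the field will be hidden while the value is still checked. getFieldsFromShowItem continues past the end of this hunk.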
-- 
GitLab