From 54eb886e5e6942401d541c5796a967357972fcac Mon Sep 17 00:00:00 2001
From: hongming
Date: Wed, 12 Feb 2020 16:43:15 +0800
Subject: [PATCH] fix: verify old password if it's defined

Signed-off-by: hongming
---
 pkg/apiserver/iam/im.go | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/pkg/apiserver/iam/im.go b/pkg/apiserver/iam/im.go
index d7ecb7e06..f7bea7ed7 100644
--- a/pkg/apiserver/iam/im.go
+++ b/pkg/apiserver/iam/im.go
@@ -150,14 +150,21 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
-	if !isUserManager {
-		_, err = iam.Login(usernameInHeader, user.CurrentPassword, "")
-	}
-	if err != nil {
-		err = fmt.Errorf("incorrect current password")
-		klog.Info(err)
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
-		return
+
+	// user manager can modify password without verify old password
+	// if the old password is defined must be verified
+	if !isUserManager || user.CurrentPassword != "" {
+		if _, err = iam.Login(usernameInHeader, user.CurrentPassword, ""); err != nil {
+			if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
+				err = fmt.Errorf("incorrect current password")
+				klog.V(4).Info(err)
+				resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
+			} else {
+				klog.Errorln(err)
+				resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
+			}
+			return
+		}
 	}
 }
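Review bot: A non-manager who omits CurrentPassword still reaches `iam.Login(usernameInHeader, "", "")`, so the check relies on the backend refusing an empty password — and an LDAP bind with an empty password is an unauthenticated bind that some directories accept rather than reject with InvalidCredentials. Reject the empty value in the handler before calling Login, e.g. `if user.CurrentPassword == "" { resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("incorrect current password"))); return }` placed as the first statement inside the new outer `if`; whether iam.Login itself guards against this is not visible here. The new `else` branch also returns the raw wrapped error with a 500, which exposes directory-side error text to the caller where the old code returned a fixed message; consider logging `err` and writing a generic message instead. Lowering the failed-verification log from `klog.Info` to `klog.V(4).Info` removes a useful authentication-failure signal from default logs, so keeping it at the default verbosity is preferable. UpdateUser's body starts outside the hunk.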