new: [API] exposed change_pw function to the API, fixes #4256

app/Controller/Component/RestResponseComponent.php

@@ -243,6 +243,10 @@ class RestResponseComponent extends Component
                 'description' => "POST a body and a subject in a JSON to send an e-mail through MISP to the user ID given in the URL",
                 'mandatory' => array('subject', 'body')
             ),
+            'change_pw' => array(
+                'description' => "POST a password via a JSON object containing the password key to reset the given user\'s password.",
+                'mandatory' => array('password')
+            ),
             'statistics' => array(
                 'description' => 'Simply GET the url endpoint to view the API output of the statistics API. Additional statistics are available via the following tab-options similar to the UI: data, orgs, users, tags, attributehistogram, sightings, attackMatrix',
                 'params' => array('tab'),

app/Controller/UsersController.php

@@ -173,37 +173,63 @@ class UsersController extends AppController
             'recursive' => -1
         ));
         if ($this->request->is('post') || $this->request->is('put')) {
+            if (!isset($this->request->data['User'])) {
+                $this->request->data = array('User' => $this->request->data);
+            }
             $abortPost = false;
             if (Configure::read('Security.require_password_confirmation')) {
                 if (!empty($this->request->data['User']['current_password'])) {
                     $hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
                     if (!$hashed) {
+                        $message = __('Invalid password. Please enter your current password to continue.');
+                        if ($this->_isRest()) {
+                            return $this->RestResponse->saveFailResponse('Users', 'change_pw', false, $message, $this->response->type());
+                        }
                         $abortPost = true;
-                        $this->Flash->error('Invalid password. Please enter your current password to continue.');
+                        $this->Flash->error($message);
                     }
                     unset($this->request->data['User']['current_password']);
-                } else {
+                } else if (!$this->_isRest()) {
+                    $message = __('Please enter your current password to continue.');
+                    if ($this->_isRest()) {
+                        return $this->RestResponse->saveFailResponse('Users', 'change_pw', false, $message, $this->response->type());
+                    }
                     $abortPost = true;
-                    $this->Flash->info('Please enter your current password to continue.');
+                    $this->Flash->info($message);
                 }
             }
             if (!$abortPost) {
                 // What fields should be saved (allowed to be saved)
                 $user['User']['change_pw'] = 0;
                 $user['User']['password'] = $this->request->data['User']['password'];
-                $user['User']['confirm_password'] = $this->request->data['User']['confirm_password'];
+                if ($this->_isRest()) {
+                    $user['User']['confirm_password'] = $this->request->data['User']['password'];
+                } else {
+                    $user['User']['confirm_password'] = $this->request->data['User']['confirm_password'];
+                }
                 $temp = $user['User']['password'];
                 // Save the data
                 if ($this->User->save($user)) {
-                    $this->Flash->success(__('Password Changed.'));
-                    $this->_refreshAuth();
+                    $message = __('Password Changed.');
                     $this->__extralog("change_pw");
+                    if ($this->_isRest()) {
+                        return $this->RestResponse->saveSuccessResponse('User', 'change_pw', false, $this->response->type(), $message);
+                    }
+                    $this->Flash->success($message);
+                    $this->_refreshAuth();
                     $this->redirect(array('action' => 'view', $id));
                 } else {
-                    $this->Flash->error(__('The password could not be updated. Make sure you meet the minimum password length / complexity requirements.'));
+                    $message = __('The password could not be updated. Make sure you meet the minimum password length / complexity requirements.');
+                    if ($this->_isRest()) {
+                        return $this->RestResponse->saveFailResponse('Users', 'change_pw', false, $message, $this->response->type());
+                    }
+                    $this->Flash->error($message);
                 }
             }
         }
+        if ($this->_isRest()) {
+            return $this->RestResponse->describe('Users', 'change_pw', false, $this->response->type());
+        }
         $this->loadModel('Server');
         $this->set('complexity', !empty(Configure::read('Security.password_policy_complexity')) ? Configure::read('Security.password_policy_complexity') : $this->Server->serverSettings['Security']['password_policy_complexity']['value']);
         $this->set('length', !empty(Configure::read('Security.password_policy_length')) ? Configure::read('Security.password_policy_length') : $this->Server->serverSettings['Security']['password_policy_length']['value']);
@@ -1256,7 +1282,7 @@ class UsersController extends AppController
         } elseif ($action == 'edit') {
             $description = "User (" . $this->User->id . "): " . $this->data['User']['email'];
         } elseif ($action == 'change_pw') {
-            $description = "User (" . $this->User->id . "): " . $this->data['User']['email'];
+            $description = "User (" . $this->User->id . "): " . $this->Auth->user('email');
             $fieldsResult = "Password changed.";
         }