From f1b0bce6b6c1438e61ff90b948fc2c6686a7854d Mon Sep 17 00:00:00 2001
From: cKey <35512826+colinin@users.noreply.github.com>
Date: Sun, 3 Jul 2022 10:24:12 +0800
Subject: [PATCH] fix: check external login user before changing the password

---
 .../LINGYUN/Abp/Account/AccountAppService.cs | 15 +++++++++++++--
 .../Abp/Identity/IdentityUserAppService.cs | 16 ++++++++++++++--
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/aspnet-core/modules/account/LINGYUN.Abp.Account.Application/LINGYUN/Abp/Account/AccountAppService.cs b/aspnet-core/modules/account/LINGYUN.Abp.Account.Application/LINGYUN/Abp/Account/AccountAppService.cs
index 897dec411..5b0483eff 100644
--- a/aspnet-core/modules/account/LINGYUN.Abp.Account.Application/LINGYUN/Abp/Account/AccountAppService.cs
+++ b/aspnet-core/modules/account/LINGYUN.Abp.Account.Application/LINGYUN/Abp/Account/AccountAppService.cs
@@ -205,11 +205,17 @@ namespace LINGYUN.Abp.Account
              * 验证通过后,再利用 UserManager.GeneratePasswordResetTokenAsync 接口来生成真正的用于重置密码的Token
              */
+            // 传递 isConfirmed 用户必须是已确认过手机号的
+            var user = await GetUserByPhoneNumberAsync(input.PhoneNumber, isConfirmed: true);
+            // 外部认证用户不允许修改密码
+            if (user.IsExternal)
+            {
+                throw new BusinessException(code: Volo.Abp.Identity.IdentityErrorCodes.ExternalUserPasswordChange);
+            }
+
             var securityTokenCacheKey = SmsSecurityTokenCacheItem.CalculateCacheKey(input.PhoneNumber, "SmsVerifyCode");
             var securityTokenCacheItem = await SecurityTokenCache.GetAsync(securityTokenCacheKey);
             var interval = await SettingProvider.GetAsync(IdentitySettingNames.User.SmsRepetInterval, 1);
-            // 传递 isConfirmed 用户必须是已确认过手机号的
-            var user = await GetUserByPhoneNumberAsync(input.PhoneNumber, isConfirmed: true);
             // 能查询到缓存就是重复发送
             if (securityTokenCacheItem != null)
             {
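Review bot: The relocated `IsExternal` guard now throws `ExternalUserPasswordChange` before the repeat-send interval check, on what looks like an unauthenticated send-code endpoint, so anyone who knows a confirmed phone number learns that the account is an external-login account without ever receiving a code. If `GetUserByPhoneNumberAsync` already distinguishes not-found and unconfirmed numbers (its body is outside the hunk), this adds a third distinguishable answer to the same enumeration surface; the safer shape is to log the refusal and return without sending, keeping the response identical to the success path. The identical five-line guard is pasted again in the hunk at +248 and in IdentityUserAppService at +111, which is worth a shared helper if the two services have a common base. A short comment such as `// resolve the user first so external accounts are refused before any SMS bookkeeping` would make the deliberate reorder readable, since the diff otherwise looks like an unrelated move. The enclosing method begins and ends outside the hunk.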
@@ -242,6 +248,11 @@ namespace LINGYUN.Abp.Account
             await IdentityOptions.SetAsync();
             // 传递 isConfirmed 用户必须是已确认过手机号的
             var user = await GetUserByPhoneNumberAsync(input.PhoneNumber, isConfirmed: true);
+            // 外部认证用户不允许修改密码
+            if (user.IsExternal)
+            {
+                throw new BusinessException(code: Volo.Abp.Identity.IdentityErrorCodes.ExternalUserPasswordChange);
+            }
             // 验证二次认证码
             if (!await UserManager.VerifyTwoFactorTokenAsync(user, TokenOptions.DefaultPhoneProvider, input.Code))
             {
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs
index d089541eb..4ad3cefe3 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs
@@ -111,9 +111,21 @@ namespace LINGYUN.Abp.Identity
         {
             var user = await GetUserAsync(id);
 
-            var token = await UserManager.GeneratePasswordResetTokenAsync(user);
+            if (user.IsExternal)
+            {
+                throw new BusinessException(code: Volo.Abp.Identity.IdentityErrorCodes.ExternalUserPasswordChange);
+            }
 
-            (await UserManager.ResetPasswordAsync(user, token, input.Password)).CheckErrors();
+            if (user.PasswordHash == null)
+            {
+                (await UserManager.AddPasswordAsync(user, input.Password)).CheckErrors();
+            }
+            else
+            {
+                var token = await UserManager.GeneratePasswordResetTokenAsync(user);
+
+                (await UserManager.ResetPasswordAsync(user, token, input.Password)).CheckErrors();
+            }
 
             await CurrentUnitOfWork.SaveChangesAsync();
         }
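Review bot: The new `IsExternal` guard sits above `VerifyTwoFactorTokenAsync`, so a caller who has not proven possession of the phone — any code, or a wrong one — still receives `ExternalUserPasswordChange` and learns the account type. Place the guard after the code check instead, so the refusal is only ever shown to a caller holding a valid SMS code: keep the `VerifyTwoFactorTokenAsync` block first, then `if (user.IsExternal) { throw new BusinessException(code: Volo.Abp.Identity.IdentityErrorCodes.ExternalUserPasswordChange); }`. The enclosing method begins and ends outside the hunk.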
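Review bot: `user.PasswordHash == null` reads the stored hash directly to choose between `AddPasswordAsync` and the reset path; ASP.NET Core Identity exposes this decision as `if (!await UserManager.HasPasswordAsync(user))`, which keeps the check behind the store abstraction and matches how the rest of this hunk goes through UserManager. The `IsExternal` throw duplicates the guard added in both AccountAppService hunks of this commit. A one-line comment above the branch, e.g. `// no local password yet: add one; otherwise reset through a freshly generated token`, would explain why two different Identity APIs are needed here. The enclosing method begins outside the hunk.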