From fb79fea0eae02f25ec022acb0cc5a4bd56f613b5 Mon Sep 17 00:00:00 2001 From: Nils Rauch Date: Thu, 24 Jun 2021 14:23:24 +0200 Subject: [PATCH 1/5] Search by favourite, refs: #458 --- app/presenters/filtered_list.rb | 1 + app/presenters/teams/filtered_list.rb | 14 ++++++++------ frontend/app/routes/teams/index.js | 1 + 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/app/presenters/filtered_list.rb b/app/presenters/filtered_list.rb index ce1cd2aef..92b3a2b62 100644 --- a/app/presenters/filtered_list.rb +++ b/app/presenters/filtered_list.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true class FilteredList + include ParamConverters def initialize(current_user, params) @current_user = current_user diff --git a/app/presenters/teams/filtered_list.rb b/app/presenters/teams/filtered_list.rb index 18a0eb3fe..378b2d387 100644 --- a/app/presenters/teams/filtered_list.rb +++ b/app/presenters/teams/filtered_list.rb @@ -4,12 +4,14 @@ module ::Teams class FilteredList < ::FilteredList def fetch_entries - return filter_by_query if query_present? - return filter_by_id if team_id.present? - return filter_by_favourite if favourite.present? - return filter_by_last_teammember if only_teammember_user.present? + filtered_teams = teams - teams + filtered_teams = filter_by_favourite if favourite.present? && true?(favourite) + filtered_teams = filter_by_query(filtered_teams) if query_present? + filtered_teams = filter_by_id if team_id.present? + filtered_teams = filter_by_last_teammember if only_teammember_user.present? + + filtered_teams end private @@ -44,7 +46,7 @@ def limit @params[:limit] end - def filter_by_query + def filter_by_query(teams) teams.includes(:folders, folders: [:accounts]).where( 'lower(accounts.description) LIKE :query OR lower(accounts.accountname) LIKE :query diff --git a/frontend/app/routes/teams/index.js b/frontend/app/routes/teams/index.js index 23b7461e9..fc3cf4b68 100644 --- a/frontend/app/routes/teams/index.js 
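Review bot: In `Teams::FilteredList#fetch_entries`, only `filter_by_query` receives the accumulated `filtered_teams`; `filter_by_id` and `filter_by_last_teammember` are still called without an argument, so when `team_id` or `only_teammember_user` is present their result replaces the favourite and query filtering built on the lines before. With the old early returns the query filter had precedence; now the last matching parameter wins. If the filters are meant to combine, pass the relation through every step, e.g. `filtered_teams = filter_by_id(filtered_teams) if team_id.present?`. If they are meant to stay exclusive, keep the early returns and document the precedence in a comment above the method. The bodies of `filter_by_id`, `filter_by_favourite` and `filter_by_last_teammember` are outside this hunk, so their starting scope should be checked there.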
+++ b/frontend/app/routes/teams/index.js @@ -25,6 +25,7 @@ export default class TeamsIndexRoute extends BaseRoute { model(params) { params["limit"] = 10; + params["favourite"] = this.navService.isShowingFavourites; return this.store.query("team", params); } } From 42b33dfafea164b99fc6b4f1cb8d52bd18ea82ba Mon Sep 17 00:00:00 2001 From: Nils Rauch Date: Fri, 25 Jun 2021 13:59:57 +0200 Subject: [PATCH 2/5] Adjust placeholder for searchbar if searching in favorites --- frontend/app/templates/components/nav-bar.hbs | 2 +- frontend/translations/ch_be.yml | 4 +++- frontend/translations/de.yml | 4 +++- frontend/translations/en.yml | 4 +++- frontend/translations/fr.yml | 4 +++- 5 files changed, 13 insertions(+), 5 deletions(-) diff --git a/frontend/app/templates/components/nav-bar.hbs b/frontend/app/templates/components/nav-bar.hbs index 1ee438606..f7aaf9f16 100644 --- a/frontend/app/templates/components/nav-bar.hbs +++ b/frontend/app/templates/components/nav-bar.hbs @@ -20,7 +20,7 @@
+{{/if}} + +{{#if this.isEditing}} + +{{/if}} diff --git a/frontend/app/templates/profile.hbs b/frontend/app/templates/profile.hbs index 1af4c837d..f631eeac1 100644 --- a/frontend/app/templates/profile.hbs +++ b/frontend/app/templates/profile.hbs @@ -1,6 +1,12 @@
-

{{t "profile.index.title"}}

- +
+
+

{{t "profile.index.title"}}

+
+
+ +
+
diff --git a/frontend/app/validations/user-human/passwordEdit.js b/frontend/app/validations/user-human/passwordEdit.js
new file mode 100644
index 000000000..e4f43d279
--- /dev/null
+++ b/frontend/app/validations/user-human/passwordEdit.js
@@ -0,0 +1,13 @@
+import {
+ validatePresence,
+ validateConfirmation
+} from "ember-changeset-validations/validators";
+
+export default {
+ oldPassword: [validatePresence(true)],
+ newPassword1: [validatePresence(true)],
+ newPassword2: [
+ validatePresence(true),
+ validateConfirmation({ on: "newPassword1" })
+ ]
+};
diff --git a/frontend/tests/integration/components/profile/password-update-test.js b/frontend/tests/integration/components/profile/password-update-test.js
new file mode 100644
index 000000000..96d14aa39
--- /dev/null
+++ b/frontend/tests/integration/components/profile/password-update-test.js
@@ -0,0 +1,38 @@
+import { module, test } from "qunit";
+import { setupRenderingTest } from "ember-qunit";
+import { render } from "@ember/test-helpers";
+import { hbs } from "ember-cli-htmlbars";
+import { setLocale } from "ember-intl/test-support";
+import ENV from "../../../../config/environment";
+
+module("Integration | Component | profile/password-update", function (hooks) {
+ setupRenderingTest(hooks);
+
+ hooks.beforeEach(function () {
+ setLocale("en");
+ });
+
+ test("it renders for user with db as auth provider", async function (assert) {
+ let tempUserAuth = ENV.currentUserAuth;
+ ENV.currentUserAuth = "db";
+
+ await render(hbs``);
+
+ const text = this.element.textContent.trim();
+ assert.ok(text.includes("Manage password"));
+
+ ENV.currentUserAuth = tempUserAuth;
+ });
+
+ test("it does not render for user with ldap or oidc auth provider", async function (assert) {
+ let tempUserAuth = ENV.currentUserAuth;
+ ENV.currentUserAuth = "oidc";
+
+ await render(hbs``);
+
+ const text = this.element.textContent.trim();
+ assert.notOk(text.includes("Manage password"));
+
+ ENV.currentUserAuth = tempUserAuth;
+ });
+});
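Review bot: The changeset rules in `frontend/app/validations/user-human/passwordEdit.js` check only presence and confirmation, so a one-character new password, or one identical to `oldPassword`, passes client-side validation. The translation files in this patch already carry a `weak_password` message, so a length rule would fit here, e.g. `newPassword1: [validatePresence(true), validateLength({ min: MIN_PASSWORD_LENGTH })]` with `validateLength` added to the import (`MIN_PASSWORD_LENGTH` is a placeholder for the project's policy value). These rules are a convenience for the user only; the password endpoint has to enforce the same checks itself, because the form can be bypassed.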
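Review bot: Both tests in `password-update-test.js` overwrite the shared `ENV.currentUserAuth` and restore it only on the last line of the test body, so a rejected `render` or any thrown error leaves the override in place for every test that runs afterwards. Save and restore the value in hooks instead: `hooks.beforeEach(function () { this.originalAuth = ENV.currentUserAuth; });` and `hooks.afterEach(function () { ENV.currentUserAuth = this.originalAuth; });`. The second test is titled "ldap or oidc" but only sets `"oidc"`; add an `"ldap"` case or narrow the title so the auth-provider gate is covered for both.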
diff --git a/frontend/translations/ch_be.yml b/frontend/translations/ch_be.yml index e02624654..136708830 100644 --- a/frontend/translations/ch_be.yml +++ b/frontend/translations/ch_be.yml @@ -413,6 +413,11 @@ ch_be: succeed: D Wartigsufgab isch erfougrich düregfüehrt worde failed: D Wartigsufgab isch gschiteret. Lueg i de Logs für me Details nache. + profile: + changePassword: + success: Ds Passwort isch erfougrich gänderet worde. + new_passwords_not_equal: Di nöie Passwörter si nid glich. + user-humen: created: Dr nöi Benutzer isch erfougrich ersteut worde. updated: Dr Benutzer isch erfougrich aktualisiert worde. @@ -448,7 +453,6 @@ ch_be: auth_failed: Irgendöppis vo dine Logindate isch fautsch only_local: Nume lokali Benutzer dörfe ires Passwort ändere. new_password_set: Ds nöie Passwort isch erfougrich gsetzt worde. - new_passwords_not_equal: Di nöie Passwörter si nid glich. not_local: Du bisch ke lokale Benutzer! locked: Dr Benutzer isch momentan gsperrt. Bitte probiers speter nomau oder kontaktier dr Administrator. weak_password: Um d Sicherheit z verbessere, söttisch es komplizierteres Passwort wähle @@ -476,6 +480,12 @@ ch_be: givenname: Vorname surname: Nachname submit: Ersteue + managePassword: Passwortverwautig + updatePassword: Ds Passwort ernöiere + oldPassword: "Ds aute Passwort:" + newPassword1: "Ds nöie Passwort:" + newPassword2: "Ds nöie Passwort bestätige:" + wrongPassword: Fautsches passwort account: account: Account account_name: Accountname @@ -615,3 +625,10 @@ ch_be: present: Dr Vorname muess vorhande si password: present: Ds Passwort muess vorhande si + "old password": + present: Ds aktuelle Passwort ihgäh + "new password1": + present: Ds nöie Passwort ihgäh + "new password2": + present: Ds nöie Passwort bestätige + confirmation: Di nöie Passwörter stimme nid überiih diff --git a/frontend/translations/de.yml b/frontend/translations/de.yml index 04ae87ed6..81835ebac 100644 --- a/frontend/translations/de.yml +++ b/frontend/translations/de.yml 
@@ -393,6 +393,11 @@ de: ldap_connection: failed: Kein konfigurierter Ldap-Server konnte erreicht werden. + profile: + changePassword: + success: Das Passwort wurde erfolgreich geändert. + new_passwords_not_equal: Die neuen Passwörter sind nicht gleich. + user-humen: created: Der neue Benutzer wurde erfolgreich erstellt. updated: Der Benutzer wurde erfolgreich aktualisiert. @@ -428,7 +433,6 @@ de: auth_failed: Ungültiger Benutzername / Passwort. only_local: Nur lokale Benutzer dürfen ihr Passwort ändern. new_password_set: Das neue Passwort wurde erfolgreich gesetzt. - new_passwords_not_equal: Die neuen Passwörter sind nicht gleich. not_local: Sie sind kein lokaler Benutzer! locked: Der Benutzer ist momentan gesperrt. Bitte versuchen Sie es später nocheinmal oder kontaktiern Sie den Administrator. weak_password: Um die Sicherheit zu verbessern, sollten Sie ein komplexeres Passwort wählen @@ -457,6 +461,12 @@ de: givenname: Vorname surname: Nachname submit: Erstellen + managePassword: Passwort verwalten + updatePassword: Passwort erneuern + oldPassword: "Altes Passwort:" + newPassword1: "Neues Passwort:" + newPassword2: "Neues Passwort bestätigen:" + wrongPassword: Falsches Passwort account: account: Account account_name: Accountname @@ -603,3 +613,10 @@ de: present: Der Vorname muss vorhanden sein password: present: Das Passwort muss vorhanden sein + "old password": + present: Aktuelles Passwort eingeben + "new password1": + present: Neues Passwort eingeben + "new password2": + present: Neues Passwort bestätigen + confirmation: Die Passwörter stimmen nicht überein diff --git a/frontend/translations/en.yml b/frontend/translations/en.yml index 1a7b701fd..a51a025ca 100644 --- a/frontend/translations/en.yml +++ b/frontend/translations/en.yml 
@@ -391,6 +391,11 @@ en: failed: Task failed. See logs for more information. ldap_connection: failed: No configured Ldap Server could be reached. + + profile: + changePassword: + success: Successfully changed password. + new_passwords_not_equal: New passwords not equal user-humen: created: Successfully created a new user. @@ -429,7 +434,6 @@ en: auth_failed: Authentication failed! Enter a correct username and password. only_local: Only local users are allowed to change their password. new_password_set: You successfully set the new password - new_passwords_not_equal: New passwords not equal wrong_password: Invalid user / password wrong_root: Login as root only from private IP accessible not_local: You are not a local user! @@ -500,8 +504,16 @@ en: user: username: Username password: Password + admin: Admin givenname: Given name surname: Surname + submit: Submit + managePassword: Manage password + updatePassword: Update password + oldPassword: "Enter old password:" + newPassword1: "Enter new password:" + newPassword2: "Confirm new password:" + wrongPassword: Wrong password account: account_name: Accountname team: @@ -537,3 +549,10 @@ en: present: Givenname must be present password: present: Password must be present + "old password": + present: Please enter current password + "new password1": + present: Please enter new password + "new password2": + present: Please confirm new password + confirmation: New passwords don't match diff --git a/frontend/translations/fr.yml b/frontend/translations/fr.yml index 5f35e8e06..a8ff78931 100644 --- a/frontend/translations/fr.yml +++ b/frontend/translations/fr.yml @@ -394,6 +394,11 @@ fr: ldap_connection: failed: Aucunt serveur LDAP configuré n'a pu être atteint. + profile: + changePassword: + success: Le mot de passe a été modifié avec succès. + new_passwords_not_equal: Nouveaux mots de passe n'est pas égal. + user-humen: created: Utilisateur créé avec succès. updated: Utilisateur modifiée avec succès. 
@@ -429,7 +434,6 @@ fr: auth_failed: L'authentification a échoué! Saisissez un nom d'utilisateur et mot de passe. only_local: Only local users are allowed to change their password. new_password_set: Vous mis à jour avec succès le nouveau mot de passe. - new_passwords_not_equal: Nouveaux mots de passe n'est pas égal. wrong_password: Mot de passe incorrect. weak_password: Pour améliorer la sécurité vous devez déterminer un mot de passe utilisateur plus complexe. not_local: Vous n'êtes pas un utilisateur local! @@ -459,6 +463,13 @@ fr: admin: Admin givenname: Prénom surname: Nom de famille + submit: Soumettre + managePassword: Gérer le mot de passe + updatePassword: Changer le mot de passe + oldPassword: "Entrez le mot de passe actuel:" + newPassword1: "Entrez un nouveau mot de passe:" + newPassword2: "Confirmer le nouveau mot de passe:" + wrongPassword: Mauvais mot de passe account: account: Compte account_name: Nom du compte @@ -606,3 +617,10 @@ fr: present: Le prénom doit être présent password: present: Le mot de passe doit être présent + "old password": + present: Entrer le mot de passe actuel + "new password1": + present: Entrer le nouveau mot de passe + "new password2": + present: Confirmer le nouveau mot de passe + confirmation: Les mots de passe ne correspondent pas diff --git a/spec/controllers/api/profile/password_controller_spec.rb b/spec/controllers/api/profile/password_controller_spec.rb new file mode 100644 index 000000000..eec731069 --- /dev/null +++ b/spec/controllers/api/profile/password_controller_spec.rb 
@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Api::Profile::PasswordController do
+ include ControllerHelpers
+
+ let(:api_user) { users(:alice).api_users.create! }
+
+ context 'POST update_password' do
+ it 'updates password' do
+ login_as(:bob)
+ password_params = {
+ data: {
+ attributes: { old_password: 'password',
+ new_password1: 'test',
+ new_password2: 'test' }
+ }
+ }
+ patch :update, params: password_params
+
+ expect(json['info']).to include('flashes.profile.changePassword.success')
+ expect(users(:bob).authenticate_db('test')).to eq true
+ end
+
+ it 'updates password, error if oldpassword not match' do
+ login_as(:bob)
+ password_params = {
+ data: {
+ attributes: { old_password: 'wrong_password',
+ new_password1: 'test',
+ new_password2: 'test' }
+ }
+ }
+ patch :update, params: password_params
+
+ expect(json['errors']).to include('helpers.label.user.wrongPassword')
+ expect(users(:bob).authenticate_db('test')).to be false
+ end
+
+ it 'updates password, error if new passwords not match' do
+ login_as(:bob)
+ password_params = {
+ data: {
+ attributes: { old_password: 'password',
+ new_password1: 'test',
+ new_password2: 'wrong_password' }
+ }
+ }
+ patch :update, params: password_params
+
+ expect(json['errors']).to include('flashes.profile.changePassword.new_passwords_not_equal')
+ expect(users(:bob).authenticate_db('test')).to eq false
+ end
+
+ it 'returns unauthorized if ldap user tries to update password' do
+ users(:bob).update!(auth: 'ldap')
+ login_as(:bob)
+ password_params = {
+ data: {
+ attributes: { old_password: 'password',
+ new_password1: 'test',
+ new_password2: 'test' }
+ }
+ }
+ patch :update, params: password_params
+
+ expect(response).to have_http_status(403)
+ end
+
+ it 'returns unauthorized if oidc user tries to update password' do
+ users(:bob).update!(auth: 'oidc')
+ login_as(:bob)
+ password_params = {
+ data: {
+ attributes: { old_password: 'password',
+ new_password1: 'test',
+ new_password2: 'test' }
+ }
+ }
+ patch :update, params: password_params
+
+ expect(response).to have_http_status(403)
+ end
+
+ it 'returns unauthorized if api user tries to update password' do
+ login_as_api_user
+ password_params = {
+ data: {
+ attributes: { old_password: api_user_token,
+ new_password1: 'test',
+ new_password2: 'test' }
+ }
+ }
+ patch :update, params: password_params
+
+ expect(response).to have_http_status(403)
+ end
+ end
+
+ private
+
+ def login_as_api_user
+ api_user.update!(valid_until: Time.zone.now + 5.minutes)
+ request.headers['Authorization-User'] = api_user.username
+ request.headers['Authorization-Password'] = api_user_token
+ end
+
+ def api_user_token
+ private_key = users(:alice).decrypt_private_key('password')
+ decrypted_token = api_user.send(:decrypt_token, private_key)
+ Base64.encode64(decrypted_token)
+ end
+end
diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb
index f1708165c..e311d4bd6 100644
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
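Review bot: The new `spec/controllers/api/profile/password_controller_spec.rb` has no example for a request without a session, while the `session_policy_spec` examples deleted in this patch (`refute_permit nil, :session, :update_password?`) covered exactly that case. Add an example that calls `patch :update` without `login_as` and asserts that the request is rejected and the password is unchanged, unless a policy spec outside this view already does so. The three examples titled 'returns unauthorized' assert `have_http_status(403)`, which is Forbidden, so the titles should say "forbidden". They also do not assert that the password stayed the same, e.g. `expect(users(:bob).authenticate_db('test')).to eq false`. The success example accepts `'test'` as the new password; if the endpoint is meant to apply the `weak_password` rule, a rejection example for a weak password is missing as well.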
@@ -5,37 +5,6 @@ describe SessionController do include ControllerHelpers - context 'GET show_update_password' do - it 'does not authorize previously authorized source ip' do - source_ip = '102.20.2.1' - expect_any_instance_of(Authentication::SourceIpChecker) - .to receive(:ip_authorized?) - .and_return(true) - expect_any_instance_of(ActionController::TestRequest) - .to receive(:remote_ip) - .exactly(3).times - .and_return(source_ip) - session[:authorized_ip] = source_ip - session[:user_id] = users(:bob).id - session[:private_key] = 'fookey' - - expect_any_instance_of(Authentication::SourceIpChecker).to receive(:previously_authorized?) - expect_any_instance_of(Authentication::SourceIpChecker).to receive(:ip_authorized?).never - - get :show_update_password - - expect(response).to have_http_status(200) - end - - it 'redirects if ldap user tries to access update password site' do - users(:bob).update!(auth: 'ldap') - login_as(:bob) - get :show_update_password - - expect(response).to redirect_to root_path - end - end - context 'GET new' do it 'should show 401 if ip address is unauthorized' do 
@@ -144,49 +113,4 @@ post :create, params: { password: 'password', username: 'bob' } end end - - context 'POST update_password' do - it 'updates password' do - login_as(:bob) - post :update_password, params: { old_password: 'password', new_password1: 'test', - new_password2: 'test' } - - expect(flash[:notice]).to match(/new password/) - expect(users(:bob).authenticate_db('test')).to eq true - end - - it 'updates password, error if oldpassword not match' do - login_as(:bob) - post :update_password, params: { old_password: 'wrong_password', new_password1: 'test', - new_password2: 'test' } - - expect(flash[:error]).to match(/Invalid user \/ password/) - expect(users(:bob).authenticate_db('test')).to be false - end - - it 'updates password, error if new passwords not match' do - login_as(:bob) - post :update_password, params: { old_password: 'password', new_password1: 'test', - new_password2: 'wrong_password' } - - expect(flash[:error]).to match(/New passwords not equal/) - expect(users(:bob).authenticate_db('test')).to eq false - end - - it 'redirects if ldap user tries to update password' do - users(:bob).update!(auth: 'ldap') - login_as(:bob) - post :update_password, params: { old_password: 'password', new_password1: 'test', - new_password2: 'test' } - expect(response).to redirect_to root_path - end - - it 'redirects if oidc user tries to update password' do - users(:bob).update!(auth: 'oidc') - login_as(:bob) - post :update_password, params: { old_password: 'password', new_password1: 'test', - new_password2: 'test' } - expect(response).to redirect_to root_path - end - end end diff --git a/spec/policies/session_policy_spec.rb b/spec/policies/session_policy_spec.rb index 507a7ffd6..14d394ffd 100644 --- a/spec/policies/session_policy_spec.rb +++ b/spec/policies/session_policy_spec.rb 
@@ -17,18 +17,6 @@ it 'may not logout' do refute_permit nil, :session, :destroy? end - - it 'may not change locale' do - refute_permit nil, :session, :changelocale? - end - - it 'may not update password' do - refute_permit nil, :session, :update_password? - end - - it 'may not show update password form' do - refute_permit nil, :session, :show_update_password? - end end context 'already logged in user' do @@ -43,29 +31,5 @@ it 'may logout' do assert_permit bob, :session, :destroy? end - - it 'may change locale' do - assert_permit bob, :session, :changelocale? - end - - it 'may update password' do - assert_permit bob, :session, :update_password? - end - - it 'may show update password form' do - assert_permit bob, :session, :show_update_password? - end - end - - context 'ldap user' do - it 'may not change password' do - bob.update!(auth: 'ldap') - refute_permit bob, :session, :update_password? - end - - it 'may not show change password form' do - bob.update!(auth: 'ldap') - refute_permit bob, :session, :show_update_password? - end end end From 547fc560b1889c8b4ca1ba6977ba1d6d331ac27b Mon Sep 17 00:00:00 2001 From: e517589 Date: Mon, 28 Jun 2021 13:48:53 +0200 Subject: [PATCH 4/5] Hide side nav bar on profile, refs: #456 --- frontend/app/services/nav-service.js | 6 +- frontend/app/templates/admin.hbs | 6 +- .../app/templates/components/index-button.hbs | 5 ++ frontend/app/templates/profile.hbs | 62 ++++++++++--------- 4 files changed, 43 insertions(+), 36 deletions(-) create mode 100644 frontend/app/templates/components/index-button.hbs diff --git a/frontend/app/services/nav-service.js b/frontend/app/services/nav-service.js index 64b91557f..f6480b34e 100644 --- a/frontend/app/services/nav-service.js +++ b/frontend/app/services/nav-service.js 
@@ -21,7 +21,11 @@ export default class NavService extends Service { } get showSideNavBar() { - const sideNavBarDisabledRoutes = ["admin.settings", "admin.users"]; + const sideNavBarDisabledRoutes = [ + "admin.settings", + "admin.users", + "profile" + ]; return !sideNavBarDisabledRoutes.includes(this.router.currentRouteName); } diff --git a/frontend/app/templates/admin.hbs b/frontend/app/templates/admin.hbs index 652d42b81..d5fb2fd26 100644 --- a/frontend/app/templates/admin.hbs +++ b/frontend/app/templates/admin.hbs @@ -1,8 +1,4 @@
- - - - - + {{outlet}}
diff --git a/frontend/app/templates/components/index-button.hbs b/frontend/app/templates/components/index-button.hbs new file mode 100644 index 000000000..825872bcb --- /dev/null +++ b/frontend/app/templates/components/index-button.hbs @@ -0,0 +1,5 @@ + + + + + diff --git a/frontend/app/templates/profile.hbs b/frontend/app/templates/profile.hbs index f631eeac1..df9051d84 100644 --- a/frontend/app/templates/profile.hbs +++ b/frontend/app/templates/profile.hbs @@ -1,34 +1,36 @@
-
-
-

{{t "profile.index.title"}}

-
-
- + +
+
+
+

{{t "profile.index.title"}}

+
+
+ +
+ + +
+ + + + + + + + + + + + +
{{t "profile.info.last_login_at"}} {{t "profile.info.last_login_from"}}
{{moment-format @model.info.lastLoginAt "DD.MM.YYYY hh:mm"}}{{@model.info.lastLoginFrom}}
+
+ +
+ +
+
+
- - - - - - - - - - - - - - - -
{{t "profile.info.last_login_at"}} {{t "profile.info.last_login_from"}}
{{moment-format @model.info.lastLoginAt "DD.MM.YYYY hh:mm"}}{{@model.info.lastLoginFrom}}
-
- - -
- -
-
-
From 9a4ed8fe34fd16f14ae73702bdf2283471701845 Mon Sep 17 00:00:00 2001 From: miosidler <78365253+miosidler@users.noreply.github.com> Date: Tue, 29 Jun 2021 09:50:42 +0200 Subject: [PATCH 5/5] Move created/last updated below account title (#476) --- frontend/app/templates/components/account/show.hbs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/frontend/app/templates/components/account/show.hbs b/frontend/app/templates/components/account/show.hbs index a564e8190..8312ac2a2 100644 --- a/frontend/app/templates/components/account/show.hbs +++ b/frontend/app/templates/components/account/show.hbs @@ -4,7 +4,7 @@ {{#if this.isFileEntryCreating}} {{/if}} -