Merge branch 'Support/2.6.X' into 'master'

Support/2.6.x

See merge request !474

CHANGELOG.md

 # CHANGELOG
 
+## Version 2.6.4
+
+- `Fixed` Correction faille de sécurité concernant le vol de compte via l'interface de login
+
 ## Version 2.6.3
 
 - `Fixed` Possiblité de verser en mode transactionnel via bordereau, avec des pièces de plus de 2Mo

VERSION.md

-2.6.3
\ No newline at end of file
+2.6.4
\ No newline at end of file

src/bundle/auth/Controller/userAuthentication.php

@@ -182,7 +182,13 @@ class userAuthentication
      */
     public function definePassword($userName, $oldPassword, $newPassword, $requestPath)
     {
-        if ($userAccount = $this->sdoFactory->read('auth/account', array('accountName' => $userName))) {
+        $tempToken = \laabs::getToken('TEMP-AUTH');
+
+        if ($this->sdoFactory->exists('auth/account', array('accountName' => $userName))
+            && $userAccount = $this->sdoFactory->read('auth/account', array('accountName' => $userName))
+            && !is_null($tempToken)
+            && $tempToken->accountId == $userAccount->accountId) {
+
             $this->checkPasswordPolicies($newPassword);
 
             $encryptedPassword = $newPassword;

src/presentation/maarchRM/Presenter/auth/authentication.php

@@ -116,7 +116,12 @@ class authentication
     public function definePassword($requestPath)
     {
         $json = $this->json;
+        $json->status = true;
         $json->message = "Password changed.";
+        if ($requestPath === false) {
+            $json->status = false;
+            $json->message = "Password not changed.";
+        }
         $json->requestPath = $requestPath;
 
         return $json->save();