From 48f5b46ea4adddb9803caeec334ef0230c30f3c7 Mon Sep 17 00:00:00 2001 From: MarecekF Date: Thu, 23 Nov 2017 09:11:09 +0100 Subject: [PATCH 1/2] MVCHF10-6 UserManager not to verify external and domain users' password + fix of major version number in Membership.Tests project --- CHANGELOG.md | 6 ++++++ .../Properties/AssemblyInfo.cs | 2 +- src/Kentico.Membership/UserManager.cs | 3 ++- .../Fakes/MembershipFakeFactory.cs | 9 ++++++--- .../Properties/AssemblyInfo.cs | 6 +++--- .../UserManagerTests.cs | 18 ++++++++++++++++++ 6 files changed, 36 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4923cd..b700e89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -195,6 +195,12 @@ ## Kentico.Membership +### 1.0.1 (2017-11-23) + +#### Fixed + +* `UserManager` not to verify external and domain users' password + ### 1.0.0 (2016-12-02) #### Release notes diff --git a/src/Kentico.Membership/Properties/AssemblyInfo.cs b/src/Kentico.Membership/Properties/AssemblyInfo.cs index ed49bdf..b5e9329 100644 --- a/src/Kentico.Membership/Properties/AssemblyInfo.cs +++ b/src/Kentico.Membership/Properties/AssemblyInfo.cs @@ -13,4 +13,4 @@ [assembly: Guid("fbdaad92-2e23-4c73-bde9-f6fa7a21b293")] [assembly: AssemblyVersion("1.0.0.0")] [assembly: AssemblyFileVersion("1.0.0.0")] -[assembly: AssemblyInformationalVersion("1.0.0")] +[assembly: AssemblyInformationalVersion("1.0.1")] diff --git a/src/Kentico.Membership/UserManager.cs b/src/Kentico.Membership/UserManager.cs index bc5cb2d..e89df72 100644 --- a/src/Kentico.Membership/UserManager.cs +++ b/src/Kentico.Membership/UserManager.cs @@ -99,8 +99,9 @@ protected override Task VerifyPasswordAsync(IUserPasswordStore } var userInfo = UserInfoProvider.GetUserInfo(user.UserName); + var result = !userInfo.IsExternal && !userInfo.UserIsDomain && !UserInfoProvider.IsUserPasswordDifferent(userInfo, password); - return Task.FromResult(!UserInfoProvider.IsUserPasswordDifferent(userInfo, password)); + return Task.FromResult(result); } 
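Review bot: The added `result` line dereferences `userInfo` before anything checks that `GetUserInfo(user.UserName)` actually found a record, so if the provider can return null for an unknown or deleted user name (not visible in this hunk) verification throws instead of failing closed; a guard `if (userInfo == null) { return Task.FromResult(false); }` ahead of the new line would match the null-user branch that apparently closes just above the hunk. The two new flag checks also deserve a why-comment so they are not later "simplified" away: `// External and domain users are authenticated by their provider; the locally stored password must never verify.` VerifyPasswordAsync starts before this hunk and is only partly visible.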
diff --git a/test/Kentico.Membership.Tests/Fakes/MembershipFakeFactory.cs b/test/Kentico.Membership.Tests/Fakes/MembershipFakeFactory.cs index 0fd4b84..3bef054 100644 --- a/test/Kentico.Membership.Tests/Fakes/MembershipFakeFactory.cs +++ b/test/Kentico.Membership.Tests/Fakes/MembershipFakeFactory.cs @@ -38,6 +38,7 @@ internal class MembershipFakeFactory USERNAME_NONEXISTENT = "NonExistentUser", USERNAME_EXTERNAL = "ExternalUser", USERNAME_EXTERNAL_WITH_SECURITY_STAMP = "ExternalUserWithSecurityStamp", + USERNAME_DOMAIN = "DomainUser", ROLE_ADMIN = "TestRoleAdmin", ROLE_MEMBER = "TestRoleMember", EXTERNAL_IDENTITY_KEY = "externalLogin", @@ -52,6 +53,7 @@ internal class MembershipFakeFactory UserDuplicateEmail2, UserExternal, UserExternalWithSecurityStamp, + UserDomain, UserWithoutPassword, UserWithPassword, UserWithSecurityStamp, @@ -90,7 +92,7 @@ private UserInfo[] InitUsers() { UserWithPassword = new UserInfo { - UserID = 10, + UserID = 11, UserName = USERNAME_WITH_PASSWORD, Enabled = true, }; 
@@ -106,9 +108,10 @@ private UserInfo[] InitUsers() UserWithoutPassword = new UserInfo { UserID = 7, UserName = USERNAME_NO_PASSWORD, Enabled = true }, UserExternal = new UserInfo { UserID = 8, UserName = USERNAME_EXTERNAL, Enabled = true, IsExternal = true }, UserExternalWithSecurityStamp = new UserInfo { UserID = 9, UserName = USERNAME_EXTERNAL_WITH_SECURITY_STAMP, Enabled = true, IsExternal = true, UserSecurityStamp = SECURITY_STAMP }, + UserDomain = new UserInfo { UserID = 10, UserName = USERNAME_DOMAIN, Enabled = true, UserIsDomain = true }, UserWithPassword, - UserWithSecurityStamp = new UserInfo { UserID = 11, UserName = USERNAME_WITH_SECURITY_STAMP, Enabled = true, UserSecurityStamp = SECURITY_STAMP }, - UserWithoutSecurityStamp = new UserInfo { UserID = 12, UserName = USERNAME_WITHOUT_SECURITY_STAMP, Enabled = true } + UserWithSecurityStamp = new UserInfo { UserID = 12, UserName = USERNAME_WITH_SECURITY_STAMP, Enabled = true, UserSecurityStamp = SECURITY_STAMP }, + UserWithoutSecurityStamp = new UserInfo { UserID = 13, UserName = USERNAME_WITHOUT_SECURITY_STAMP, Enabled = true } }; } diff --git a/test/Kentico.Membership.Tests/Properties/AssemblyInfo.cs b/test/Kentico.Membership.Tests/Properties/AssemblyInfo.cs index 363747e..6fc192d 100644 --- a/test/Kentico.Membership.Tests/Properties/AssemblyInfo.cs +++ b/test/Kentico.Membership.Tests/Properties/AssemblyInfo.cs @@ -11,6 +11,6 @@ [assembly: AssemblyCulture("")] [assembly: ComVisible(false)] [assembly: Guid("5e1a8ef6-b600-4dd1-9dc8-a91ad888d539")] -[assembly: AssemblyVersion("2.0.0.0")] -[assembly: AssemblyFileVersion("2.0.0.0")] -[assembly: AssemblyInformationalVersion("2.0.0")] +[assembly: AssemblyVersion("1.0.0.0")] +[assembly: AssemblyFileVersion("1.0.0.0")] +[assembly: AssemblyInformationalVersion("1.0.1")] diff --git a/test/Kentico.Membership.Tests/UserManagerTests.cs b/test/Kentico.Membership.Tests/UserManagerTests.cs index 7c51e39..1ad3a01 100644 
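Review bot: Inserting `UserDomain` as UserID 10 renumbers three existing fixtures (`UserWithPassword`, `UserWithSecurityStamp`, `UserWithoutSecurityStamp`) that the change does not otherwise touch, which widens the diff and can silently shift any test that keys on those IDs. Giving the new fake the next free ID, `UserDomain = new UserInfo { UserID = 13, UserName = USERNAME_DOMAIN, Enabled = true, UserIsDomain = true },`, and appending it would keep the hunk to the added lines only. InitUsers begins before the first line of this hunk.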
--- a/test/Kentico.Membership.Tests/UserManagerTests.cs +++ b/test/Kentico.Membership.Tests/UserManagerTests.cs @@ -81,6 +81,24 @@ public void VerifyPassword_UserNull_False() } + [Test] + public void VerifyPassword_UserIsExternal_False() + { + var user = new User(mMembershipFakeFactory.UserExternal); + + Assert.IsFalse(manager.CallProtectedVerifyPassword(user, "")); + } + + + [Test] + public void VerifyPassword_UserIsDomain_False() + { + var user = new User(mMembershipFakeFactory.UserDomain); + + Assert.IsFalse(manager.CallProtectedVerifyPassword(user, "")); + } + + [Test] public void VerifyPassword_PasswordFormatChanged_UserCanLogInWithOldPasswordHash() { From 67a8b38a47087e9656b789afad3c5dcea7f12255 Mon Sep 17 00:00:00 2001 From: MarecekF Date: Thu, 23 Nov 2017 11:58:34 +0100 Subject: [PATCH 2/2] MVCHF10-6 Changelog adjustment for UserManager fix --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b700e89..0e95428 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -197,9 +197,9 @@ ### 1.0.1 (2017-11-23) -#### Fixed +#### Fixed, Security -* `UserManager` not to verify external and domain users' password +* `UserManager` no longer successfully verifies passwords for external and domain users. ### 1.0.0 (2016-12-02)
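Review bot: Both new tests pass an empty password to fakes that have no stored password (the `UserDomain` fixture sets only `UserIsDomain`), so they could be passing on `IsUserPasswordDifferent` alone and might not fail if the `IsExternal`/`UserIsDomain` checks were removed, depending on how an empty stored password compares (not visible here). A fake external or domain user whose stored password equals the supplied one, asserting for example `Assert.IsFalse(manager.CallProtectedVerifyPassword(user, "correctPassword"));` against that fixture, would pin the fix itself rather than the empty-password case. The two test methods are complete within the hunk; the enclosing test class continues outside it.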