syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SYNCOPE-1388) mustChangePassword flag does not prevent user from invoking actions
Date Tue, 30 Oct 2018 17:04:00 GMT

    [ https://issues.apache.org/jira/browse/SYNCOPE-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16669045#comment-16669045
] 

ASF subversion and git services commented on SYNCOPE-1388:
----------------------------------------------------------

Commit eae67f83d57b8382c5e6aa10d0ca1838c4018856 in syncope's branch refs/heads/2_1_X from
[~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=eae67f8 ]

[SYNCOPE-1388] Now only POST /user/self/mustChangePassword is allowed when mustChangePassword
flag is set on user


> mustChangePassword flag does not prevent user from invoking actions
> -------------------------------------------------------------------
>
>                 Key: SYNCOPE-1388
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1388
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8, 2.1.1
>            Reporter: Lukas Funk
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>             Fix For: 2.0.11, 2.1.2, 3.0.0
>
>
> If a user has {{mustChangePassword}} set to {{true}}, the user can normally authenticate
himself (which is expected), get his user information and even trigger a self-update on his
user object. The later two should not be allowed.
> Before the user can do anything except acquire an accesstoken, he should call {{/users/self/mustChangePassword}}
API which will change the password and sets the {{mustChangePassword}} set to {{false}}
> *Intended Use-Case*
> Use the flag in a password policy, enforcing the user to change the password every e.g.
90 days.
> *To reproduce the issue using the REST-API*
>  Given the admin has set the "mustChangePassword" flag to "true" for user "rossini"
> When the user "rossini" acquire an accesstoken, then the access token is returned. (I
haven't tested the behavior with basic Auth.) - correct behaviour!
> When the user "rossini" queries GET /users/self, then the user object is returned and
the header "x-syncope-entitlements: \{"MUST_CHANGE_PASSWORD":[]}" is set.
>  *Expected*: Return error 403 with additional information that password must be reset.
> When the user "rossini" uses PATCH /users/self and sets the "mustChangePassword" flag
to "false", then the user object is updated (status 200).
>  *Expected*: Return error 403 with additional information that password must be reset.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message