syncope-dev mailing list archives

From Francesco Chicchiriccò (JIRA) <j...@apache.org>
Subject [jira] [Resolved] (SYNCOPE-1388) mustChangePassword flag does not prevent user from invoking actions
Date Tue, 30 Oct 2018 17:04:01 GMT

     [ https://issues.apache.org/jira/browse/SYNCOPE-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò resolved SYNCOPE-1388.
---------------------------------------------
    Resolution: Fixed

> mustChangePassword flag does not prevent user from invoking actions
> -------------------------------------------------------------------
>
>                 Key: SYNCOPE-1388
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1388
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8, 2.1.1
>            Reporter: Lukas Funk
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>             Fix For: 2.0.11, 2.1.2, 3.0.0
>
>
> If a user has {{mustChangePassword}} set to {{true}}, the user can normally authenticate himself (which is expected), get his user information and even trigger a self-update on his user object. The latter two should not be allowed.
> Before the user can do anything except acquire an access token, he should call the {{/users/self/mustChangePassword}} API, which changes the password and sets {{mustChangePassword}} to {{false}}.
> *Intended Use-Case*
> Use the flag in a password policy, forcing the user to change the password every 90 days, for example.
> *To reproduce the issue using the REST-API*
> Given the admin has set the "mustChangePassword" flag to "true" for user "rossini"
> When the user "rossini" acquires an access token, then the access token is returned. (I haven't tested the behavior with basic Auth.) - correct behaviour!
> When the user "rossini" queries GET /users/self, then the user object is returned and the header "x-syncope-entitlements: {"MUST_CHANGE_PASSWORD":[]}" is set.
> *Expected*: Return error 403 with additional information that password must be reset.
> When the user "rossini" uses PATCH /users/self and sets the "mustChangePassword" flag to "false", then the user object is updated (status 200).
> *Expected*: Return error 403 with additional information that password must be reset.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
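The gate the report asks for, as an added example that is not Apache Syncope's code and not the fix that closed this issue: a small in-memory model of the self-service endpoints where a user with mustChangePassword set can obtain an access token and change the password, and gets 403 with an explanation for anything else. The endpoint paths, the x-syncope-entitlements header and the MUST_CHANGE_PASSWORD entitlement come from the issue text; the HTTP method used for the password-change call, the request and response shapes, the 204 on success, the rule that a self PATCH can never set the flag, and the sample user "rossini" with its attributes are this example's own assumptions. The enforce=False mode reproduces the reported behaviour so the two can be compared side by side.

```python
"""Added example, not Apache Syncope code: an in-memory model of the
self-service gate described in SYNCOPE-1388. enforce=False reproduces
the reported behaviour (flag advertised in the entitlements header but
not enforced); enforce=True is the behaviour the report expects."""
import hmac
import json
import secrets
from dataclasses import dataclass, field

MUST_CHANGE = "MUST_CHANGE_PASSWORD"
# Assumed: the password change is a POST to the path named in the issue.
PASSWORD_CHANGE = ("POST", "/users/self/mustChangePassword")
SELF = "/users/self"


@dataclass
class User:
    username: str
    password: str                 # plaintext only for this demo; hash it in real code
    must_change_password: bool
    entitlements: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


class SelfServiceGate:
    def __init__(self, users, enforce=True):
        self.users = {u.username: u for u in users}
        self.sessions = {}        # access token -> username
        self.enforce = enforce

    def login(self, username, password):
        """Authentication stays allowed regardless of the flag, as the issue says."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password, password):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = username
        return token

    def handle(self, token, method, path, body=None):
        username = self.sessions.get(token)
        if username is None:
            return Response(401, {}, {"error": "no valid access token"})
        user = self.users[username]
        body = body or {}

        # Mirror the header quoted in the issue: with the flag set, the only
        # entitlement the user holds is MUST_CHANGE_PASSWORD.
        ents = [MUST_CHANGE] if user.must_change_password else sorted(user.entitlements)
        headers = {"x-syncope-entitlements":
                   json.dumps({e: [] for e in ents}, separators=(",", ":"))}

        # The enforcement the report asks for: nothing but the password
        # change goes through while the flag is set.
        if self.enforce and user.must_change_password and (method, path) != PASSWORD_CHANGE:
            return Response(403, headers, {"error": "password must be changed before any other operation",
                                           "next": PASSWORD_CHANGE[1]})

        if (method, path) == PASSWORD_CHANGE:
            new_password = body.get("value", "")
            if not new_password or new_password == user.password:
                return Response(400, headers, {"error": "a new, non-empty password is required"})
            user.password = new_password
            user.must_change_password = False   # the only user-reachable way to clear the flag
            return Response(204, headers, {})
        if (method, path) == ("GET", SELF):
            return Response(200, headers, {"username": user.username,
                                           "mustChangePassword": user.must_change_password, **user.attrs})
        if (method, path) == ("PATCH", SELF):
            if "mustChangePassword" in body:
                if self.enforce:   # assumed design choice: the flag is never user-settable
                    return Response(403, headers, {"error": "mustChangePassword is not user-settable"})
                user.must_change_password = bool(body["mustChangePassword"])   # the reported bug
            user.attrs.update({k: v for k, v in body.items() if k != "mustChangePassword"})
            return Response(200, headers, {"username": user.username, **user.attrs})
        return Response(404, headers, {"error": "unknown endpoint"})


def reproduce(enforce):
    """Run the steps from the issue against a gate and return what each step produced."""
    # Constructed sample user; the admin has already set the flag.
    rossini = User("rossini", "old-pass", must_change_password=True,
                   entitlements={"USER_READ"}, attrs={"email": "rossini@example.invalid"})
    gate = SelfServiceGate([rossini], enforce=enforce)
    token = gate.login("rossini", "old-pass")
    get_before = gate.handle(token, "GET", SELF)
    patch = gate.handle(token, "PATCH", SELF, {"mustChangePassword": False})
    change = gate.handle(token, "POST", PASSWORD_CHANGE[1], {"value": "new-pass"})
    get_after = gate.handle(token, "GET", SELF)
    return {"token": token is not None, "get_before": get_before.status,
            "header_before": get_before.headers["x-syncope-entitlements"],
            "patch_before": patch.status, "change": change.status,
            "get_after": get_after.status, "flag_after": rossini.must_change_password}


if __name__ == "__main__":
    print("reported:", reproduce(enforce=False))
    print("expected:", reproduce(enforce=True))
```

The check sits in one place, before routing, so a new self-service endpoint cannot forget it; the flag is cleared only by the password-change handler and is refused in a self PATCH, which closes the second step of the report (the user flipping the flag himself) even after the 403 gate is in place.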
