Commit928315f

authored and

committed

fix: allow admins to reset their own pass without old_password (#2222)

1 parent8eaa853 commit928315fCopy full SHA for 928315f

File tree

-7

lines changed

-7

lines changed

Lines changed: 7 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -384,7 +384,6 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW`
`384`	`384`	`func (apiAPI)putUserPassword(rw http.ResponseWriter,rhttp.Request) {`
`385`	`385`	`var (`
`386`	`386`	`user=httpmw.UserParam(r)`
`387`		`-apiKey=httpmw.APIKey(r)`
`388`	`387`	`params codersdk.UpdateUserPasswordRequest`
`389`	`388`	`)`
`390`	`389`
`@@ -410,10 +409,13 @@ func (api API) putUserPassword(rw http.ResponseWriter, r http.Request) {`
`410`	`409`	`return`
`411`	`410`	`}`
`412`	`411`
`413`		`-// we want to require old_password field if the user is changing their`
`414`		`-// own password. This is to prevent a compromised session from being able`
`415`		`-// to change password and lock out the user.`
`416`		`-ifuser.ID==apiKey.UserID {`
	`412`	`+// admins can change passwords without sending old_password`
	`413`	`+ifparams.OldPassword=="" {`
	`414`	`+if!api.Authorize(rw,r,rbac.ActionUpdate,rbac.ResourceUser.WithID(user.ID.String())) {`
	`415`	`+return`
	`416`	`+}`
	`417`	`+}else {`
	`418`	`+// if they send something let's validate it`
`417`	`419`	`ok,err:=userpassword.Compare(string(user.HashedPassword),params.OldPassword)`
`418`	`420`	`iferr!=nil {`
`419`	`421`	`httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -480,14 +480,14 @@ func TestUpdateUserPassword(t *testing.T) {`
`480`	`480`	`})`
`481`	`481`	`require.Error(t,err,"member should not be able to update own password without providing old password")`
`482`	`482`	`})`
`483`		`-t.Run("AdminCantUpdateOwnPasswordWithoutOldPassword",func(t*testing.T) {`
	`483`	`+t.Run("AdminCanUpdateOwnPasswordWithoutOldPassword",func(t*testing.T) {`
`484`	`484`	`t.Parallel()`
`485`	`485`	`client:=coderdtest.New(t,nil)`
`486`	`486`	`_=coderdtest.CreateFirstUser(t,client)`
`487`	`487`	`err:=client.UpdateUserPassword(context.Background(),"me", codersdk.UpdateUserPasswordRequest{`
`488`	`488`	`Password:"newpassword",`
`489`	`489`	`})`
`490`		`-require.Error(t,err,"admin should not be able to update own password without providing old password")`
	`490`	`+require.NoError(t,err,"admin should be able to update own password without providing old password")`
`491`	`491`	`})`
`492`	`492`	`}`
`493`	`493`

Comments

(0)