Re: [PR] Allow enforcing password change for a user after reset by admin (root/domain) [cloudstack]

Fri, 19 Dec 2025 00:53:33 -0800 


vishesh92 commented on code in PR #12294:
URL: https://github.com/apache/cloudstack/pull/12294#discussion_r2634212477


##########
plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java:
##########
@@ -280,12 +283,22 @@ public ListResponse<? extends BaseResponse> listApis(User 
user, String name) {
                         
ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, 
"accountName", "uuid")));
             }
 
-            if (role.getRoleType() == RoleType.Admin && role.getId() == 
RoleType.Admin.getId()) {
-                logger.info(String.format("Account [%s] is Root Admin, all 
APIs are allowed.",
-                        
ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, 
"accountName", "uuid")));
+            // Limit APIs on first login requiring password change
+            UserAccount userAccount = 
accountService.getUserAccountById(user.getId());
+            Map<String, String> userAccDetails = userAccount.getDetails();
+            if (MapUtils.isNotEmpty(userAccDetails)) {
+                String needPwdChangeStr = 
userAccDetails.get(UserDetailVO.PasswordChangeRequired);
+                if ("true".equalsIgnoreCase(needPwdChangeStr)) {
+                    apisAllowed = Arrays.asList("login", "logout", 
"updateUser", "listUsers", "listApis");

Review Comment:
   IMO, `listUsers` shouldn't be required here.



##########
api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java:
##########
@@ -132,6 +132,10 @@ public class UserResponse extends BaseResponse implements 
SetResourceIconRespons
     @Param(description = "whether api key access is Enabled, Disabled or set 
to Inherit (it inherits the value from the parent)", since = "4.20.1.0")
     ApiConstants.ApiKeyAccess apiKeyAccess;
 
+    @SerializedName(value = ApiConstants.PASSWORD_CHANGE_REQUIRED)

Review Comment:
   IMO, we don't need to return this in user response.



##########
plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java:
##########
@@ -280,12 +283,22 @@ public ListResponse<? extends BaseResponse> listApis(User 
user, String name) {
                         
ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, 
"accountName", "uuid")));
             }
 
-            if (role.getRoleType() == RoleType.Admin && role.getId() == 
RoleType.Admin.getId()) {
-                logger.info(String.format("Account [%s] is Root Admin, all 
APIs are allowed.",
-                        
ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, 
"accountName", "uuid")));
+            // Limit APIs on first login requiring password change
+            UserAccount userAccount = 
accountService.getUserAccountById(user.getId());
+            Map<String, String> userAccDetails = userAccount.getDetails();
+            if (MapUtils.isNotEmpty(userAccDetails)) {

Review Comment:
   These if checks doesn't seem correct. If my understanding is correct, if 
there is a user detail value stored for a user (not password change required) 
and the user tries to do list apis, it will return all the APIs.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to