sudo87 commented on code in PR #12294:
URL: https://github.com/apache/cloudstack/pull/12294#discussion_r2667736003
##########
server/src/main/java/com/cloud/user/AccountManagerImpl.java:
##########
@@ -1585,10 +1606,36 @@ public UserAccount updateUser(UpdateUserCmd
updateUserCmd) {
if (mandate2FA != null && mandate2FA) {
user.setUser2faEnabled(true);
}
+ updatePasswordChangeRequired(caller, updateUserCmd, user);
_userDao.update(user.getId(), user);
return _userAccountDao.findById(user.getId());
}
+ private void updatePasswordChangeRequired(User caller, UpdateUserCmd
updateUserCmd, UserVO user) {
+ User.Source userSource = user.getSource();
+ if ((userSource == User.Source.SAML2 || userSource ==
User.Source.SAML2DISABLED || userSource == User.Source.LDAP)
+ && updateUserCmd.isPasswordChangeRequired()) {
+ logger.warn("Enforcing password change is not permitted for source
[{}].", user.getSource());
+ throw new InvalidParameterValueException("CloudStack does not
support enforcing password change for SAML or LDAP users.");
+ }
+
+ boolean isCallerSameAsUser = user.getId() == caller.getId();
+ boolean isPasswordResetRequired =
updateUserCmd.isPasswordChangeRequired() && !isCallerSameAsUser;
+ // Admins only can enforce passwordChangeRequired for user
+ if (isRootAdmin(caller.getAccountId()) ||
isDomainAdmin(caller.getAccountId())) {
+ if (isPasswordResetRequired) {
+ _userDetailsDao.addDetail(user.getId(),
PasswordChangeRequired, "true", false);
+ }
+ }
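Review bot: When `updateUserCmd.isPasswordChangeRequired()` is true but the caller is neither a root nor a domain admin, or the caller is the target user, the visible lines of `updatePasswordChangeRequired` write nothing and throw nothing, so the API call appears to succeed although the flag was never stored. For a control that operators rely on to force credential rotation, a silent no-op is harder to notice than a refusal; consider rejecting the non-admin case before the admin branch, e.g. `if (updateUserCmd.isPasswordChangeRequired() && !isCallerAdmin) { throw new PermissionDeniedException("Only root or domain admins can enforce a password change."); }`, where `isCallerAdmin` holds the existing `isRootAdmin(...) || isDomainAdmin(...)` result (the `InvalidParameterValueException` already used above would also do). In the visible lines only the SAML/LDAP rejection is logged, so an audit log line naming caller and target ids next to `_userDetailsDao.addDetail(...)` would make enforcement traceable. The method body continues past the end of the quoted hunk, so some of this may already be handled further down.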
Review Comment:
The PR description was outdated; enforcing a password change is allowed for any
user with sufficient privilege to update their password.