[ 
https://issues.apache.org/jira/browse/RANGER-899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15288988#comment-15288988
 ] 

Bryan Bende commented on RANGER-899:
------------------------------------

Thanks for pointing this out.... It looks like the reason for this exception is 
the following code in UserMgr:

{code}
public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) {
        checkAccess(gjUser);
        if (gjUser.getEmailAddress() != null) {
                throw restErrorUtil.createRESTException(
                                "serverMsg.userMgrEmailChange",
                                MessageEnums.OPER_NO_PERMISSION, null, null,
                                "" + changeEmail);
        }
{code}

Does anyone know why we would throw an exception if the email address is not 
null?

Would be easy to remove this check, but it seems like it was there for a reason.

> Problem Changing/Updating emailAddress of logged in user using API: 
> "{userId}/emailchange" of class org.apache.ranger.rest.UserREST.java
> ----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-899
>                 URL: https://issues.apache.org/jira/browse/RANGER-899
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Tushar Dudhatra
>            Assignee: Bryan Bende
>            Priority: Minor
>
> While taking a tour of the existing code, I found something not good about 
> this API. This API is for changing/updating the emailAddress of the logged-in 
> user. Here is what I have done:
> --- Case 1:
>  
> 1) Created new user with Admin UI with this data: 
> {"groupIdList":null,"status":1,"userRoleList":["ROLE_SYS_ADMIN"],"name":"user1","password":"user12345","firstName":"User1","lastName":"","emailAddress":"[email protected]"}
>  
> 2) After this I logged in with username `user1`.
> 3) Tried hitting this POST URL using RESTClient : {base 
> url}/service/users/5/emailchange. Data I posted: {"loginId":"user1", 
> "emailAddress":"[email protected]", "oldPassword":"user12345"}
> It gave me 400 Bad Request with message "User doesn't have permission to 
> perform this operation"
> Expected: It should allow me to change/update my email address
> --- Case 2:
> In this case I tried creating another new user with username `user3` 
> without giving an emailId, saved it, and followed the same steps. Again it 
> gave me 400 Bad Request with message "User doesn't have permission to perform 
> this operation". 
> The reason is that the back-end automatically sets some random number as my 
> email id if I don't provide one. So while creating a new user it doesn't 
> matter whether I give an email or not: it will either save the user-given 
> email or save some random system-generated number as my emailId, hence the 
> emailId in the database will never be empty, and because of that I will never 
> be able to change/update my emailId using this API.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
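
The two cases from the issue description, as an added example in Java (a constructed model, not Ranger's code and not a proposed patch from the thread). `createUser`, the format of the generated email value, and `allowedByOwnerCheck` are assumptions for illustration; `allowedByQuotedGuard` mirrors the condition in the quoted `changeEmailAddress` snippet, and the owner check uses only the `loginId` and `oldPassword` fields the request already carries.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Constructed model of the behaviour reported in RANGER-899; not Ranger source.
public class EmailChangeGuardDemo {
    static final class User {
        final String loginId;
        final String password; // plaintext only to keep the model short
        String email;
        User(String loginId, String password, String email) {
            this.loginId = loginId; this.password = password; this.email = email;
        }
    }

    // Per the report, a blank email is replaced with a system-generated value,
    // so the stored field is never null. The value format here is an assumption.
    static User createUser(String loginId, String password, String email) {
        boolean blank = (email == null || email.isEmpty());
        return new User(loginId, password, blank ? "generated-" + loginId.hashCode() : email);
    }

    // Same condition as the quoted check: refuse whenever an email is already stored.
    static boolean allowedByQuotedGuard(User u) {
        return u.email == null;
    }

    // Hypothetical alternative: the caller must be the account owner and must
    // re-prove knowledge of the current password (compared in constant time).
    static boolean allowedByOwnerCheck(User u, String callerLoginId, String oldPassword) {
        if (callerLoginId == null || oldPassword == null) return false;
        return u.loginId.equals(callerLoginId)
            && MessageDigest.isEqual(u.password.getBytes(StandardCharsets.UTF_8),
                                     oldPassword.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        User user1 = createUser("user1", "constructed-pw-1", "user1@example.invalid"); // Case 1
        User user3 = createUser("user3", "constructed-pw-3", null);                    // Case 2
        for (User u : new User[] {user1, user3}) {
            System.out.println(u.loginId
                + " quotedGuard=" + allowedByQuotedGuard(u)
                + " ownerWithPassword=" + allowedByOwnerCheck(u, u.loginId, u.password)
                + " ownerWrongPassword=" + allowedByOwnerCheck(u, u.loginId, "wrong")
                + " otherUser=" + allowedByOwnerCheck(u, "someone-else", u.password));
        }
    }
}
```

Because the stored email is never null in either case, the quoted guard rejects every caller, while a check bound to the caller's identity and current password separates the owner from everyone else.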
