Lukas Funk created SYNCOPE-1388:
-----------------------------------
Summary: mustChangePassword flag does not prevent user from
invoking actions
Key: SYNCOPE-1388
URL: https://issues.apache.org/jira/browse/SYNCOPE-1388
Project: Syncope
Issue Type: Bug
Components: core
Affects Versions: 2.1.1, 2.0.8
Reporter: Lukas Funk
If a user has {{mustChangePassword}} set to {{true}}, the user can normally
authenticate himself (which is expected), get his user information and even
trigger a self-update on his user object. The latter two should not be allowed.
Before the user can do anything except acquire an access token, he should call
the {{/users/self/mustChangePassword}} API, which changes the password and sets
{{mustChangePassword}} to {{false}}.
*To reproduce the issue using the REST-API*
Given the admin has set the "mustChangePassword" flag to "true" for user
"rossini"
When the user "rossini" acquires an access token, then the access token is
returned. (I haven't tested the behavior with Basic Auth.) - correct behaviour!
When the user "rossini" queries GET /users/self, then the user object is
returned and the header "x-syncope-entitlements: {"MUST_CHANGE_PASSWORD":[]}"
is set.
*Expected*: Return error 403 with additional information that password must be
reset.
When the user "rossini" uses PATCH /users/self and sets the
"mustChangePassword" flag to "false", then the user object is updated (status
200).
*Expected*: Return error 403 with additional information that password must be
reset.
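The enforcement the two *Expected* lines ask for, as an added example that is not Syncope's own code: a request gate that answers 403 for a user carrying the MUST_CHANGE_PASSWORD entitlement on everything except token acquisition and the self password change. The header value is the one quoted above; the two allowed routes are assumptions, since the report names only "acquire an accesstoken" and /users/self/mustChangePassword.

```python
import json
from http import HTTPStatus

MUST_CHANGE_PASSWORD = "MUST_CHANGE_PASSWORD"

# Calls still permitted while the flag is set. Both paths are assumptions
# (the report does not give the token route or the HTTP method); adjust
# them to the deployment's real routes.
ALLOWED_WHILE_FLAGGED = {
    ("POST", "/accessTokens/login"),
    ("POST", "/users/self/mustChangePassword"),
}


def parse_entitlements(header_value):
    """Parse an x-syncope-entitlements header (JSON object mapping
    entitlement name -> list of realms) into a set of entitlement names.
    Anything unparsable yields the empty set, i.e. no entitlements."""
    try:
        data = json.loads(header_value)
    except (TypeError, ValueError):
        return set()
    return set(data) if isinstance(data, dict) else set()


def gate(entitlements, method, path):
    """Return (status, body) for a request made with these entitlements.
    A flagged user gets 403 plus an explanatory body on every call outside
    ALLOWED_WHILE_FLAGGED; (None, None) means continue to the real handler."""
    if MUST_CHANGE_PASSWORD in entitlements and (method, path) not in ALLOWED_WHILE_FLAGGED:
        return HTTPStatus.FORBIDDEN, {
            "error": "password must be reset",
            "hint": "call POST /users/self/mustChangePassword first",
        }
    return None, None


def replay_report():
    """Run the report's reproduction steps through the gate and return the
    status each step should now receive (None = allowed through)."""
    header = '{"MUST_CHANGE_PASSWORD":[]}'  # constructed, copied from the report
    ents = parse_entitlements(header)
    return {
        "login": gate(ents, "POST", "/accessTokens/login")[0],
        "get_self": gate(ents, "GET", "/users/self")[0],
        "patch_self": gate(ents, "PATCH", "/users/self")[0],
        "change_pwd": gate(ents, "POST", "/users/self/mustChangePassword")[0],
    }


if __name__ == "__main__":
    for step, status in replay_report().items():
        print(step, "allowed" if status is None else int(status))
```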
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)