[ https://issues.apache.org/jira/browse/SYNCOPE-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francesco Chicchiriccò updated SYNCOPE-1388: -------------------------------------------- Fix Version/s: 3.0.0 2.1.2 2.0.11 > mustChangePassword flag does not prevent user from invoking actions > ------------------------------------------------------------------- > > Key: SYNCOPE-1388 > URL: https://issues.apache.org/jira/browse/SYNCOPE-1388 > Project: Syncope > Issue Type: Bug > Components: core > Affects Versions: 2.0.8, 2.1.1 > Reporter: Lukas Funk > Priority: Major > Fix For: 2.0.11, 2.1.2, 3.0.0 > > > If a user has {{mustChangePassword}} set to {{true}}, the user can normally > authenticate himself (which is expected), get his user information and even > trigger a self-update on his user object. The later two should not be allowed. > Before the user can do anything except acquire an accesstoken, he should call > {{/users/self/mustChangePassword}} API which will change the password and > sets the {{mustChangePassword}} set to {{false}} > *To reproduce the issue using the REST-API* > Given the admin has set the "mustChangePassword" flag to "true" for user > "rossini" > When the user "rossini" acquire an accesstoken, then the access token is > returned. (I haven't tested the behavior with basic Auth.) - correct > behaviour! > When the user "rossini" queries GET /users/self, then the user object is > returned and the header "x-syncope-entitlements: > \{"MUST_CHANGE_PASSWORD":[]}" is set. > *Expected*: Return error 403 with additional information that password must > be reset. > When the user "rossini" uses PATCH /users/self and sets the > "mustChangePassword" flag to "false", then the user object is updated (status > 200). > *Expected*: Return error 403 with additional information that password must > be reset. -- This message was sent by Atlassian JIRA (v7.6.3#76005)