[jira] [Commented] (SYNCOPE-1388) mustChangePassword flag does not prevent user from invoking actions

Tue, 30 Oct 2018 10:04:11 -0700 


    [ 
https://issues.apache.org/jira/browse/SYNCOPE-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16669044#comment-16669044
 ] 

ASF subversion and git services commented on SYNCOPE-1388:
----------------------------------------------------------

Commit 9488345f84951b74f4604852391815266c285fbb in syncope's branch 
refs/heads/2_0_X from [~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=9488345 ]

[SYNCOPE-1388] Now only POST /user/self/mustChangePassword is allowed when 
mustChangePassword flag is set on user


> mustChangePassword flag does not prevent user from invoking actions
> -------------------------------------------------------------------
>
>                 Key: SYNCOPE-1388
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1388
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8, 2.1.1
>            Reporter: Lukas Funk
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>             Fix For: 2.0.11, 2.1.2, 3.0.0
>
>
> If a user has {{mustChangePassword}} set to {{true}}, the user can normally 
> authenticate himself (which is expected), get his user information and even 
> trigger a self-update on his user object. The later two should not be allowed.
> Before the user can do anything except acquire an accesstoken, he should call 
> {{/users/self/mustChangePassword}} API which will change the password and 
> sets the {{mustChangePassword}} set to {{false}}
> *Intended Use-Case*
> Use the flag in a password policy, enforcing the user to change the password 
> every e.g. 90 days.
> *To reproduce the issue using the REST-API*
>  Given the admin has set the "mustChangePassword" flag to "true" for user 
> "rossini"
> When the user "rossini" acquire an accesstoken, then the access token is 
> returned. (I haven't tested the behavior with basic Auth.) - correct 
> behaviour!
> When the user "rossini" queries GET /users/self, then the user object is 
> returned and the header "x-syncope-entitlements: 
> \{"MUST_CHANGE_PASSWORD":[]}" is set.
>  *Expected*: Return error 403 with additional information that password must 
> be reset.
> When the user "rossini" uses PATCH /users/self and sets the 
> "mustChangePassword" flag to "false", then the user object is updated (status 
> 200).
>  *Expected*: Return error 403 with additional information that password must 
> be reset.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to