[ https://issues.apache.org/jira/browse/SYNCOPE-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16669044#comment-16669044 ]

ASF subversion and git services commented on SYNCOPE-1388:
----------------------------------------------------------

Commit 9488345f84951b74f4604852391815266c285fbb in syncope's branch refs/heads/2_0_X from [~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=9488345 ]

[SYNCOPE-1388] Now only POST /user/self/mustChangePassword is allowed when mustChangePassword flag is set on user

> mustChangePassword flag does not prevent user from invoking actions
> -------------------------------------------------------------------
>
>                 Key: SYNCOPE-1388
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1388
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.8, 2.1.1
>            Reporter: Lukas Funk
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>             Fix For: 2.0.11, 2.1.2, 3.0.0
>
>
> If a user has {{mustChangePassword}} set to {{true}}, the user can normally
> authenticate himself (which is expected), get his user information and even
> trigger a self-update on his user object. The latter two should not be allowed.
> Before the user can do anything except acquire an access token, he should call
> the {{/users/self/mustChangePassword}} API, which will change the password and
> set {{mustChangePassword}} to {{false}}.
>
> *Intended Use-Case*
> Use the flag in a password policy, enforcing the user to change the password
> every e.g. 90 days.
>
> *To reproduce the issue using the REST-API*
> Given the admin has set the "mustChangePassword" flag to "true" for user
> "rossini"
>
> When the user "rossini" acquires an access token, then the access token is
> returned. (I haven't tested the behavior with basic Auth.) - correct
> behaviour!
>
> When the user "rossini" queries GET /users/self, then the user object is
> returned and the header "x-syncope-entitlements:
> \{"MUST_CHANGE_PASSWORD":[]}" is set.
> *Expected*: Return error 403 with additional information that password must
> be reset.
>
> When the user "rossini" uses PATCH /users/self and sets the
> "mustChangePassword" flag to "false", then the user object is updated (status
> 200).
> *Expected*: Return error 403 with additional information that password must
> be reset.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
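The enforcement the fix describes, as an added example that is not Syncope's own code: after authentication, a request gate refuses everything except POST /users/self/mustChangePassword with 403 while the user's mustChangePassword flag is set, and the flag is cleared only by that endpoint. The endpoint paths are the ones named in the report; the in-memory user store, the "email" field, the request/response shapes and the error codes are constructed for this illustration.

```python
# Added example (not Syncope's code): a minimal model of the mustChangePassword
# gate. Paths come from the SYNCOPE-1388 report; users, fields and response
# bodies are constructed for illustration.
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

CHANGE_PASSWORD = ("POST", "/users/self/mustChangePassword")  # the one allowed call

Response = Tuple[int, Dict[str, Any]]  # (HTTP status, JSON body)


@dataclass
class User:
    username: str
    password: str
    email: str
    must_change_password: bool = False


def make_users() -> Dict[str, User]:
    """Fresh constructed user store; 'rossini' is flagged as in the report."""
    return {
        "rossini": User("rossini", "old-secret", "rossini@example.invalid", True),
        "verdi": User("verdi", "s3cret", "verdi@example.invalid", False),
    }


def authenticate(users: Dict[str, User], username: str, password: str) -> Optional[User]:
    """Authentication itself stays allowed for a flagged user (expected behaviour)."""
    user = users.get(username)
    if user is None or user.password != password:
        return None
    return user


def must_change_password_gate(user: User, method: str, path: str) -> Optional[Response]:
    """Return a 403 response when a flagged user asks for anything other than the
    password-change endpoint; None means the request may proceed to a handler."""
    if not user.must_change_password or (method, path) == CHANGE_PASSWORD:
        return None
    return 403, {
        "error": "MustChangePassword",
        "message": "Password must be reset via %s %s before any other operation" % CHANGE_PASSWORD,
    }


def handle(users: Dict[str, User], username: str, password: str,
           method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Response:
    """Authenticate, run the gate before any handler, then dispatch."""
    user = authenticate(users, username, password)
    if user is None:
        return 401, {"error": "Unauthorized"}

    refused = must_change_password_gate(user, method, path)
    if refused is not None:
        return refused  # GET /users/self and PATCH /users/self end here while flagged

    body = body or {}
    if (method, path) == ("GET", "/users/self"):
        return 200, {"username": user.username, "email": user.email,
                     "mustChangePassword": user.must_change_password}

    if (method, path) == ("PATCH", "/users/self"):
        # Self-service update: only email is user-editable here; the
        # mustChangePassword flag is administrative and is ignored if sent.
        if "email" in body:
            user.email = body["email"]
        return 200, {"username": user.username, "email": user.email,
                     "mustChangePassword": user.must_change_password}

    if (method, path) == CHANGE_PASSWORD:
        new_password = body.get("value", "")
        if not new_password or new_password == user.password:
            return 400, {"error": "InvalidPassword",
                         "message": "New password must be non-empty and differ from the current one"}
        user.password = new_password
        user.must_change_password = False  # the only place the flag is cleared
        return 200, {"username": user.username, "mustChangePassword": False}

    return 404, {"error": "NotFound"}


if __name__ == "__main__":
    store = make_users()
    print(handle(store, "rossini", "old-secret", "GET", "/users/self"))      # 403
    print(handle(store, "rossini", "old-secret", "PATCH", "/users/self",
                 {"mustChangePassword": False}))                            # 403, flag unchanged
    print(handle(store, "rossini", "old-secret", *CHANGE_PASSWORD, {"value": "new-secret"}))
    print(handle(store, "rossini", "new-secret", "GET", "/users/self"))      # 200
```

The point of the structure is that the gate runs in one place before dispatch, so a new self-service endpoint cannot be added later without passing through it, and the flag can only be reset by the password-change handler rather than by a generic PATCH of the user object.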