[OPENAM-5695] Allow admin users to update user's password without the old password Created: 20/Mar/15 Updated: 20/Nov/16 Resolved: 22/Sep/15
|Affects Version/s:||11.0.2, 11.0.3, 12.0.0, 13.0.0|
|Fix Version/s:||12.0.3, 13.0.0|
|Reporter:||Quentin CASTEL [X] (Inactive)||Assignee:||Quentin CASTEL [X] (Inactive)|
|Sprint:||Sprint 81 - Sustaining, Sprint 83 - Sustaining, Sprint 84 - Sustaining, Sustaining Sprint 12|
Admin users should have the necessary delegation permissions to update the user's password without the old password.
If the user who is being updated is actually the same user as the one who performs the operation, the request should be rejected (to enforce that changing the current user's password requires the current password); otherwise the request should be let through and allowed to potentially fail due to not having the necessary delegation permissions that would allow the update of the user entry.
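The check order described above, modelled as an added example (not OpenAM's code and not part of the original ticket). The function name, the `helpdesk-admin`, `alice` and `bob` accounts, the delegation table and the case-insensitive id comparison are assumptions.

```python
from enum import Enum


class Decision(Enum):
    ALLOW = "update applied"
    REJECT_SELF = "rejected: changing your own password requires the current password"
    REJECT_DELEGATION = "rejected: caller lacks delegation permission on the user entry"


# Constructed sample data (assumption): caller -> user entries it may modify.
# Stands in for the server's real delegation privilege evaluation.
DELEGATED_TARGETS = {
    "helpdesk-admin": {"alice", "bob", "helpdesk-admin"},
    "amadmin": {"alice", "bob", "helpdesk-admin", "amadmin"},
}


def canonical(user_id: str) -> str:
    # Assumption: user ids compare case-insensitively, so "Alice" and "alice"
    # are the same identity for the self-update check.
    return user_id.casefold()


def decide_update_without_old_password(requester: str, target: str) -> Decision:
    """Decide a password update request that carries no old password."""
    requester, target = canonical(requester), canonical(target)

    # Step 1: the self-update check comes first, so no privilege level lets a
    # caller skip the current-password requirement for their own account.
    if requester == target:
        return Decision.REJECT_SELF

    # Step 2: otherwise the request is let through and succeeds or fails on
    # delegation permissions alone.
    if target in DELEGATED_TARGETS.get(requester, set()):
        return Decision.ALLOW
    return Decision.REJECT_DELEGATION


if __name__ == "__main__":
    for caller, user in [("helpdesk-admin", "alice"), ("Alice", "alice"),
                         ("helpdesk-admin", "helpdesk-admin"), ("bob", "alice")]:
        result = decide_update_without_old_password(caller, user)
        print(f"{caller} -> {user}: {result.value}")
```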
|Comment by Alan Beecraft [ 30/Jul/15 ]|
The two cases are similar: the goal is to change another user's password via the JSON REST API without providing the old user's password:
In this sense we really need the implementation of 5695, as our application does not use the amadmin user but a different privileged user. We want to have all AdminUsers be able to change another user's password without providing the user's old password.
|Comment by Quentin CASTEL [X] (Inactive) [ 22/Sep/15 ]|
Fixed in 12.0.3 r15838
|Comment by Jake Feasel [ 25/Sep/15 ]|
This JIRA does not show the full REST call necessary to reset a password. Also, it doesn't make sense that admins should have to enter the old password for themselves - compare with Unix "root" passwd behavior and the Windows administrative password reset GUI - neither requires entering your old password when you are an admin.