Created by Ferdy Hoefakker 24 Aug 2015, 07:46:21 Updated by Shannon Deminick 18 Apr 2017, 10:25:15
Subtask of: UAASSCRUM-810
By changing the enablePasswordReset and allowManuallyChangingPassword to false, you force a user to enter his current password when using the "Change password" dashboard feature.
However, the control in the actual user section seems to be the same control as the one on the dashboard. This is not a desired design, as an administrator can no longer reset a user's password this way (since he doesn't know the current password).
That is the entire purpose of allowManuallyChangingPassword: if you set this to false, then you must have the password to reset it if you have also set enablePasswordReset to false!
@Shandem Hi Shannon, I agree with your comment, but in a lot of our security pentests we always get the remark that a user should not have the possibility to change his password without entering his old password. That would require setting the setting to false => Great, we'll pass the pentest.
But if now an administrator that has access to the User section wants to reset somebody's password because they forgot it, that is impossible, because in the User section you also have to specify the old password (which you don't know).
I think the current functionality works for the user, but it should have no impact on the User section, where you (as an administrator) would never have to enter the old password.
Does that make sense?
I guess if you have both enablePasswordReset="false" and allowManuallyChangingPassword="false" specified, then sure, I guess the only way to 'reset' or change the password would be to allow the admin to do it, since they wouldn't be able to reset their password with the forgot password functionality.
I tested this before beta and swear that I had the "reset password" checkbox, but now I don't in the beta. So yes, if those conditions (enablePasswordReset="false" allowManuallyChangingPassword="false") are true, then we should allow for a hard reset - but only for admins and only in the Users section, not in the fly-out in the content section. Also for resetting member passwords, by the way.
I ran into this when creating a new user. When allowManuallyChangingPassword="false" is set, it asks for the current password. Since the user is being created, there is no current password, yet the field is mandatory. So, in effect, I had to disable that setting to be able to set a password for a newly created user.
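The rule the thread converges on (current password required for self-service changes, admin hard reset allowed only in the Users section when both provider settings are false, never a current password for a brand-new user) written out as a decision function. This is an added example, not Umbraco's own code; the setting names mirror the two provider attributes discussed above, while `PasswordChangeContext`, `ProviderSettings` and `PasswordPolicy` are hypothetical names introduced here.

```csharp
using System;

// Where the password change is being performed (hypothetical enum for this example).
enum PasswordChangeContext { SelfService, AdminResetInUsersSection, ContentFlyout, NewUserCreation }

// Mirrors the two membership provider attributes discussed in the thread.
sealed class ProviderSettings
{
    public bool EnablePasswordReset { get; set; }
    public bool AllowManuallyChangingPassword { get; set; }
}

static class PasswordPolicy
{
    // True when the caller must supply the target account's current password.
    public static bool RequiresCurrentPassword(ProviderSettings s, PasswordChangeContext ctx, bool actorIsAdmin)
    {
        // A user being created has no current password, so the field must not be mandatory.
        if (ctx == PasswordChangeContext.NewUserCreation) return false;

        // Hard reset is the only remaining route when both settings are false, and it is
        // limited to admins acting in the Users section (not the content-section fly-out).
        bool forgotPasswordUnavailable = !s.EnablePasswordReset && !s.AllowManuallyChangingPassword;
        if (ctx == PasswordChangeContext.AdminResetInUsersSection && actorIsAdmin && forgotPasswordUnavailable)
            return false;

        // Everywhere else the setting alone decides: false means the old password is required.
        return !s.AllowManuallyChangingPassword;
    }

    static void Main()
    {
        var locked = new ProviderSettings { EnablePasswordReset = false, AllowManuallyChangingPassword = false };
        foreach (PasswordChangeContext ctx in Enum.GetValues(typeof(PasswordChangeContext)))
        {
            bool asUser = RequiresCurrentPassword(locked, ctx, actorIsAdmin: false);
            bool asAdmin = RequiresCurrentPassword(locked, ctx, actorIsAdmin: true);
            Console.WriteLine($"{ctx,-26} user:{asUser,-5} admin:{asAdmin}");
        }
    }
}
```

With both settings false, the table shows the current password required for SelfService and ContentFlyout regardless of role, not required for AdminResetInUsersSection when the actor is an admin, and never required for NewUserCreation.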
Backwards Compatible: True
Due in version: 7.6.0
Sprint: Sprint 57
Story Points: 1