U4-7009 - Changing passwords design oversight

Created by Ferdy Hoefakker 24 Aug 2015, 07:46:21 Updated by Shannon Deminick 18 Apr 2017, 10:25:15

Subtask of: UAASSCRUM-810

By changing the enablePasswordReset and allowManuallyChangingPassword to false, you force a user to enter his current password when using the "Change password" dashboard feature.

However, the control in the actual user section seems to be the same control as the one on the dashboard. This is not a desired design as an administrator can no longer reset a user's password this way (since he doesn't know the current password).


Shannon Deminick 16 Mar 2017, 07:58:17

That is the entire purpose of allowManuallyChangingPassword, if you set this to false, then you must have the password to reset it if you have also set enablePasswordReset to false!

Jeffrey Schoemaker 17 Mar 2017, 12:09:40

@Shandem Hi Shannon, I agree with your comment but in a lot of our security pentests we always get the remark that a user should not have the possibility to change his password without entering his old password. That would require to set the setting to False => Great, we'll pass the pentest.

But if now an administrator that has access to the User-section wants to reset somebody's password because they forgot it, that is impossible because in the User-section you also have to specify the old password (which you don't know).

I think the current functionality works for the user, but it should have no impact on the User Section, where you (as an administrator) would never have to enter the old password.

Does that make sense?

Shannon Deminick 21 Mar 2017, 08:33:21

I guess if you have both enablePasswordReset="false" allowManuallyChangingPassword="false" specified, then sure I guess the only way to 'reset' or change the password would be to allow the admin to do it since they wouldn't be able to reset their password with the forgot password functionality.

Sebastiaan Janssen 21 Mar 2017, 08:47:22

Refers to: https://our.umbraco.org/forum/contributing-to-umbraco-cms/84681-umbraco-76-feedback#comment-268274

I tested this before beta and swear that I had the "reset password" checkbox but now I don't in the beta. So yes, if those conditions (enablePasswordReset="false" allowManuallyChangingPassword="false") are true then we should allow for a hard reset - but only for admins and only in the Users section, not in the fly-out in the content section. Also for resetting member passwords, by the way.

Sebastiaan Janssen 11 Apr 2017, 18:54:42

PR: https://github.com/umbraco/Umbraco-CMS/pull/1879

Asbjørn Riis-Knudsen 13 Apr 2017, 10:50:31

I ran into this when creating a new user. When allowManuallyChangingPassword="false" is set, it asks for the current password. Since the user is being created, there is no current password, yet the field is mandatory. So, in effect, I had to disable that setting to be able to set a password for a newly created user.
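
The rule this thread converges on, written as a server-side check. This is an added example, not code from Umbraco or from the linked PR: every type and member name is hypothetical, and treating an admin's own account as still requiring the current password is an assumption. Who may create users or open the Users section is a separate authorization check that the example does not cover.

```csharp
using System;

// All type and member names here are hypothetical; none are Umbraco APIs.
public enum PasswordContext { OwnAccountDashboard, UsersSectionExistingUser, UsersSectionNewUser }

public sealed class PasswordPolicy
{
    public bool EnablePasswordReset { get; set; }            // mirrors enablePasswordReset
    public bool AllowManuallyChangingPassword { get; set; }  // mirrors allowManuallyChangingPassword
}

public static class PasswordChangeRules
{
    // True when the server must verify the current password before accepting a new one.
    public static bool RequiresCurrentPassword(
        PasswordPolicy policy, PasswordContext context, bool actorIsAdmin, bool actorIsTarget)
    {
        // A user that is being created has no current password to verify.
        if (context == PasswordContext.UsersSectionNewUser) return false;

        // The setting explicitly permits changes without the old password.
        if (policy.AllowManuallyChangingPassword) return false;

        // Hard reset: only an admin, only in the Users section, only when both
        // settings are off. Excluding the admin's own account is an assumption
        // taken from the pentest remark, not something the thread decides.
        bool hardReset = context == PasswordContext.UsersSectionExistingUser
                         && actorIsAdmin && !actorIsTarget
                         && !policy.EnablePasswordReset;
        return !hardReset;
    }
}

public static class Demo
{
    public static void Main()
    {
        var strict = new PasswordPolicy { EnablePasswordReset = false, AllowManuallyChangingPassword = false };
        var cases = new (string Label, PasswordContext Ctx, bool Admin, bool Self)[]
        {
            ("editor, dashboard, own account", PasswordContext.OwnAccountDashboard, false, true),
            ("admin, dashboard, own account", PasswordContext.OwnAccountDashboard, true, true),
            ("admin, Users section, other user", PasswordContext.UsersSectionExistingUser, true, false),
            ("admin, Users section, new user", PasswordContext.UsersSectionNewUser, true, false),
        };
        foreach (var c in cases)
            Console.WriteLine($"{c.Label}: current password required = " +
                PasswordChangeRules.RequiresCurrentPassword(strict, c.Ctx, c.Admin, c.Self));
    }
}
```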

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.6.0

Sprint: Sprint 57

Story Points: 1