
Commit 928315f

f0sselkylecarbs
authored and committed
fix: allow admins to reset their own pass without old_password (#2222)
1 parent 8eaa853 commit 928315f


2 files changed

+9
-7
lines changed


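--- a/coderd/users.go
+++ b/coderd/users.go
@@ -384,7 +384,6 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW
 func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 var (
 user = httpmw.UserParam(r)
-apiKey = httpmw.APIKey(r)
 params codersdk.UpdateUserPasswordRequest
 )
 
@@ -410,10 +409,13 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 return
 }
 
-// we want to require old_password field if the user is changing their
-// own password. This is to prevent a compromised session from being able
-// to change password and lock out the user.
-if user.ID == apiKey.UserID {
+// admins can change passwords without sending old_password
+if params.OldPassword == "" {
+if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
+return
+}
+} else {
+// if they send something let's validate it
 ok, err := userpassword.Compare(string(user.HashedPassword), params.OldPassword)
 if err != nil {
 httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{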
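Review bot: The comment on the new branch, `// admins can change passwords without sending old_password`, understates what the code does: the gate is `api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String()))`, so any principal holding update on the target user may omit old_password, and the rationale the removed comment gave — old_password keeps a compromised session from rotating the password and locking the owner out — is now given up for every such caller, including an admin acting on their own account. Suggest keeping that trade-off visible in the comment, e.g. `// old_password may be omitted only by callers authorized to update this user (admins included).` followed by `// This forgoes the compromised-session protection that old_password gives self-service changes.`. Whether a non-admin updating another user's password is rejected before this point cannot be seen here, because the part of putUserPassword between the two hunks is outside the view, and the function continues past the second hunk.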

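--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -480,14 +480,14 @@ func TestUpdateUserPassword(t *testing.T) {
 })
 require.Error(t, err, "member should not be able to update own password without providing old password")
 })
-t.Run("AdminCantUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
+t.Run("AdminCanUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
 t.Parallel()
 client := coderdtest.New(t, nil)
 _ = coderdtest.CreateFirstUser(t, client)
 err := client.UpdateUserPassword(context.Background(), "me", codersdk.UpdateUserPasswordRequest{
 Password: "newpassword",
 })
-require.Error(t, err, "admin should not be able to update own password without providing old password")
+require.NoError(t, err, "admin should be able to update own password without providing old password")
 })
 }
 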
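Review bot: The flipped assertion, `require.NoError(t, err, ...)`, only checks that the request is accepted; it does not confirm the password was actually changed, so a handler that returned 200 without updating anything would still pass. A follow-up step that authenticates the first user with "newpassword" (and confirms the previous password no longer works) would pin the behaviour the commit title promises. The `require.Error` case for a member without old_password just above the renamed subtest still covers the negative path, assuming a member's role does not grant update on its own user resource, which that test's expectation implies but this hunk cannot show.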