SONAR-6468 Allow any user to change their own password
authorJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Wed, 20 May 2015 13:23:33 +0000 (15:23 +0200)
committerJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Tue, 26 May 2015 14:04:31 +0000 (16:04 +0200)
server/sonar-server/src/main/java/org/sonar/server/user/ws/ChangePasswordAction.java
server/sonar-server/src/test/java/org/sonar/server/user/ws/ChangePasswordActionTest.java

index e2d81b2bb70b362b0e3852ef490439a83dab6608..76d2d61596e07ea294934e0d020579cc4737b7ad 100644 (file)
@@ -44,7 +44,8 @@ public class ChangePasswordAction implements UsersWsAction {
   @Override
   public void define(WebService.NewController controller) {
     WebService.NewAction action = controller.createAction("change_password")
-      .setDescription("Update a user's password. Requires Administer System permission.")
+      .setDescription("Update a user's password. Authenticated users can change their own password, " +
+        "Administer System permission is required to change another user's password.")
       .setSince("5.2")
       .setPost(true)
       .setHandler(this);
@@ -62,9 +63,13 @@ public class ChangePasswordAction implements UsersWsAction {
 
   @Override
   public void handle(Request request, Response response) throws Exception {
-    userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
+    userSession.checkLoggedIn();
 
     String login = request.mandatoryParam(PARAM_LOGIN);
+    if (!login.equals(userSession.getLogin())) {
+      userSession.checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
+    }
+
     String password = request.mandatoryParam(PARAM_PASSWORD);
     UpdateUser updateUser = UpdateUser.create(login)
       .setPassword(password)
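Review bot: On the self-service path the caller is never asked to prove knowledge of the current password — once `userSession.checkLoggedIn()` passes and `login` equals the session login, the only input consumed is `request.mandatoryParam(PARAM_PASSWORD)`, so anyone holding a hijacked or unattended session (or able to forge this POST, if the endpoint has no separate CSRF defence) can silently replace the password and lock the real owner out. For the branch where `login.equals(userSession.getLogin())`, read a second mandatory parameter, e.g. `String previousPassword = request.mandatoryParam("previousPassword");`, verify it against the stored hash with the same check the login path uses, and only then build `UpdateUser`; the admin-on-behalf branch can keep skipping it. Whether the user's other active sessions should be invalidated after a successful change is worth deciding here too, though nothing visible in the hunk shows how sessions are tracked. `handle` continues past the end of this hunk, so any later checks in its body are not visible here.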
index ee6c1e4b1720cb6dffa816d0327ecc1a7bcb3817..092762c4e2ded43d7ade34edf2003f1a31caedcc 100644 (file)
@@ -136,6 +136,24 @@ public class ChangePasswordActionTest {
     assertThat(newPassword).isNotEqualTo(originalPassword);
   }
 
+  @Test
+  public void update_password_on_self() throws Exception {
+    createUser();
+    session.clearCache();
+    String originalPassword = dbClient.userDao().selectByLogin(session, "john").getCryptedPassword();
+
+    userSessionRule.login("john");
+    tester.newPostRequest("api/users", "change_password")
+      .setParam("login", "john")
+      .setParam("password", "Valar Morghulis")
+      .execute()
+      .assertNoContent();
+
+    session.clearCache();
+    String newPassword = dbClient.userDao().selectByLogin(session, "john").getCryptedPassword();
+    assertThat(newPassword).isNotEqualTo(originalPassword);
+  }
+
   private void createUser() {
     dbClient.userDao().insert(session, new UserDto()
       .setEmail("john@email.com")
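Review bot: The new authorization split has only its permissive half under test — `update_password_on_self` shows a non-admin changing their own password, but nothing in this hunk exercises the branch where a logged-in non-admin targets a different login, which is exactly the check that stops one user from resetting another's password. Unless a test outside this hunk already covers it, add a negative case that logs in as `john` and posts a change for another login, expecting the exception that `checkGlobalPermission` throws (the existing permission-failure test in this class, if there is one, shows the type to use; `ForbiddenException` below is a guess). The `createUser()` helper continues past the end of this hunk.
```java
@Test(expected = ForbiddenException.class)
public void fail_to_update_password_of_other_user_without_admin_permission() throws Exception {
  createUser();
  userSessionRule.login("john");
  tester.newPostRequest("api/users", "change_password")
    .setParam("login", "other-user")
    .setParam("password", "Valar Morghulis")
    .execute();
}
```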