@Override
public void define(WebService.NewController controller) {
WebService.NewAction action = controller.createAction("change_password")
- .setDescription("Update a user's password. Requires Administer System permission.")
+ .setDescription("Update a user's password. Authenticated users can change their own password, " +
+ "Administer System permission is required to change another user's password.")
.setSince("5.2")
.setPost(true)
.setHandler(this);
@Override
public void handle(Request request, Response response) throws Exception {
- userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
+ userSession.checkLoggedIn();
String login = request.mandatoryParam(PARAM_LOGIN);
+ if (!login.equals(userSession.getLogin())) {
+ userSession.checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
+ }
+
String password = request.mandatoryParam(PARAM_PASSWORD);
UpdateUser updateUser = UpdateUser.create(login)
.setPassword(password)
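Review bot: The self-service branch added at L15-L17 lets any logged-in session set a new password for its own login without proving knowledge of the current one, so anyone holding a hijacked or unattended session can lock the real user out; the admin path did not have this exposure because it was gated on Administer System. Consider requiring the current password in the `login.equals(userSession.getLogin())` case and verifying it against the stored hash before `UpdateUser.create(login)` is reached, leaving the admin-on-other-user path as it is. A one-line comment above the branch would also help the next reader, e.g. `// Users may change only their own password; changing another user's requires Administer System`. The body of `handle` continues past the end of this hunk, so the parts that persist the update are not visible here.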
assertThat(newPassword).isNotEqualTo(originalPassword);
}
+ @Test
+ public void update_password_on_self() throws Exception {
+ createUser();
+ session.clearCache();
+ String originalPassword = dbClient.userDao().selectByLogin(session, "john").getCryptedPassword();
+
+ userSessionRule.login("john");
+ tester.newPostRequest("api/users", "change_password")
+ .setParam("login", "john")
+ .setParam("password", "Valar Morghulis")
+ .execute()
+ .assertNoContent();
+
+ session.clearCache();
+ String newPassword = dbClient.userDao().selectByLogin(session, "john").getCryptedPassword();
+ assertThat(newPassword).isNotEqualTo(originalPassword);
+ }
+
private void createUser() {
dbClient.userDao().insert(session, new UserDto()
.setEmail("john@email.com")
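Review bot: The new test covers only the happy path of the authorization change; there is no test that a logged-in user without Administer System permission is refused when the `login` parameter names someone else, which is the branch the commit introduces. Without it a regression that drops the `checkGlobalPermission` call in the non-self branch would pass this suite. A second test logging in as a different, non-admin user and posting `login=john` should assert that the request is rejected; the exception type below is a placeholder for whatever `checkGlobalPermission` throws in this project.

```java
@Test(expected = ForbiddenException.class) // placeholder: the exception checkGlobalPermission throws here
public void fail_to_update_password_of_other_user_without_admin_permission() throws Exception {
  createUser();
  userSessionRule.login("other-user"); // constructed login; any non-admin session that is not "john"
  tester.newPostRequest("api/users", "change_password")
    .setParam("login", "john")
    .setParam("password", "Valar Morghulis")
    .execute();
}
```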