Commit 92bda0d

fix: allow admins to reset their own pass without old_password (coder#2222)
1 parent b7234a6 commit 92bda0d

2 files changed

+9
-7
lines changed


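--- a/coderd/users.go
+++ b/coderd/users.go
@@ -384,7 +384,6 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW
 func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 var (
 user = httpmw.UserParam(r)
-apiKey = httpmw.APIKey(r)
 params codersdk.UpdateUserPasswordRequest
 )
 
@@ -410,10 +409,13 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 return
 }
 
-// we want to require old_password field if the user is changing their
-// own password. This is to prevent a compromised session from being able
-// to change password and lock out the user.
-if user.ID == apiKey.UserID {
+// admins can change passwords without sending old_password
+if params.OldPassword == "" {
+if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
+return
+}
+} else {
+// if they send something let's validate it
 ok, err := userpassword.Compare(string(user.HashedPassword), params.OldPassword)
 if err != nil {
 httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{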
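Review bot: The new `if params.OldPassword == "" {` branch drops the binding between the target user and the caller's API key (`apiKey` is removed from the var block), so a compromised session of an administrator can now rotate that administrator's own password without knowing it — the exact lockout scenario the deleted comment described, now applying to the most privileged accounts. The commit title makes this a deliberate convenience, but the replacement comment `// admins can change passwords without sending old_password` does not record the cost; I would expand it to say that the RBAC check on `rbac.ResourceUser.WithID(user.ID.String())` is now the only control, that it also covers the caller's own account, and that a stolen admin session can therefore lock the admin out. If the convenience is only needed for resetting other users' passwords, keeping `apiKey` and taking the no-old-password path only when `user.ID != apiKey.UserID` (rejecting an empty old_password on a self-change, as the removed code did) would retain the protection where it matters most. I cannot tell from the hunk whether the `else` branch, which compares against the target user's hash, is preceded by an authorization check on the target user, since lines 391-409 are not shown; putUserPassword's body also continues past the hunk.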

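--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -480,14 +480,14 @@ func TestUpdateUserPassword(t *testing.T) {
 })
 require.Error(t, err, "member should not be able to update own password without providing old password")
 })
-t.Run("AdminCantUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
+t.Run("AdminCanUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
 t.Parallel()
 client := coderdtest.New(t, nil)
 _ = coderdtest.CreateFirstUser(t, client)
 err := client.UpdateUserPassword(context.Background(), "me", codersdk.UpdateUserPasswordRequest{
 Password: "newpassword",
 })
-require.Error(t, err, "admin should not be able to update own password without providing old password")
+require.NoError(t, err, "admin should be able to update own password without providing old password")
 })
 }
 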
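Review bot: The flipped assertion `require.NoError(t, err, "admin should be able to update own password without providing old password")` only exercises the allow side of the new RBAC branch; nothing in this hunk pins the deny side, i.e. that a caller without update rights on the target user who omits old_password is refused. The surviving member case at old line 481 asserts only on the member's own password, not on another user's account, so the authorization check that now replaces the self-change guard has no negative test. I would add a subtest named `MemberCantUpdateOtherUserPasswordWithoutOldPassword` that creates a second user through the admin client using the existing coderdtest helpers, then calls `UpdateUserPassword` as that member against the other user's ID with only `Password` set and asserts `require.Error`. TestUpdateUserPassword starts outside the hunk, so I cannot see whether such a case already exists above line 480.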