From 6a4b436d4740bc8bd8f059a797ff5756c104969f Mon Sep 17 00:00:00 2001
From: Garrett
Date: Thu, 9 Jun 2022 23:41:06 +0000
Subject: [PATCH] fix: allow admins to reset their own pass without old_password

---
 coderd/users.go      | 12 +++++++-----
 coderd/users_test.go |  4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/coderd/users.go b/coderd/users.go
index f892262e21ee6..37cab2cd394c2 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -384,7 +384,6 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW
 func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 	var (
 		user   = httpmw.UserParam(r)
-		apiKey = httpmw.APIKey(r)
 		params codersdk.UpdateUserPasswordRequest
 	)
@@ -410,10 +409,13 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
-	// we want to require old_password field if the user is changing their
-	// own password. This is to prevent a compromised session from being able
-	// to change password and lock out the user.
-	if user.ID == apiKey.UserID {
+	// admins can change passwords without sending old_password
+	if params.OldPassword == "" {
+		if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
+			return
+		}
+	} else {
+		// if they send something let's validate it
 		ok, err := userpassword.Compare(string(user.HashedPassword), params.OldPassword)
 		if err != nil {
 			httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
diff --git a/coderd/users_test.go b/coderd/users_test.go
index dffc535a24044..c1ec00fd97378 100644
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
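Review bot: Removing the `user.ID == apiKey.UserID` guard makes the `else` branch verify `params.OldPassword` against whichever user the URL names rather than only the caller's own account, so anyone who reaches this handler for another user can submit guesses and learn from the response whether each one is that user's current password. Whether an earlier authorization check (outside the hunk) restricts who reaches this point for a non-self target is not visible here; even when only admins get this far, the endpoint has become an online password-verification oracle that the old self-check prevented, and the `OldPassword == ""` branch is the only path that consults `api.Authorize` at all. Keep `apiKey = httpmw.APIKey(r)`, run the compare only for the caller's own account, and send every other case through `api.Authorize`, as sketched below; members without `ActionUpdate` on `ResourceUser` would still be rejected when they omit old_password, which is what the test above this hunk expects. The removed comment also carried the threat model (a compromised session rotating the password and locking the user out); the replacement should say that this is now knowingly accepted for admin sessions, e.g. `// Admins may change any password, including their own, without old_password; this accepts that a hijacked admin session can rotate the password. Non-admin self-changes still require old_password.` putUserPassword's body continues past the end of the hunk.
```go
	apiKey := httpmw.APIKey(r)
	// old_password is only meaningful for the caller's own account; never
	// verify it against another user's hash, as that leaks whether a guess
	// is correct.
	if user.ID == apiKey.UserID && params.OldPassword != "" {
		ok, err := userpassword.Compare(string(user.HashedPassword), params.OldPassword)
		// … unchanged: error handling and mismatch response …
	} else if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
		return
	}
```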
@@ -480,14 +480,14 @@ func TestUpdateUserPassword(t *testing.T) {
 		})
 		require.Error(t, err, "member should not be able to update own password without providing old password")
 	})
-	t.Run("AdminCantUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
+	t.Run("AdminCanUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 		_ = coderdtest.CreateFirstUser(t, client)
 		err := client.UpdateUserPassword(context.Background(), "me", codersdk.UpdateUserPasswordRequest{
 			Password: "newpassword",
 		})
-		require.Error(t, err, "admin should not be able to update own password without providing old password")
+		require.NoError(t, err, "admin should be able to update own password without providing old password")
 	})
 }
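Review bot: The flipped assertion pins only the admin happy path; nothing covers the other behaviour the handler change introduces, namely that a request carrying `OldPassword` for a target other than the caller is now validated against that target's hash. Add a subtest along the lines of `MemberCantUpdateOtherUserPasswordWithOldPassword` that creates a second user with whatever helper this file uses for that, sends `UpdateUserPasswordRequest{OldPassword: "wrong", Password: "newpassword"}` against the other user's ID, and asserts `require.Error`, so the "old_password is only for your own account" contract is enforced by the suite rather than by reading the handler. A companion `AdminCantUpdateOwnPasswordWithWrongOldPassword` case would also pin that an admin who does supply old_password is still held to it. TestUpdateUserPassword begins before this hunk.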