Details

    • Complexity:
      Low
    • Sprint:
      Sprint 2, Platform 2.0 Beta - RESTWS 1

      Description

When a user is updated via REST, the user resource only saves the user account and does not actually change the password when one is specified.
The quick fix would be to validate the password using OpenmrsUtil.validatePassword and then call UserService.changePassword after saving the user, if the password is not blank. This should only be allowed if the authenticated user is the same user whose password is being changed.

Preferably the validation logic should be added wherever the rest module does its validation, so that the errors get sent back in the response, i.e. check that the resource is of type UserAndPassword and then validate the password.

      Dev Notes

When a new user is getting created, we need to call saveUser(User, password), which was changed to saveUser(User) in 2.0, and you need to add oldPassword and secretAnswer fields to the UserAndPassword class.
When updating the user password, the user needs to provide their oldPassword or secretAnswer. Override the update method in UserResource1_8 and check if the password field is present; if it is, change the user's password. You might need to include some restrictions to avoid brute force attacks. You might need a new override for the 2.0 sub project, since the changePassword methods might vary.
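The override described in the Dev Notes, written out as an added example. This is not code from the OpenMRS REST module; it assumes the OpenMRS 1.x API the notes name (OpenmrsUtil.validatePassword, UserService.changePassword, Context.getAuthenticatedUser, the update(uuid, SimpleObject, RequestContext) signature of the module's delegating resources, and the wrapper class being called UserAndPassword as in this ticket). The oldPassword/secretAnswer properties, the IllegalPropertyException mapping, and the in-memory failed-attempt counter are illustrative assumptions.

```java
package org.openmrs.module.webservices.rest.web.v1_0.resource.openmrs1_8;

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.commons.lang.StringUtils;
import org.openmrs.User;
import org.openmrs.api.APIAuthenticationException;
import org.openmrs.api.APIException;
import org.openmrs.api.PasswordException;
import org.openmrs.api.UserService;
import org.openmrs.api.context.Context;
import org.openmrs.module.webservices.rest.SimpleObject;
import org.openmrs.module.webservices.rest.web.RequestContext;
import org.openmrs.module.webservices.rest.web.resource.impl.MetadataDelegatingCrudResource;
import org.openmrs.module.webservices.rest.web.response.IllegalPropertyException;
import org.openmrs.module.webservices.rest.web.response.ResponseException;
import org.openmrs.util.OpenmrsUtil;
import org.openmrs.util.PrivilegeConstants;

// Added example (assumed base class and wrapper name); not the module's own code.
public class UserResource1_8 extends MetadataDelegatingCrudResource<UserAndPassword> {

    // Illustrative brute-force limit (assumption). A real deployment would persist the
    // counter per user and expire it, so a restart or a second node cannot reset it.
    private static final int MAX_FAILED_ATTEMPTS = 5;
    private static final ConcurrentHashMap<String, AtomicInteger> FAILED_ATTEMPTS =
            new ConcurrentHashMap<String, AtomicInteger>();

    @Override
    public Object update(String uuid, SimpleObject propertiesToUpdate, RequestContext context)
            throws ResponseException {
        // Take the credential properties out before the generic property copy, so they
        // are never written onto the User bean and never echoed back in the response.
        String newPassword = (String) propertiesToUpdate.remove("password");
        String oldPassword = (String) propertiesToUpdate.remove("oldPassword");
        String secretAnswer = (String) propertiesToUpdate.remove("secretAnswer");

        Object result = super.update(uuid, propertiesToUpdate, context);

        if (StringUtils.isNotBlank(newPassword)) {
            changePassword(uuid, newPassword, oldPassword, secretAnswer);
        }
        return result;
    }

    private void changePassword(String uuid, String newPassword, String oldPassword, String secretAnswer) {
        User authenticated = Context.getAuthenticatedUser();
        // Only the owner of the account may change its password through this path.
        if (authenticated == null || !uuid.equals(authenticated.getUuid())) {
            throw new APIAuthenticationException("Only the owner of an account can change its password");
        }

        FAILED_ATTEMPTS.putIfAbsent(uuid, new AtomicInteger());
        AtomicInteger attempts = FAILED_ATTEMPTS.get(uuid);
        if (attempts.get() >= MAX_FAILED_ATTEMPTS) {
            throw new APIAuthenticationException("Too many failed password change attempts");
        }

        // Validate the new password first so a policy violation is reported as a bad
        // property rather than surfacing as a server error after the user was saved.
        try {
            OpenmrsUtil.validatePassword(authenticated.getUsername(), newPassword, authenticated.getSystemId());
        } catch (PasswordException e) {
            throw new IllegalPropertyException(e.getMessage());
        }

        // Proof of possession: the current password, or the configured secret answer.
        UserService userService = Context.getUserService();
        try {
            if (StringUtils.isNotBlank(oldPassword)) {
                // The two-argument form verifies the old password for the authenticated user.
                userService.changePassword(oldPassword, newPassword);
            } else if (StringUtils.isNotBlank(secretAnswer) && userService.isSecretAnswer(authenticated, secretAnswer)) {
                // The User-based form needs the edit-passwords privilege, granted only for this call.
                Context.addProxyPrivilege(PrivilegeConstants.EDIT_USER_PASSWORDS);
                try {
                    userService.changePassword(authenticated, newPassword);
                } finally {
                    Context.removeProxyPrivilege(PrivilegeConstants.EDIT_USER_PASSWORDS);
                }
            } else {
                throw new APIException("oldPassword or secretAnswer is required to change the password");
            }
        } catch (APIException e) {
            // Count every failed proof of possession against the limit before re-raising.
            attempts.incrementAndGet();
            throw e;
        }
        FAILED_ATTEMPTS.remove(uuid);
    }
}
```

Note that the failed-attempt counter only throttles guesses of oldPassword and secretAnswer made through this endpoint; the login lockout in the core authentication path is separate, and the two should use the same threshold so the REST path does not become the weaker one.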


People

• Assignee: wyclif Wyclif Luyima
• Reporter: wyclif Wyclif Luyima
• Votes: 1
• Watchers: 7


Time Tracking

• Estimated: Original Estimate - 2h
• Remaining: Remaining Estimate - 2h
• Logged: Time Spent - Not Specified