  1. Webservices REST Module
  2. RESTWS-885

Reset password REST endpoint requires privileges



    • Bug
    • Status: Code Review (Initial)
    • Should
    • Resolution: Unresolved


      I may be doing something wrong, but it seems to me that the REST endpoint added to allow a user to request a password reset will fail due to lack of privileges.

      This endpoint allows posting a username or email address to /passwordreset, with the objective of looking up an existing user by username or email, generating an activation key, assigning it to that user, and then emailing a link to that user's email address to use to perform the reset.

      However, this function would typically be accessed by unauthenticated users, who are trying to reset their passwords to enable them to log in. Specifically, it seems that the GET_USERS privilege is required by the UserService API in order to be able to look up a user by username or email. There may be further privileges required in addition to this.

      dkayiwa - am I doing something wrong?

      In the end, we are using the API directly with our own custom pages/controllers that utilize Proxy Privileges to get around this issue, but I'd be interested in either fixing this or learning how it is intended to be used with improved documentation.

      burke and mogoodrich FYI





              abertnamanya Namanya Abert
              mseaton Mike Seaton
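The proxy-privilege workaround mentioned in the description, sketched as an added example; this is not code from the issue, the reporter, or the REST module. The class and method names are hypothetical, and it assumes an OpenMRS core version whose UserService provides getUserByUsernameOrEmail.

```java
import org.openmrs.User;
import org.openmrs.api.context.Context;
import org.openmrs.util.PrivilegeConstants;

/**
 * Hypothetical helper for a password-reset request made by an
 * unauthenticated caller. Illustrative only; not part of the REST module.
 */
public class PasswordResetLookup {

    /**
     * Looks up the account named in a reset request.
     *
     * @param usernameOrEmail value posted by the caller
     * @return the matching user, or null when the input is blank or nothing matches
     */
    public static User findUserForReset(String usernameOrEmail) {
        if (usernameOrEmail == null || usernameOrEmail.trim().isEmpty()) {
            return null;
        }

        // Without this, the lookup fails for an unauthenticated caller,
        // because the UserService lookup requires GET_USERS.
        // Grant only that one privilege, not a broad set.
        Context.addProxyPrivilege(PrivilegeConstants.GET_USERS);
        try {
            return Context.getUserService()
                    .getUserByUsernameOrEmail(usernameOrEmail.trim());
        } finally {
            // Remove the proxy privilege even when the lookup throws, so the
            // elevation does not carry over into code that runs afterwards.
            Context.removeProxyPrivilege(PrivilegeConstants.GET_USERS);
        }
    }

    // The later steps in the flow (assigning the activation key, sending the
    // email) may need further privileges. The issue does not list them, so
    // none are granted here; each such call would get its own add/remove pair
    // scoped the same way, using the privilege that service method requires.
}
```

Keeping the elevated section to the single service call limits what an unauthenticated request can reach while the proxy privilege is active.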