- Bug Report
- Resolution: Unresolved
- L3 - Default
- None
- 7.11.20, 7.14.5, 7.13.11, 7.12.17, 7.15.0-alpha4
Environment (Required on creation):
Camunda 7.14.0
Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):
Newly registered users cannot change their password using the Welcome web application. Password validation (against the password policy) always returns an error: the password is not valid. In the Chrome developer console it can be seen that, on password validation, the server returns 401 (not authorized), because the user does not have the CREATE permission for the object type User. This is expected: an ordinary user must not have permission to create new users.
Steps to reproduce (Required on creation):
- Enable Authorization and Password Policy:
    camunda.bpm:
      generic-properties:
        properties:
          enable-password-policy: true
      authorization.enabled: true
- Register a new user in Camunda Admin.
- Log in with this user to the Welcome application.
- Try to set a new password for this user.
Observed Behavior (Required on creation):
Password validation (against the password policy) always returns an error: the password is not valid.
Expected behavior (Required on creation):
When a correct password is provided (one that conforms to the password policy), password validation must succeed.
Root Cause (Required on prioritization):
The root cause is the class org.camunda.bpm.engine.rest.impl.IdentityRestServiceImpl and, in particular, the method below. This method attempts to create a new user during password validation, which triggers the CREATE authorization check on User and leads to the problem described:
    @Override
    public Response checkPassword(PasswordPolicyRequestDto dto) {
      ...
      User user = null;
      UserProfileDto profileDto = dto.getProfile();
      if (profileDto != null) {
        ...
        // newUser() requires CREATE on resource USER, which an ordinary user does not have
        user = identityService.newUser(id);
        user.setFirstName(profileDto.getFirstName());
        user.setLastName(profileDto.getLastName());
        user.setEmail(profileDto.getEmail());
        ...
      }
      ...
    }
Solution Ideas (Optional):
Instead of creating a new user, a lookup of the existing one should suffice, like this:
    ...
    User user = null;
    UserProfileDto profileDto = dto.getProfile();
    if (profileDto != null) {
      ...
      // <patch>
      // a query only needs READ on the user's own record, not CREATE on USER
      user = identityService.createUserQuery().userId(id).singleResult();
      // </patch>
      ...
    }
    ...
  }
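To see the same authorization difference at the engine API level, here is an added example (not code from the Camunda project or from this report): it boots an in-memory engine with authorization enabled, grants an ordinary user only READ on her own record, and shows that newUser() is rejected while the user-query lookup from the solution idea succeeds. It assumes camunda-engine and H2 are on the classpath; the class name and the user data are constructed for the demo.

```java
import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.User;

// Hypothetical class name; assumes camunda-engine and H2 on the classpath.
public class NewUserVsLookupDemo {
  public static void main(String[] args) {
    ProcessEngine engine = ProcessEngineConfiguration
        .createStandaloneInMemProcessEngineConfiguration()
        .setAuthorizationEnabled(true)
        .buildProcessEngine();
    IdentityService identityService = engine.getIdentityService();
    AuthorizationService authorizationService = engine.getAuthorizationService();

    // No authenticated user yet, so authorization checks are skipped: set up "alice".
    User alice = identityService.newUser("alice");
    alice.setPassword("Initial-Pa55word"); // constructed sample value
    identityService.saveUser(alice);

    // Grant alice READ on her own user record only; deliberately no CREATE on USER.
    Authorization grant = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    grant.setUserId("alice");
    grant.setResource(Resources.USER);
    grant.setResourceId("alice");
    grant.addPermission(Permissions.READ);
    authorizationService.saveAuthorization(grant);

    // Now act as alice, as the REST layer does for a logged-in Welcome user.
    identityService.setAuthenticatedUserId("alice");
    try {
      identityService.newUser("alice"); // what checkPassword() currently does
      System.out.println("newUser: allowed");
    } catch (AuthorizationException e) {
      System.out.println("newUser: rejected (" + e.getMessage() + ")");
    }
    // The lookup from the solution idea needs only READ and returns the existing user.
    User found = identityService.createUserQuery().userId("alice").singleResult();
    System.out.println("lookup: " + (found == null ? "null" : found.getId()));

    identityService.clearAuthentication();
    engine.close();
  }
}
```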