[CAM-13190] Cannot update password with password policy enabled

    • Bug Report
    • Resolution: Unresolved
    • L3 - Default
    • None
    • 7.11.20, 7.14.5, 7.13.11, 7.12.17, 7.15.0-alpha4
    • engine

      Environment (Required on creation):

      Camunda 7.14.0

      Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):

      Newly registered users cannot change their password with the help of the Welcome web application. Password validation (according to password policy) always returns an error - password is not valid. In Chrome debug console it is possible to see that on password validation, the server returns 401 (not authorized error) since the user does not have CREATE permission for object type User. This is expected - an ordinary user must not have permissions to create new users.

      Steps to reproduce (Required on creation):

      1. Enable Authorization and Password Policy:
        camunda.bpm:
          generic-properties:
            properties:
              enable-password-policy: true
          authorization.enabled: true
        
      2. Register a new user in Camunda Admin.
      3. Log in with this user to the Welcome application.
      4. Try to set a new password for this user.

      Observed Behavior (Required on creation):

      Password validation (according to password policy) always returns an error - password is not valid.

      Expected behavior (Required on creation):

      When a correct password is provided (one which conforms to the password policy), password validation must be successful.

      Root Cause (Required on prioritization):

      The root cause is the class org.camunda.bpm.engine.rest.impl.IdentityRestServiceImpl, in particular the method below. In this method there is an attempt to create a new user during the password validation, which leads to the problem described:

      @Override
      public Response checkPassword(PasswordPolicyRequestDto dto) {
        ...
        User user = null;
        UserProfileDto profileDto = dto.getProfile();
        if (profileDto != null) {
          ...
          // newUser() is the call that requires CREATE permission on User
          user = identityService.newUser(id);
          user.setFirstName(profileDto.getFirstName());
          user.setLastName(profileDto.getLastName());
          user.setEmail(profileDto.getEmail());
          ...
        }
        ...
      }
      

      Solution Ideas (Optional):

      Instead of creating a new user, a lookup of an existing one could suffice, like this:

        ...
        User user = null;
        UserProfileDto profileDto = dto.getProfile();
        if (profileDto != null) {
          ...
          // <patch>
          user = identityService.createUserQuery().userId(id).singleResult();
          // </patch>
          ...
        }
        ...
      }
      

      Hints (Optional):
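
Added example, not part of the original ticket and not Camunda code: a self-contained Java model of the root cause and the solution idea described above, showing that the `newUser` path fails on authorization before any policy rule is evaluated. `IdentityService`, `findUser`, the toy policy and the sample user are hypothetical stand-ins, not the engine's API.

```java
import java.util.*;

public class PasswordCheckAuthzDemo {
  // Hypothetical stand-ins for the engine's identity service; not Camunda code.
  static class AuthorizationException extends RuntimeException {
    AuthorizationException(String m) { super(m); }
  }
  record User(String id, String firstName) {}

  static class IdentityService {
    final Map<String, User> users = new HashMap<>();
    final Set<String> createGranted = new HashSet<>(); // ids holding CREATE on User
    String authenticatedUserId;

    // Factory for new users: gated on CREATE, as the ticket describes.
    User newUser(String id) {
      if (!createGranted.contains(authenticatedUserId))
        throw new AuthorizationException(authenticatedUserId + " lacks CREATE on User");
      return new User(id, null);
    }
    // Read-only lookup; returns null when no user matches.
    User findUser(String id) { return users.get(id); }
  }

  // Toy policy (assumption): at least 10 chars and must not contain the user id.
  static boolean conformsToPolicy(String password, User user) {
    return password.length() >= 10 && (user == null || !password.contains(user.id()));
  }

  // Validation as in the ticket's root cause: builds the profile via newUser().
  static boolean checkPasswordViaNewUser(IdentityService ids, String id, String pw) {
    return conformsToPolicy(pw, ids.newUser(id));
  }
  // Validation as in the ticket's solution idea: looks the existing user up.
  static boolean checkPasswordViaLookup(IdentityService ids, String id, String pw) {
    return conformsToPolicy(pw, ids.findUser(id));
  }

  public static void main(String[] args) {
    IdentityService ids = new IdentityService();
    ids.users.put("alice", new User("alice", "Alice")); // constructed sample user
    ids.authenticatedUserId = "alice";                   // ordinary user, no CREATE
    String pw = "c0rrect-horse-battery";                 // conforms to the toy policy
    try {
      checkPasswordViaNewUser(ids, "alice", pw);
    } catch (AuthorizationException e) {
      System.out.println("newUser path: rejected before any policy rule ran: " + e.getMessage());
    }
    System.out.println("lookup path: valid = " + checkPasswordViaLookup(ids, "alice", pw));
  }
}
```

The lookup path hands the policy a null user when the id matches nobody, so a policy rule that reads the profile has to tolerate that case.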


            Martin Stamm added a comment:

            Hi Nesterenko,

            thank you for opening this Bug Ticket and making us aware of it. I adjusted the ticket description slightly to make it easier to follow and reproduce. We can confirm the bug and will now decide how we continue with it.

            As you already have a proposed code solution, we want to encourage you to make a code contribution by opening a Pull Request at https://github.com/camunda/camunda-bpm-platform

            Cheers
            Martin

            Tobias Metzke-Bernstein added a comment:

            Hi Nesterenko,

            thanks again for pointing us to this issue. We will consider it in our future roadmap planning in order to fix this bug.
            In the meantime, if you would like to move forward with this already and speed up the process, we encourage you to open a PR as Martin already mentioned in the previous comment.

            Thanks again and best regards,
            Tobias

            Thorben Lindhauer added a comment:

            This ticket was migrated to github: https://github.com/camunda/camunda-bpm-platform/issues/2485. Please use this link for any future references and continue any discussion there.

              Unassigned
              Nesterenko Alexey