Option to disable password change for external users

OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.

https://orchardcore.net

BSD 3-Clause "New" or "Revised" License

7.35k stars 2.37k forks source link

Option to disable password change for external users #9713

Open jptissot opened 3 years ago

jptissot commented 3 years ago

If you create an account with Azure AD (or any other external provider) with the Do not create local password for external user option set to true and enable the Change Password feature.

The change password link is visible in TheTheme and the ChangePassword form is displayed but when you try to fill it and you don't have a local password, you get presented with the following error.

What should we do in this case?

hide this form and menu item?
Transform the form into a "Create a local password" form if the Allow registration option is set ?

MichaelPetrinolis commented 3 years ago

I wouldn't characterize it a bug, it is the designed behavior.

[x] As an admin, I want to disable external users from setting a local password
[x] As a user, I want to register with my external credentials without creating a password and we need
[ ] As an admin, I want to allow users without local password to create one
[ ] As a user, I want to set a local password for my account

I suggest to add an admin option to allow external users to set a password. And preferably, If reset password is enabled send a link to reset his password otherwise allow changing password without requiring the existing one.