camunda / camunda-bpm-platform

Flexible framework for workflow and decision automation with BPMN and DMN. Integration with Quarkus, Spring, Spring Boot, CDI.
https://camunda.com/
Apache License 2.0

Cannot update password with password policy enabled #2485

Open ThorbenLindhauer opened 3 years ago

ThorbenLindhauer commented 3 years ago

This issue was imported from JIRA:

| Field | Value |
| --- | --- |
| JIRA Link | CAM-13190 |
| Reporter | 2W2yRba (pseudonym generated from the JIRA user name) |
| Has restricted visibility comments | true |

Environment (Required on creation):

Camunda 7.14.0

Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):

Newly registered users cannot change their password with the help of the Welcome web application. Password validation (according to password policy) always returns an error - password is not valid. In Chrome debug console it is possible to see that on password validation, the server returns 401 (not authorized error) since the user does not have CREATE permission for object type User. This is expected - an ordinary user must not have permissions to create new users.

Steps to reproduce (Required on creation):

1. Enable Authorization and Password Policy:

   ```yaml
   camunda.bpm:
     generic-properties:
       properties:
         enable-password-policy: true
     authorization.enabled: true
   ```

2. Register a new user in Camunda Admin.
3. Login with this user to Welcome application.
4. Try to set new password for this user.

Observed Behavior (Required on creation):

Password validation (according to password policy) always returns an error - password is not valid.

Expected behavior (Required on creation):

When correct password is provided (which conforms to Password policy), password validation must be successful.

Root Cause (Required on prioritization):

Root cause is class org.camunda.bpm.engine.rest.impl.IdentityRestServiceImpl, and, particularly, method below. In this method there is an attempt to create a new user during the password validation, which leads to the problem described:

```java
@Override
public Response checkPassword(PasswordPolicyRequestDto dto) {
  ...
  User user = null;
  UserProfileDto profileDto = dto.getProfile();
  if (profileDto != null) {
    ...
    user = identityService.newUser(id);
    user.setFirstName(profileDto.getFirstName());
    user.setLastName(profileDto.getLastName());
    user.setEmail(profileDto.getEmail());
    ...
  }
  ...
}
```

Solution Ideas (Optional):

Instead of creating a new user, a lookup of an existing one could suffice, like this:

```java
  ...
  User user = null;
  UserProfileDto profileDto = dto.getProfile();
  if (profileDto != null) {
    ...
    // <patch>
    user = identityService.createUserQuery().userId(id).singleResult();
    // </patch>
    ...
  }
  ...
}
```

Hints (Optional):

Links:
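To make the root cause concrete, here is an added JUnit reproduction of the engine-level behaviour the ticket describes. It is my own sketch, not code from the ticket or from the Camunda repository; it assumes camunda-engine 7.14 with H2 on the classpath, and the user id `alice` and the candidate password are made up.

```java
// Added reproduction sketch, not part of the ticket or the Camunda code base.
// Assumes camunda-engine 7.14 + H2 on the classpath; "alice" and the password are made up.
import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.identity.PasswordPolicyResult;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.*;

class PasswordPolicyAuthorizationTest {

  @Test
  void ordinaryUserCannotCreateUserButCanReadOwnProfile() {
    ProcessEngineConfigurationImpl cfg = (ProcessEngineConfigurationImpl)
        ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
    cfg.setAuthorizationEnabled(true);   // same as authorization.enabled: true
    cfg.setEnablePasswordPolicy(true);   // same as enable-password-policy: true
    cfg.setJobExecutorActivate(false);
    ProcessEngine engine = cfg.buildProcessEngine();
    IdentityService identityService = engine.getIdentityService();

    // Setup with no authenticated user: authorization checks are skipped, like an admin in Camunda Admin.
    User alice = identityService.newUser("alice");
    alice.setFirstName("Alice");
    identityService.saveUser(alice);

    // Now act as the freshly registered user, which is what the Welcome app does.
    identityService.setAuthenticatedUserId("alice");

    // 1. What IdentityRestServiceImpl.checkPassword does: build a throw-away User via newUser().
    //    CreateUserCmd checks CREATE on resource USER, which an ordinary user does not hold.
    assertThrows(AuthorizationException.class, () -> identityService.newUser("alice"));

    // 2. The proposed fix: look the existing user up instead. Creating a user grants that user
    //    permissions on her own User resource, so the query returns her own profile.
    User existing = identityService.createUserQuery().userId("alice").singleResult();
    assertNotNull(existing);

    // 3. With a real User object the policy check itself succeeds for a compliant candidate.
    PasswordPolicyResult result =
        identityService.checkPasswordAgainstPolicy("Str0ng!Passw0rd", existing);
    assertTrue(result.isValid());

    identityService.clearAuthentication();
    engine.close();
  }
}
```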

ThorbenLindhauer commented 3 years ago

This comment was imported from JIRA and written by user @marstamm


Hi 2W2yRba,

thank you for opening this Bug Ticket and making us aware of it. I adjusted the ticket description slightly to make it easier to follow and reproduce. We can confirm the bug and will now decide how we continue with it.

As you already have a proposed code solution, we want to encourage you to make a code contribution by opening a Pull Request at https://github.com/camunda/camunda-bpm-platform

Cheers, Martin

ThorbenLindhauer commented 3 years ago

This comment was imported from JIRA and written by user @tmetzke


Hi 2W2yRba,

thanks again for pointing us to this issue. We will consider it in our future roadmap planning in order to fix this bug. In the meantime, if you would like to move forward with this already and speed up the process, we encourage you to open a PR as Martin already mentioned in the previous comment.

Thanks again and best regards, Tobias