Details
- New Feature
- Status: Closed
- Normal
- Resolution: Fixed
Description
In the CMS application, a logged-in (non-external) user can change their password, as implemented in the ChangePasswordShortcutPlugin.
Furthermore, when a user's password is about to expire, a warning is shown in the dashboard.
Finally, if a user's password has expired, the user will no longer be allowed to log in.
The current implementation, however, uses the CMS Admin perspective User object, which has/requires read access to the repository user as well as the security configuration.
That is fine/needed (for now) within the CMS Admin perspective itself, but should be unnecessary for a regular user, and it currently requires additional security domain configuration to allow this.
To simplify the security domain configuration for this, a new ChangePasswordManager will be added to the RepositorySecurityManager (see: REPO-2253), replacing the direct read access needed by the ChangePasswordShortcutPlugin and the PasswordValidator implementations!
The ChangePasswordManager will provide the same / similar logic currently provided by the CMS Admin User object, but only for the currently logged-in user.
And, like the other managers provided by the RepositorySecurityManager, it will make use of their shared system session to perform its tasks (thus not needing additional security domain access configuration).
The ChangePasswordManager can be accessed for the current HippoSession as follows:
hippoSession.getWorkspace().getSecurityManager().getChangePasswordManager()
Note: only regular users are allowed to change their password, e.g. users for which the following is not true:
HippoSession.isSystemUser() || HippoSession.getUser().isSystemUser() || HippoSession.getUser().isExternal()
otherwise an AccessDeniedException will be thrown when trying to retrieve the ChangePasswordManager.
Issue Links
- is a result of: CMS-12201 Adding a dedicated security domain to allow users to (only) modify their own user node. (Closed)