old password validation on change password flow #15202

defelmnq · 2024-10-23T18:21:05Z

The flow allowing users to change their current password is missing the part validating that the old password is indeed the correct one.

There's two logic :

One, as an admin, allowing me to change the password of any user. This one is used to reset, as an admin, the password of a user when this one forget it.
One, as a regular user, allowing me to change my password. This flow is done from your settings page and requires you to know your current password.

The logic is here.

Working on #15202 The main change is to fetch the user doing the action to verify if it should be able to change the password if there's no old_password set.

defelmnq · 2024-10-28T23:53:40Z

Fixed ✅

coder-labeler bot added the bug risk Prone to bugs label Oct 23, 2024

defelmnq mentioned this issue Oct 23, 2024

fix: improve password validation flow #15132

Merged

defelmnq self-assigned this Oct 24, 2024

defelmnq mentioned this issue Oct 24, 2024

fix(coderd): improve password update logic #15210

Merged

coadler removed the bug risk Prone to bugs label Oct 24, 2024

defelmnq added a commit that referenced this issue Oct 24, 2024

fix(coderd): improve password update logic (#15210)

e566872

Working on #15202 The main change is to fetch the user doing the action to verify if it should be able to change the password if there's no old_password set.

defelmnq closed this as completed Oct 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

old password validation on change password flow #15202

old password validation on change password flow #15202

defelmnq commented Oct 23, 2024

defelmnq commented Oct 28, 2024

old password validation on change password flow #15202

old password validation on change password flow #15202

Comments

defelmnq commented Oct 23, 2024

defelmnq commented Oct 28, 2024