From 6fb7ce78ab43136009e9e99aa171189cb2a74c14 Mon Sep 17 00:00:00 2001
From: Matt Ward
Date: Thu, 24 Nov 2016 16:58:55 +0000
Subject: [PATCH] REPO-1627: oldPassword/password validation improvement
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@133094 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 source/java/org/alfresco/rest/api/impl/PeopleImpl.java | 4 ++++
 source/test-java/org/alfresco/rest/api/tests/TestPeople.java | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
index 3b2803e43f..411b978acc 100644
--- a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -519,6 +519,10 @@ public class PeopleImpl implements People
 // The user is not an admin user and is not attempting to update *their own* details.
 throw new PermissionDeniedException();
 }
+ if (!isAdminAuthority() && person.getOldPassword() != null && person.getPassword() == null)
+ {
+ throw new IllegalArgumentException("To change password, both 'oldPassword' and 'password' fields are required.");
+ }
 final String personIdToUpdate = validatePerson(personId);
 final Map properties = person.toProperties();
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
index 1369c47c92..4a1eca19d9 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
@@ -1030,6 +1030,10 @@ public class TestPeople extends EnterpriseTestApi
 // update with no oldPassword
 people.update(me.getId(), qjson("{ `password`:`newpassword456` }"), 403);
+
+ // update with no password
+ people.update(me.getId(), qjson("{ `oldPassword`:`newpassword456`, `password`:`` }"), 400);
+ people.update(me.getId(), qjson("{ `oldPassword`:`newpassword456` }"), 400);
 }
 @Test
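Review bot: The added guard in PeopleImpl rejects only a missing new password (`person.getPassword() == null`), yet the test added in the same commit also expects 400 when `password` is an empty string, so that case has to be rejected by code outside this hunk. Keeping the whole rule in one place would stop an empty new password from reaching the change path if the later validation is ever relaxed; assuming `getPassword()` returns a String, the condition could end with `(person.getPassword() == null || person.getPassword().isEmpty())`. The guard is also skipped for admins, so an admin request that carries only `oldPassword` appears to be accepted and the field ignored; if that is intended, a comment such as `// admins may set a password without oldPassword, so the pairing rule applies to non-admins only` would record it. The enclosing method starts and ends outside the hunk.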
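Review bot: The two new assertions in TestPeople check only the 400 status and never confirm that the stored password is unchanged after the rejected requests, which is the property that matters for a password-change endpoint. A follow-up step that authenticates with the existing password, introduced by a comment like `// a rejected change must leave the current password valid`, would pin that down. The admin exemption in the new PeopleImpl guard has no test here either, so it is not visible from this hunk what an admin update carrying only `oldPassword` returns. The test method begins outside the hunk, so earlier lines may already cover part of this.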