From e420b16bda4342fd803eb147de44e9ef7e7ca939 Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Tue, 6 Dec 2016 17:17:56 +0000
Subject: [PATCH] Merged 5.2.0 (5.2.0) to HEAD (5.2) 133094 mward: REPO-1627: oldPassword/password validation improvement
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@133390 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 source/java/org/alfresco/rest/api/impl/PeopleImpl.java | 4 ++++
 source/test-java/org/alfresco/rest/api/tests/TestPeople.java | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
index 3b2803e43f..411b978acc 100644
--- a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -519,6 +519,10 @@ public class PeopleImpl implements People
 // The user is not an admin user and is not attempting to update *their own* details.
 throw new PermissionDeniedException();
 }
+ if (!isAdminAuthority() && person.getOldPassword() != null && person.getPassword() == null)
+ {
+ throw new IllegalArgumentException("To change password, both 'oldPassword' and 'password' fields are required.");
+ }
 final String personIdToUpdate = validatePerson(personId);
 final Map properties = person.toProperties();
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
index 1369c47c92..4a1eca19d9 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
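Review bot: The guard added in the PeopleImpl.java hunk rejects only a `null` password, so a non-admin request that sends `oldPassword` together with an empty or blank `password` passes this check. The companion test expects 400 for `password`:``, so that case must be rejected by code outside this hunk; stating it here would keep the rule in one place, e.g. `&& (person.getPassword() == null || person.getPassword().isEmpty())`. The enclosing update method starts and ends outside the hunk, so whether a later step already rejects empty values cannot be confirmed from these lines.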
@@ -1030,6 +1030,10 @@ public class TestPeople extends EnterpriseTestApi
 // update with no oldPassword
 people.update(me.getId(), qjson("{ `password`:`newpassword456` }"), 403);
+
+ // update with no password
+ people.update(me.getId(), qjson("{ `oldPassword`:`newpassword456`, `password`:`` }"), 400);
+ people.update(me.getId(), qjson("{ `oldPassword`:`newpassword456` }"), 400);
 }
 @Test
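Review bot: The two requests added under `// update with no password` cover different inputs, an empty `password` string and an absent `password` field, but share one comment and assert only the status code. Labelling them separately, e.g. `// empty password is rejected` and `// missing password is rejected`, would make a failure easier to attribute to the right validation path. Nothing in the added lines confirms that the stored password is unchanged after the rejected requests; a follow-up assertion to that effect would pin the security property rather than just the response code. The test method starts outside the hunk.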