Password policy table is not shown when user 1 has no roles.

Created on 19 April 2023, over 1 year ago
Updated 7 April 2024, 9 months ago

Problem/Motivation

User 1 does not need to have any roles to gain all permissions. If this user does not have any role (other than authenticated user) and no policies apply to authenticated user then the policy is not applied when user 1 edit's their password or another user's password.

Steps to reproduce

Set up user 1 with no roles.
Set up a number of password policies ensuring none of them have 'authenticated' user role. Set them all to show the policy table.
Edit the password of any user, including their own.

The result is that the policy table will not show and the policy will not be applied.

Proposed resolution

Add to the existing logic in PasswordPolicyValidationManager.php to check for user 1. For user 1 look up the admin role in Role settings and check to see if this is in user 1's roles. If not add it.
I supply a patch that does this by creating a new protected method of this class called getUserRoles. This is used to replace $this->currentUser->getRoles() in this classes methods tableShouldBeVisible and validationShouldRun.

Remaining tasks

I also notice that this logic is using the currently logged in user rather than the user being edited and I am not sure if that is correct.

User interface changes

None

API changes

None

Data model changes

None

πŸ› Bug report
Status

Needs review

Version

4.0

Component

Code

Created by

πŸ‡¬πŸ‡§United Kingdom Rory Downes

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024