Skip to content

Commit

Permalink
Prevent admin from invalidating their own password (#708)
Browse files Browse the repository at this point in the history
I don't think an admin would ever want to reset and invalidate their own
password rather than changing their password. If they did invalidate
their password, their sessions would be deleted, including their current
session. That would lead to the issue described in #705.
  • Loading branch information
matthew-white authored Jan 24, 2023
1 parent a3cc539 commit bc17ac3
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 7 deletions.
6 changes: 5 additions & 1 deletion src/components/user/row.vue
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,9 @@ except according to the terms contained in the LICENSE file.
{{ $t('action.editProfile') }}
</router-link>
</li>
<li>
<li :class="{ disabled }">
<a class="reset-password" href="#"
v-tooltip.aria-describedby="disabled ? $t('cannotResetPassword') : null"
@click.prevent="$emit('reset-password', user)">
{{ $t('action.resetPassword') }}&hellip;
</a>
Expand Down Expand Up @@ -158,6 +159,9 @@ export default {
"field": {
"sitewideRole": "Sitewide Role"
},
// An Administrator may reset the password for another Web User, but not for
// their own account.
"cannotResetPassword": "You may not reset your own password on this page. To change your password, edit your profile.",
// An Administrator may retire other Web Users, but not their own account.
"cannotRetire": "You may not retire yourself.",
"action": {
Expand Down
22 changes: 16 additions & 6 deletions test/components/user/reset-password.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,22 @@ describe('UserResetPassword', () => {
mockLogin({ email: '[email protected]', displayName: 'Alice' });
});

it('toggles the modal', () =>
load('/users', { root: false }).testModalToggles({
modal: UserResetPassword,
show: '.user-row .reset-password',
hide: '.btn-link'
}));
describe('reset password button', () => {
it('toggles the modal', () =>
load('/users', { root: false }).testModalToggles({
modal: UserResetPassword,
show: '.user-row .reset-password',
hide: '.btn-link'
}));

it('is disabled for the current user', async () => {
const component = await load('/users', { root: false });
const a = component.get('.user-row .reset-password');
a.element.parentNode.classList.contains('disabled').should.be.true();
a.should.have.ariaDescription(/^You may not reset your own password/);
await a.should.have.tooltip();
});
});

it('sends the correct request', () =>
mockHttp()
Expand Down
4 changes: 4 additions & 0 deletions transifex/strings_en.json
Original file line number Diff line number Diff line change
Expand Up @@ -3852,6 +3852,10 @@
"developer_comment": "This is the text of a form field."
}
},
"cannotResetPassword": {
"string": "You may not reset your own password on this page. To change your password, edit your profile.",
"developer_comment": "An Administrator may reset the password for another Web User, but not for their own account."
},
"cannotRetire": {
"string": "You may not retire yourself.",
"developer_comment": "An Administrator may retire other Web Users, but not their own account."
Expand Down

0 comments on commit bc17ac3

Please sign in to comment.