This repository has been archived by the owner on Mar 1, 2024. It is now read-only.

3.2.0.0 - Users without WriteUsers can't update their own password due to including the enabled field. #86

Open
francinum opened this issue Jun 15, 2022 · 0 comments

Comments

@francinum

```
[13:40:30]: POST https://<ADDRESS>/User => {"password":"********************","oAuthConnections":null,"permissionSet":null,"group":null,"enabled":true,"createdAt":null,"systemIdentifier":null,"name":null,"id":7}
[13:40:30]: HTTP Forbidden: POST https://<ADDRESS>/User
```

Users without `WriteUsers` are unable to alter their own profile due to `enabled` being sent in the request, as its having any value at all without the flag present will immediately drop the request as forbidden.

```csharp
if ((!canEditAllUsers
	&& (model.Id != originalUser.Id
	|| model.Enabled.HasValue
	|| model.Group != null
	|| model.PermissionSet != null
	|| model.Name != null))
	|| (!passwordEdit && model.Password != null)
	|| (!oAuthEdit && model.OAuthConnections != null))
	return Forbid();
```
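
A reproduction of the check above, added here as an example and not taken from the project or from the reporter: it splits the same predicate into per-field tests so the field that triggers the 403 is named. The `UserUpdate` class, the `Violations` helper, the `callerId` parameter, the JSON bodies and the caller's rights (own-password edit only) are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Text.Json;

// Hypothetical request model; property names follow the logged JSON body.
public sealed class UserUpdate
{
    public long? Id { get; set; }
    public string? Name { get; set; }
    public string? Password { get; set; }
    public bool? Enabled { get; set; }
    public object? Group { get; set; }
    public object? PermissionSet { get; set; }
    public List<object>? OAuthConnections { get; set; }
}

public static class Demo
{
    // Same conditions as the snippet in the issue, one test per field.
    // The request is forbidden exactly when the returned list is non-empty.
    public static List<string> Violations(UserUpdate m, long callerId,
        bool canEditAllUsers, bool passwordEdit, bool oAuthEdit)
    {
        var v = new List<string>();
        if (!canEditAllUsers)
        {
            if (m.Id != callerId) v.Add("id");
            if (m.Enabled.HasValue) v.Add("enabled");   // any value counts, even an unchanged one
            if (m.Group != null) v.Add("group");
            if (m.PermissionSet != null) v.Add("permissionSet");
            if (m.Name != null) v.Add("name");
        }
        if (!passwordEdit && m.Password != null) v.Add("password");
        if (!oAuthEdit && m.OAuthConnections != null) v.Add("oAuthConnections");
        return v;
    }

    public static void Main()
    {
        var opts = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        // Constructed bodies: the first has the shape of the logged request, the second leaves "enabled" null.
        string logged = "{\"password\":\"constructed\",\"oAuthConnections\":null,\"permissionSet\":null,\"group\":null,\"enabled\":true,\"name\":null,\"id\":7}";
        string minimal = "{\"password\":\"constructed\",\"enabled\":null,\"id\":7}";
        foreach (var body in new[] { logged, minimal })
        {
            var model = JsonSerializer.Deserialize<UserUpdate>(body, opts)!;
            var bad = Violations(model, callerId: 7, canEditAllUsers: false, passwordEdit: true, oAuthEdit: false);
            Console.WriteLine(bad.Count == 0 ? "allowed" : "403 Forbidden, offending fields: " + string.Join(", ", bad));
        }
    }
}
```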