Posted to dev@sling.apache.org by "Eric Norman (Jira)" <ji...@apache.org> on 2020/10/10 22:28:00 UTC
[jira] [Created] (SLING-9808) Add configuration option to always allow users to change their own password
Eric Norman created SLING-9808:
----------------------------------
Summary: Add configuration option to always allow users to change their own password
Key: SLING-9808
URL: https://issues.apache.org/jira/browse/SLING-9808
Project: Sling
Issue Type: Improvement
Reporter: Eric Norman
Assignee: Eric Norman
Fix For: JCR Jackrabbit User Manager 2.2.12
Oak generally requires that the user be granted the rep:userManagement privilege in order to be able to call the User.changePassword API.
However, in an environment where security is more locked down, it may be necessary for the user to have the ability to change their own password but not get all the other access that being granted rep:userManagement would allow (i.e. User.disable or Authorizable.remove).
To make that possible, the ChangeUserPassword servlet should have a configurable property to specify whether a user is allowed to change their own password even if they haven't been granted the rep:userManagement privilege. If the user doesn't have the required rep:userManagement privilege, then the work should be done on their behalf by a service user.