Introduced in branch: 8.0.x
Introduced in version: 8.0.0-beta10

Description:

If the account being changed by a REST request is the currently logged-in user's own account (the user under which the request is performed), the existing password has to be provided whenever a protected field (e-mail address or password) is to be changed.

Consider the following example to change the password via REST:

PATCH request before:

{
  "pass": [
    {
      "value": "new-pass"
    }
  ]
}

PATCH request after:

{
  "pass": [
    {
      "value": "new-pass",
      "existing": "existing-pass"
    }
  ]
}

If the existing password is omitted, the request is rejected with HTTP status code 422 and the following error:

Unprocessable Entity: validation failed. pass: Your current password is missing or incorrect; it's required to change the Password.

API-level
The same applies at the API level: if the currently logged-in user's own account is updated and user validation is performed, the existing password must be entered by the user and provided via the setExistingPassword() method on the user object.
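The rule described above (for the REST PATCH bodies and for the API-level validation) can be modelled end to end. The following is an added example written for this page, not Drupal's own code: it parses the "before" and "after" request bodies shown above, applies the protected-field check only when the target account is the logged-in user's own, and produces the 422 error quoted above when the existing password is missing or wrong. Assumptions are labelled in the code: PBKDF2-SHA256 stands in for the site's real password hasher, the "Email" message label reuses the page's template, and a protected field counts as changed whenever it is present in the body.

```python
import hashlib
import hmac
import json
import os

# Fields that are "protected" on the logged-in user's own account: changing
# either one requires the existing password as well. The message text for
# "pass" is the one quoted in the change record; the "mail" label reusing the
# same template is an assumption.
PROTECTED_FIELD_LABELS = {"pass": "Password", "mail": "Email"}
MESSAGE_TEMPLATE = ("Unprocessable Entity: validation failed. {field}: Your current "
                    "password is missing or incorrect; it's required to change the {label}.")


def hash_password(password, salt=b""):
    """Hash a password for storage. Assumption: PBKDF2-SHA256 stands in for the
    site's real password hasher; only check_password() needs to agree with it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_password(candidate, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def changed_protected_fields(body):
    """Which protected fields does this PATCH body try to set? (Simplification:
    presence counts as a change.) A 'pass' item carrying only 'existing' and no
    'value' is not a password change; it just supplies the current password."""
    changed = []
    if body.get("mail"):
        changed.append("mail")
    pass_items = body.get("pass") or []
    if pass_items and "value" in pass_items[0]:
        changed.append("pass")
    return changed


def validate_patch(patch_body, target_uid, current_uid, stored_hash):
    """Apply the change record's rule to a PATCH on /user/{target_uid}.

    Returns (http_status, errors). The check applies only when the account being
    updated is the logged-in user's own AND a protected field is changed; the
    'existing' password is read from the 'pass' field, as in the example above.
    """
    body = json.loads(patch_body)
    changed = changed_protected_fields(body)
    if target_uid != current_uid or not changed:
        return 200, []  # e.g. an administrator editing someone else's account

    existing = None
    pass_items = body.get("pass") or []
    if pass_items:
        existing = pass_items[0].get("existing")

    if existing and check_password(existing, stored_hash):
        return 200, []

    errors = [MESSAGE_TEMPLATE.format(field=f, label=PROTECTED_FIELD_LABELS[f])
              for f in changed]
    return 422, errors


# Constructed sample data: the two request bodies shown in the change record,
# plus a wrong existing password and an e-mail-only change.
STORED_HASH = hash_password("existing-pass", salt=bytes(16))
PATCH_BEFORE = '{"pass": [{"value": "new-pass"}]}'
PATCH_AFTER = '{"pass": [{"value": "new-pass", "existing": "existing-pass"}]}'
PATCH_WRONG = '{"pass": [{"value": "new-pass", "existing": "wrong-pass"}]}'
PATCH_MAIL_ONLY = '{"mail": [{"value": "new@example.com"}]}'

if __name__ == "__main__":
    for name, body in [("before", PATCH_BEFORE), ("after", PATCH_AFTER),
                       ("wrong", PATCH_WRONG), ("mail only", PATCH_MAIL_ONLY)]:
        status, errors = validate_patch(body, target_uid=7, current_uid=7,
                                        stored_hash=STORED_HASH)
        print(name, status, errors)
```

Running the block prints 422 for the "before" body, 200 for the "after" body, 422 for a wrong existing password, and 422 for an e-mail change that carries no existing password; the same "before" body against a different target account (an administrator editing another user) passes, which is the scope of the rule as the record states it.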

Impacts: Module developers

Updates done (doc team, etc.):
Online documentation: Not done
Theming guide: Not done
Module developer documentation: Not done
Examples project: Not done
Coder Review: Not done
Coder Upgrade: Not done

Comments

mohammadhesam

Hi
When I use this method, the existing password is not checked at all and every password I write is accepted and I can change the new password.
Please advise what I need to do to check the current password.

Thank you