Follow-up to #2418119: REST user updates bypass tightened user account change validation
The original fix invoked the password service directly. Instead it needs to invoke the user.auth service, since the password validation may proceed through an external service or alternative password storage.
The UserAuthInterface may need to be enhanced to also have a method to accept a pre-loaded user entity rather than always loading based on user name.
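The two approaches contrasted in the summary, as an added PHP example that is not code from the issue or from Drupal core; it assumes the Drupal 8 `PasswordInterface::check()` and `UserAuthInterface::authenticate()` signatures, and the function names are hypothetical.

```php
<?php
// Added example (not from the issue or from core): validating the
// "current password" supplied on a user entity update, written both ways.
// Assumptions: PasswordInterface::check($password, $hash) returns bool;
// UserAuthInterface::authenticate($username, $password) returns the uid
// on success or FALSE; $account is the entity being validated.

use Drupal\Core\Password\PasswordInterface;
use Drupal\user\UserAuthInterface;
use Drupal\user\UserInterface;

/**
 * Original fix: compares against the locally stored hash only.
 *
 * A site using external authentication or alternative password storage
 * is never consulted, so its users cannot pass this check at all.
 */
function current_pass_valid_local(PasswordInterface $password, UserInterface $account, string $current_pass): bool {
  return $password->check($current_pass, $account->getPassword());
}

/**
 * Proposed approach: delegate to the user.auth service, so whichever
 * authentication backend the site wired in makes the decision.
 *
 * Caveat noted in the summary: authenticate() loads the user by name, so
 * pass the stored name (the original entity's), not a name that is itself
 * being changed in this update. A method accepting a pre-loaded entity
 * would remove that restriction.
 */
function current_pass_valid_auth(UserAuthInterface $user_auth, UserInterface $original_account, string $current_pass): bool {
  $uid = $user_auth->authenticate($original_account->getAccountName(), $current_pass);
  // The name must resolve to the very account being edited.
  return $uid !== FALSE && (int) $uid === (int) $original_account->id();
}
```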
Comment | File | Size | Author
---|---|---|---
#6 | 2503113-6.patch | 5.27 KB | dawehner |
#6 | 2503113-6-fail.patch | 4.4 KB | dawehner |
Comments
Comment #1
pwolanin
Comment #2
alexpott
Comment #3
dawehner
That seems to be just a copy of the old issue summary ... let's skip it to not get confused ...
I'm wondering whether the password checking for itself adds value or whether we always want to use the user authentication.
Maybe we could provide a special field which provides user authentication, given that the password field is a generic field type as part of core
and user authentication is an additional concept on top of that.
The user entity would then go with the password field with the user authentication constraint, while other people can still use a generic password field.
Comment #4
andypost
Comment #5
dawehner
Let's try to work on that.
Thank you @andypost for adding this sort of related issue
Comment #6
dawehner
I think we don't need it, because we call this just in case we change an already saved user.
Comment #7
webchick
Talked to Peter. This will cause issues for anyone using REST + non-local auth, but that isn't "the system" being unusable:
"it's not grossly broken, just using the wrong api"
Downgrading to major as a result. If there's something directly exploitable, let's revisit. ATM it sounds like people just won't be able to authenticate at all.
Comment #8
dawehner
So let's assume you want to simply use a different authentication. You replace the user.auth service so the UI uses that to login.
Would you expect the password field in your user edit form to talk with the authentication service or with the storage in user, which stores something totally different?
Comment #13
Wim Leers