Generator-jhipster: Changing a user's password does not require knowing the existing password

Created on 26 Dec 2017 · 6 Comments · Source: jhipster/generator-jhipster

Using JHipster version installed locally in current project's node_modules
Executing jhipster:info
Options:

JHipster Version(s)
[email protected] /home/moshe/IdeaProjects/innovendiMC
├── [email protected]
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
  └── [email protected]

##### **JHipster configuration, a `.yo-rc.json` file generated in the root folder**
.yo-rc.json file
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.shekel.imc",
      "nativeLanguage": "en"
    },
    "jhipsterVersion": "4.13.0",
    "baseName": "innovendiMC",
    "packageName": "com.shekel.imc",
    "packageFolder": "com/shekel/imc",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "hibernateCache": "ehcache",
    "clusteredHttpSession": false,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSocialSignIn": true,
    "enableSwaggerCodegen": false,
    "jwtSecretKey": "replaced-by-jhipster-info",
    "clientFramework": "angularX",
    "useSass": true,
    "clientPackageManager": "yarn",
    "applicationType": "monolith",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "otherModules": [
      {
        "name": "generator-jhipster-docker",
        "version": "2.2.0"
      },
      {
        "name": "generator-jhipster-bootstrap-material-design",
        "version": "3.5.1"
      },
      {
        "name": "generator-jhipster-swagger-cli",
        "version": "2.0.5"
      },
      {
        "name": "generator-jhipster-ci",
        "version": "1.0.0"
      },
      {
        "name": "generator-jhipster-pace",
        "version": "0.1.3"
      }
    ],
    "enableTranslation": true,
    "nativeLanguage": "en",
    "languages": [
      "en",
      "ro"
    ]
  }
}

JDL for the Entity configuration(s) entityName.json files generated in the .jhipster directory


JDL entity definitions

Environment and Tools
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

git version 2.7.4

node: v6.12.2

npm: 5.5.1

bower: 1.8.0

yeoman: 2.0.0

yarn: 1.3.2

Docker version 17.09.1-ce, build 19e2cf6

docker-compose version 1.15.0, build e12f3b9

Congratulations, JHipster execution is complete!
Overview of the issue

Feature request:
When changing a password the user is only requested to fill in the new password without having to fill the existing password.

Motivation for or Use Case

This is a security issue, since it enables a person that doesn't know the current password to change it.

Reproduce the error

Generate any app using JHipster; you will have the default user admin with password admin.
1) Log in using admin as the user and password
2) Go to: Account -> Password (in the upper right corner of the screen)
3) Change the password to admin1

The password change succeeded without having to enter the existing password.

Related issues
Suggest a Fix

Client side:
Add another text field for the current password

Server side:
Validate that the existing password is correct.
If the password is correct, change to the new password;
otherwise, show an error indicating that the existing password is wrong.

JHipster Version(s)

4.13.0

JHipster configuration
Entity configuration(s) entityName.json files generated in the .jhipster directory
Browsers and Operating System

Non OS or browser related

  • [X] Checking this box is mandatory (this is just to show you read everything)
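The server-side check proposed under "Suggest a Fix", as an added example that is not part of the original issue and not JHipster's generated code. The class name, the in-memory user store, the `changePassword` signature and the PBKDF2 parameters are assumptions made for illustration; it uses only the JDK (Java 16 or later).

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical stand-in for an account service; not JHipster's own code.
class PasswordChangeExample {
    // Stored credential: per-user salt plus the derived hash, never the raw password.
    record Credential(byte[] salt, byte[] hash) {}

    static final Map<String, Credential> USERS = new HashMap<>();

    // Derive a 256-bit hash with PBKDF2 (iteration count is a constructed sample value).
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static void store(String login, String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(login, new Credential(salt, pbkdf2(password.toCharArray(), salt)));
    }

    // Changes the password only when currentPassword matches the stored hash.
    // Returns false, leaving the credential untouched, in every other case.
    static boolean changePassword(String login, String currentPassword,
                                  String newPassword) throws Exception {
        Credential c = USERS.get(login);
        if (c == null || currentPassword == null || newPassword == null) return false;
        byte[] candidate = pbkdf2(currentPassword.toCharArray(), c.salt());
        // Constant-time comparison of the two derived hashes.
        if (!MessageDigest.isEqual(candidate, c.hash())) return false;
        store(login, newPassword); // fresh salt for the new password
        return true;
    }

    public static void main(String[] args) throws Exception {
        store("admin", "admin"); // constructed account matching the reproduction steps
        // Wrong current password: the change must be refused.
        System.out.println(changePassword("admin", "wrong", "admin1"));
        // Correct current password: the change is accepted.
        System.out.println(changePassword("admin", "admin", "admin1"));
        // The old password no longer verifies after the change.
        System.out.println(changePassword("admin", "admin", "admin2"));
    }
}
```

In a Spring Security application the comparison step is normally done with `PasswordEncoder.matches(rawPassword, encodedPassword)` instead of a hand-written hash comparison.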

All 6 comments

Yes I know, but that's a lot of work. Don't worry about AngularJS as it will soon be deprecated.

@moshelior are you available to do the PR? When could you work on this?

@jdubois Yes. Next week

Oh excellent @moshelior ! Next week is good, there should be people from the core team who can review your code.

Is there any developer guide for developing JHipster (assuming I apply my fixes, how can I test locally...)?
Can you tell me what are the relevant repositories on which I should work?
Thank you
