Ghost: As an admin I'm unable to change the password of a different user

Created on 28 Jan 2019 · 9 Comments · Source: TryGhost/Ghost

Issue Summary

When logged in as an Administrator or Owner and viewing other users there is a form to change their password. This has stopped working; it now shows this error when submitting the form:

Validation (FieldIsRequired) failed for ["oldPassword"]

To Reproduce

  1. Ensure your site has more than 1 user
  2. Log in as the Administrator/Owner account
  3. Open another user via the Team screen
  4. Fill in the change password form and submit
  5. Note the error message

Administrators/Owners used to be allowed to send PUT /users/password/ requests without the oldPassword field being present.

Technical details:

  • Ghost Version: 2.12.0
  • Database: MySQL
bug help wanted server / core

All 9 comments

I'd like to take a stab at this if that's ok?

The logic for this exists in the user model (see changePassword), but the API requires you to put the old password, even though it's not used if you change a password from a different user.

The required fields need to be conditional.


@jomahoney Yes sure :)

Sorry for the delay, just got hyper busy.

The logic for this exists in the user model (see changePassword), but the API requires you to put the old password, even though it's not used if you change a password from a different user.

The required fields need to be conditional.

So just to get this straight. I should be able to change the required-ness on the API side by switching this line to false.

Then I shouldn't have to change anything in changePassword() because of the isLoggedInUser being bypassed on account of it being an admin, therefore the oldPassword never gets used?

@jomahoney

Administrators/Owners used to be allowed to send PUT /users/password/ requests without the oldPassword field being present.

It needs to be conditional in the API layer. It depends on the role or on the logged in user.

Then I shouldn't have to change anything in changePassword()

Yeah 👍

I'm really sorry about the delay in this but I've been trying to get set up but for some reason ember build just never finishes once executing the yarn setup task.

I can still do this but may have to figure out what the yarn issue is first. (I've tried a decent amount of different things so far)

@jxhn if you're having trouble getting a development env set up could you ask on the forum? Post any details about errors you're seeing, what commands you've run, and so on, we'll try and help you out and fix/improve the tools or docs if needed 🙂

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This is still a problem. I get the same error on each of my sites. Any progress or ideas in solving this issue?

@wanderingduck No progress as of yet, but we'd love a PR for it! The current idea for solving the solution is to remove the oldPassword as a required option at the API level :relaxed:
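
The conditional requirement discussed in this thread, as an added example (not Ghost's code and not written by any commenter): `oldPassword` stays mandatory for self-service changes and is optional only when an Administrator or Owner changes a different user's password. The function name, request shape, the `Author` role in the sample data and the status codes are assumptions made for illustration.

```javascript
// Added example: a hypothetical validator, not Ghost's own code.
// Roles the issue says may change another user's password without oldPassword.
const PRIVILEGED_ROLES = new Set(['Owner', 'Administrator']);

const present = (v) => v !== undefined && v !== null && v !== '';

// actor:   { id, role } of the authenticated caller (constructed shape)
// payload: { user_id, oldPassword, newPassword } request body (constructed shape)
// Returns { ok, status, errors }; the status codes are illustrative assumptions.
function validatePasswordChange(actor, payload) {
    const isSelf = present(payload.user_id) &&
        String(payload.user_id) === String(actor.id);

    // Touching another account is an authorization decision first. Dropping the
    // oldPassword requirement must never extend to unprivileged callers.
    if (!isSelf && !PRIVILEGED_ROLES.has(actor.role)) {
        return {ok: false, status: 403, errors: ['NoPermission']};
    }

    // oldPassword proves the caller knows the current credential, so it stays
    // required for every self-service change, including an admin's own account.
    const required = ['user_id', 'newPassword'];
    if (isSelf) {
        required.push('oldPassword');
    }

    const missing = required.filter((field) => !present(payload[field]));
    if (missing.length > 0) {
        const message = `Validation (FieldIsRequired) failed for ${JSON.stringify(missing)}`;
        return {ok: false, status: 422, errors: [message]};
    }
    return {ok: true, status: 200, errors: []};
}

// Constructed sample requests.
const admin = {id: 1, role: 'Administrator'};
const author = {id: 3, role: 'Author'};
console.log(validatePasswordChange(admin, {user_id: 2, newPassword: 'n3w-Secret!'}));
console.log(validatePasswordChange(admin, {user_id: 1, newPassword: 'n3w-Secret!'}));
console.log(validatePasswordChange(author, {user_id: 2, newPassword: 'n3w-Secret!'}));
```

Simply flipping the field to "not required" for everyone would also let a hijacked session change its own password without knowing the current one, which is why the check above keys on both role and target.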
