Prevent admin from invalidating their own password

I don't think an admin would ever want to reset and invalidate their own password rather than changing their password. If they did invalidate their password, their sessions would be deleted, including their current session. That would lead to the issue described in #705.
getodk · Jan 22, 2023 · bd588b9 · bd588b9
1 parent 242dddf
commit bd588b9
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 7 deletions.
diff --git a/src/components/user/row.vue b/src/components/user/row.vue
@@ -46,8 +46,9 @@ except according to the terms contained in the LICENSE file.
               {{ $t('action.editProfile') }}
             </router-link>
           </li>
-          <li>
+          <li :class="{ disabled }">
             <a class="reset-password" href="#"
+              v-tooltip.aria-describedby="disabled ? $t('cannotResetPassword') : null"
               @click.prevent="$emit('reset-password', user)">
               {{ $t('action.resetPassword') }}&hellip;
             </a>
@@ -158,6 +159,9 @@ export default {
     "field": {
       "sitewideRole": "Sitewide Role"
     },
+    // An Administrator may reset the password for another Web User, but not for
+    // their own account.
+    "cannotResetPassword": "You may not reset your own password on this page. To change your password, edit your profile.",
     // An Administrator may retire other Web Users, but not their own account.
     "cannotRetire": "You may not retire yourself.",
     "action": {

diff --git a/test/components/user/reset-password.spec.js b/test/components/user/reset-password.spec.js
@@ -13,12 +13,22 @@ describe('UserResetPassword', () => {
     mockLogin({ email: 'alice@getodk.org', displayName: 'Alice' });
   });
 
-  it('toggles the modal', () =>
-    load('/users', { root: false }).testModalToggles({
-      modal: UserResetPassword,
-      show: '.user-row .reset-password',
-      hide: '.btn-link'
-    }));
+  describe('reset password button', () => {
+    it('toggles the modal', () =>
+      load('/users', { root: false }).testModalToggles({
+        modal: UserResetPassword,
+        show: '.user-row .reset-password',
+        hide: '.btn-link'
+      }));
+
+    it('is disabled for the current user', async () => {
+      const component = await load('/users', { root: false });
+      const a = component.get('.user-row .reset-password');
+      a.element.parentNode.classList.contains('disabled').should.be.true();
+      a.should.have.ariaDescription(/^You may not reset your own password/);
+      await a.should.have.tooltip();
+    });
+  });
 
   it('sends the correct request', () =>
     mockHttp()

diff --git a/transifex/strings_en.json b/transifex/strings_en.json
@@ -3852,6 +3852,10 @@
           "developer_comment": "This is the text of a form field."
         }
       },
+      "cannotResetPassword": {
+        "string": "You may not reset your own password on this page. To change your password, edit your profile.",
+        "developer_comment": "An Administrator may reset the password for another Web User, but not for their own account."
+      },
       "cannotRetire": {
         "string": "You may not retire yourself.",
         "developer_comment": "An Administrator may retire other Web Users, but not their own account."