From bd588b9d769e2dab43f74eaee8261013d083683e Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Sun, 22 Jan 2023 18:06:10 -0500
Subject: [PATCH] Prevent admin from invalidating their own password
I don't think an admin would ever want to reset and invalidate their own password rather than changing their password. If they did invalidate their password, their sessions would be deleted, including their current session. That would lead to the issue described in #705.
---
 src/components/user/row.vue | 6 +++++-
 test/components/user/reset-password.spec.js | 22 +++++++++++++++------
 transifex/strings_en.json | 4 ++++
 3 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/src/components/user/row.vue b/src/components/user/row.vue
index aa54c4ce7..ec3b5f5f9 100644
--- a/src/components/user/row.vue
+++ b/src/components/user/row.vue
@@ -46,8 +46,9 @@ except according to the terms contained in the LICENSE file. {{ $t('action.editProfile') }} -
  • +
  • {{ $t('action.resetPassword') }}…
@@ -158,6 +159,9 @@ export default {
 "field": {
 "sitewideRole": "Sitewide Role"
 },
+ // An Administrator may reset the password for another Web User, but not for
+ // their own account.
+ "cannotResetPassword": "You may not reset your own password on this page. To change your password, edit your profile.",
 // An Administrator may retire other Web Users, but not their own account.
 "cannotRetire": "You may not retire yourself.",
 "action": {
diff --git a/test/components/user/reset-password.spec.js b/test/components/user/reset-password.spec.js
index ccbb57182..02c28628c 100644
--- a/test/components/user/reset-password.spec.js
+++ b/test/components/user/reset-password.spec.js
@@ -13,12 +13,22 @@ describe('UserResetPassword', () => {
 mockLogin({ email: 'alice@getodk.org', displayName: 'Alice' });
 });
 
- it('toggles the modal', () =>
- load('/users', { root: false }).testModalToggles({
- modal: UserResetPassword,
- show: '.user-row .reset-password',
- hide: '.btn-link'
- }));
+ describe('reset password button', () => {
+ it('toggles the modal', () =>
+ load('/users', { root: false }).testModalToggles({
+ modal: UserResetPassword,
+ show: '.user-row .reset-password',
+ hide: '.btn-link'
+ }));
+
+ it('is disabled for the current user', async () => {
+ const component = await load('/users', { root: false });
+ const a = component.get('.user-row .reset-password');
+ a.element.parentNode.classList.contains('disabled').should.be.true();
+ a.should.have.ariaDescription(/^You may not reset your own password/);
+ await a.should.have.tooltip();
+ });
+ });
 
 it('sends the correct request', () =>
 mockHttp()
diff --git a/transifex/strings_en.json b/transifex/strings_en.json
index eed2b0492..6782988d2 100644
--- a/transifex/strings_en.json
+++ b/transifex/strings_en.json
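Review bot: The new 'is disabled for the current user' case inside the added `describe('reset password button')` block asserts presentation only — the `disabled` class on `parentNode`, the aria description and the tooltip — and never checks that activating the link is a no-op, so a regression that drops the click guard while keeping the class would still pass. After the tooltip assertion add `await a.trigger('click');` followed by an assertion that the `UserResetPassword` modal has not been shown; the existing `testModalToggles` call in the sibling case shows the modal's visibility is observable from the test, so a direct negative assertion on its state should be available. Reaching into `a.element.parentNode` also couples the test to the surrounding list-item markup; if the disabled state can be read from the link itself (for instance an `aria-disabled` attribute), asserting on `a` would be more robust. The case also relies on the `mockLogin` fixture in `beforeEach` making Alice the first `.user-row`, which is inferred rather than asserted; the enclosing `describe('UserResetPassword')` function starts before this hunk.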
@@ -3852,6 +3852,10 @@
 "developer_comment": "This is the text of a form field."
 }
 },
+ "cannotResetPassword": {
+ "string": "You may not reset your own password on this page. To change your password, edit your profile.",
+ "developer_comment": "An Administrator may reset the password for another Web User, but not for their own account."
+ },
 "cannotRetire": {
 "string": "You may not retire yourself.",
 "developer_comment": "An Administrator may retire other Web Users, but not their own account."