TRUNK-6187: Protect admin credentials with runtime property (#4413)

* TRUNK-6187: Protect admin credentials with runtime property add "changePassword" User Service API function back in * TRUNK-6187: Protect admin credentials with runtime property add "changePassword" User Service API function back in
openmrs · Oct 17, 2023 · ebde188 · ebde188
1 parent 7efc24b
commit ebde188
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 12 deletions.
diff --git a/api/src/main/java/org/openmrs/api/UserService.java b/api/src/main/java/org/openmrs/api/UserService.java
@@ -331,6 +331,17 @@ public interface UserService extends OpenmrsService {
 	 */
 	@Logging(ignoredArgumentIndexes = { 0, 1 })
 	public void changePassword(String oldPassword, String newPassword) throws APIException;
+
+	/**
+	 * Changes password of {@link User} passed in
+	 * @param user user whose password is to be changed
+	 * @param newPassword new password to set
+	 * @throws APIException
+	 * <strong>Should</strong> update password of given user when logged in user has edit users password privilege
+	 * <strong>Should</strong> not update password of given user when logged in user does not have edit users password privilege
+	 */
+	@Authorized({PrivilegeConstants.EDIT_USER_PASSWORDS})
+	public void changePassword(User user, String newPassword) throws APIException;
 
 	/**
 	 * Changes the current user's password directly. This is most useful if migrating users from

diff --git a/api/src/main/java/org/openmrs/api/impl/UserServiceImpl.java b/api/src/main/java/org/openmrs/api/impl/UserServiceImpl.java
@@ -660,19 +660,8 @@ public void changePassword(User user, String oldPassword, String newPassword) th
 		updatePassword(user, newPassword);
 	}
 
-	/**
-	 * This is for internal use only. DO NOT CALL THIS METHOD.
-	 * 
-	 * @param user The user's password to change
-	 * @param newPassword The password to change it to
-	 */
-	@Authorized(PrivilegeConstants.EDIT_USER_PASSWORDS)
+	@Override
 	public void changePassword(User user, String newPassword) {
-		if (!Daemon.isDaemonThread() || !Context.getUserContext().getAuthenticatedUser().isSuperUser()) {
-			throw new APIAuthenticationException(Context.getMessageSourceService().getMessage("error.privilegesRequired",
-				new Object[] { "System Developer" }, Context.getLocale()));
-		}
-
 		updatePassword(user, newPassword);
 	}