View Issue Details

ID: 0026885
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2020-05-03 04:34
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.24.0
Target Version: 2.24.1
Fixed in Version: 2.24.1
Summary: 0026885: Resetting password for protected user via REST API should fail
Description

Issue 0026632 introduced a new REST API endpoint to reset a user's password.

Attempting to reset a protected user's password results in an HTTP 204 No Content, but in fact the operation failed (password was not reset).

The API should inform caller of the failure, e.g. by returning a 4xx status.

Steps To Reproduce
  1. Create a protected user
  2. Login as that user
  3. Reset the protected user's password with REST API
    $ curl --location --header 'Authorization: API_TOKEN_FOR_ADMIN_USER' -w "%{http_code}\n" --request PUT 'http://example.com/mantis/api/rest/users/PROTECTED_USER_ID/reset'
    204
  4. Login as the user again -> the password is still the same
Tags: No tags attached.

Relationships

related to 0026632 (closed, community): Support user password reset via REST API

Activities

Related Changesets

MantisBT: master-2.24 6210c647

2020-04-15 16:13

dregad


REST API password reset for protected user now fails

The endpoint now returns a 403 status code if the user is protected.

Fixes 0026885
Affected Issues
0026885
mod - api/rest/restcore/users_rest.php

MantisBT: master-2.24 0d5a7397

2020-05-02 07:48

dregad


UserResetPassword Command fixes

Merge PR https://github.com/mantisbt/mantisbt/pull/1655

Fixes 0026880, 0026885
See issue 0026632
Affected Issues
0026632, 0026880, 0026885
mod - api/rest/restcore/users_rest.php
mod - core/commands/UserResetPasswordCommand.php
mod - core/user_api.php
mod - manage_user_reset.php
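
A regression check for the behaviour reported in the description, as an added example that is not MantisBT code: it sends the same PUT as the curl command and flags any 2xx reply that leaves the password unchanged. The local stub server, the user ids and the passwords are constructed stand-ins; the stub only mimics the 204 (2.24.0) and 403 (2.24.1) responses described on this page.

```python
import http.client
import http.server
import threading

def make_stub(fixed, users):
    """Constructed stand-in for PUT .../api/rest/users/{id}/reset (assumption, not MantisBT)."""
    class Stub(http.server.BaseHTTPRequestHandler):
        def do_PUT(self):
            user = users[int(self.path.split("/")[-2])]
            if user["protected"]:
                # The password is left untouched either way; only the status differs.
                self.send_response(403 if fixed else 204)
            else:
                user["password"] = "reset-by-admin"
                self.send_response(204)
            self.end_headers()

        def log_message(self, *args):
            pass  # keep stderr quiet
    return Stub

def reset_status(port, user_id):
    """Send the PUT from the steps to reproduce and return the HTTP status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("PUT", f"/mantis/api/rest/users/{user_id}/reset",
                 headers={"Authorization": "API_TOKEN_FOR_ADMIN_USER"})
    status = conn.getresponse().status
    conn.close()
    return status

def audit(fixed):
    """Return {user_id: verdict}; 'silent failure' is a 2xx with no state change."""
    users = {1: {"protected": True, "password": "old"},    # constructed sample data
             2: {"protected": False, "password": "old"}}
    server = http.server.HTTPServer(("127.0.0.1", 0), make_stub(fixed, users))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    verdicts = {}
    for uid, user in users.items():
        status = reset_status(server.server_port, uid)
        if status >= 300:
            verdicts[uid] = f"rejected ({status})"
        else:  # 2xx: the password must actually have changed
            verdicts[uid] = "ok" if user["password"] != "old" else "silent failure"
    server.shutdown()
    server.server_close()
    return verdicts

if __name__ == "__main__":
    print("204 for protected user:", audit(fixed=False))
    print("403 for protected user:", audit(fixed=True))
```

Against a real instance, the state check would be the login attempt from step 4 rather than a read of the stub's dictionary.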