
yahoo-eng-team team mailing list archive

[Bug 1860252] Re: security problem,one user can change other user's password without admin


I strongly agree with Gage's view that User A and User B shouldn't be
sharing their passwords with each other. The bug seems invalid since this
should not happen in the real world.

** Changed in: keystone
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1860252

Title:
  security problem,one user can change other user's password without
  admin

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  I created users A and B, did not bind any project or domain, and used A
  to create a token without scope. Then, with this token, I can change B's
  password using B's user_id and original password.

  I noticed that this patch https://review.opendev.org/#/c/404022/25
  deletes @controller.protected(); the code looks like this:

      # NOTE(gagehugo): We do not need this to be @protected.
      # A user is already expected to know their password in order
      # to change it, and can be authenticated as such.
      def change_password(self, request, user_id, user):
          original_password = user.get('original_password')
          if original_password is None:
              raise exception.ValidationError(target='user',
                                              attribute='original_password')

  But is this safe? I use the M version and merged the PCI-DSS feature; is
  this fixed in other versions?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1860252/+subscriptions
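The point of the disposition above is that the original_password check is itself an authentication of the target user, so the identity carried by the caller's token adds nothing. The following is an added illustration of that reasoning in a small in-memory model; it is not keystone code, and the UserStore, token shape, exception names and the optional bind_to_token flag are all assumptions made here for the example. With bind_to_token=False it reproduces what the report describes (A's unscoped token plus B's current password changes B's password); with bind_to_token=True it shows the extra defence-in-depth check a deployment might want, namely that the token's user must be the user being changed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the behaviour discussed in the bug report.
# Not keystone code: the store, the token shape and the exceptions are assumptions.


class ValidationError(Exception):
    """Request is missing a required attribute (here: original_password)."""


class Unauthorized(Exception):
    """Supplied password does not match the stored one."""


class Forbidden(Exception):
    """Token identity does not match the target user (optional check)."""


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hasher a real deployment uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Minimal user database: user_id -> {salt, hash}. Users are unscoped (no project/domain)."""

    def __init__(self) -> None:
        self._users: dict[str, dict[str, bytes]] = {}

    def create_user(self, user_id: str, password: str) -> None:
        self.set_password(user_id, password)

    def set_password(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": _hash(password, salt)}

    def check_password(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            return False
        # constant-time comparison of the derived keys
        return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def issue_unscoped_token(store: UserStore, user_id: str, password: str) -> dict:
    """Password authentication yielding an unscoped token (no project/domain)."""
    if not store.check_password(user_id, password):
        raise Unauthorized(f"bad credentials for {user_id}")
    return {"id": secrets.token_hex(16), "user_id": user_id}


def change_password(store: UserStore, token: dict, user_id: str, user: dict,
                    bind_to_token: bool = False) -> bool:
    """Model of an unprotected change_password: the original password is the authentication.

    bind_to_token=True adds the extra check that the token's user is the target user;
    that check is an assumption of this example, not something the page says keystone does.
    """
    original_password = user.get("original_password")
    if original_password is None:
        raise ValidationError("user.original_password")
    if bind_to_token and token["user_id"] != user_id:
        raise Forbidden(f"token for {token['user_id']} may not change {user_id}")
    # Knowing the current password is what proves the caller is (or is acting as) the user.
    if not store.check_password(user_id, original_password):
        raise Unauthorized(f"original password for {user_id} does not match")
    store.set_password(user_id, user["password"])
    return True


def reproduce_report(bind_to_token: bool = False) -> dict:
    """Replay the scenario from the report: A's unscoped token, B's user_id and original password."""
    store = UserStore()
    store.create_user("user-a", "pw-a")  # constructed sample users
    store.create_user("user-b", "pw-b")
    token_a = issue_unscoped_token(store, "user-a", "pw-a")
    body = {"original_password": "pw-b", "password": "pw-b-new"}
    try:
        changed = change_password(store, token_a, "user-b", body, bind_to_token=bind_to_token)
    except Forbidden:
        changed = False
    return {
        "changed": changed,
        "new_password_works": store.check_password("user-b", "pw-b-new"),
        "old_password_works": store.check_password("user-b", "pw-b"),
    }
```

Running reproduce_report() shows B's password changing under A's token, exactly because the request carried B's current password; without that password the same call raises Unauthorized, which is why the report is closed as invalid. reproduce_report(bind_to_token=True) shows the stricter variant, where the same request is refused before any password check runs.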
