TRUNK-6228 Protect admin credentials not working if username not set …
…to admin fix for tests
rkorytkowski committed Apr 25, 2024
1 parent b4cbe60 commit 97360f6
Showing 2 changed files with 23 additions and 2 deletions.
Expand Up @@ -652,7 +652,7 @@ public void changePassword(User user, String oldPassword, String newPassword) th
throw new APIException("new.password.equal.to.old", (Object[]) null);
}

if ("admin".equals(user.getSystemId()) && Boolean.parseBoolean(
if (("admin".equals(user.getSystemId()) || "admin".equals(user.getUsername())) && Boolean.parseBoolean(
Context.getRuntimeProperties().getProperty(ADMIN_PASSWORD_LOCKED_PROPERTY, "false"))) {
throw new APIException("admin.password.is.locked");
}
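Review bot: The lock condition on the changed line identifies the protected account by an exact, case-sensitive comparison with the literal `"admin"`, so whether it holds depends on how usernames and system ids are normalised elsewhere, which this hunk does not show. If account lookup at login is case-insensitive, an account stored with different casing would not be covered; confirm that, and if so compare with `equalsIgnoreCase`. The guard is only visible in this `changePassword(User, String, String)` overload, whose body starts and ends outside the hunk, so any other path that sets a password should be checked for the same guard. A short comment on the condition would help, e.g. `// The admin account may be identified by systemId or by username; the lock must cover both.`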
23 changes: 22 additions & 1 deletion api/src/test/java/org/openmrs/api/UserServiceTest.java
Expand Up @@ -397,9 +397,11 @@ public void changePassword_shouldBeAbleToUpdatePasswordMultipleTimes() {
@Test
public void changePassword_shouldRespectLockingViaRuntimeProperty() {
assertThat("admin", is(Context.getAuthenticatedUser().getUsername()));
assertTrue(Context.getAuthenticatedUser().isSuperUser());

User u = userService.getUserByUsername(ADMIN_USERNAME);

assertThat(u.getSystemId(), is("admin"));
assertThat(u.getUsername(), is("admin"));

Properties props = Context.getRuntimeProperties();
props.setProperty(UserService.ADMIN_PASSWORD_LOCKED_PROPERTY, "true");
Expand All @@ -421,6 +423,25 @@ public void changePassword_shouldRespectLockingViaRuntimeProperty() {
userService.changePassword(u,"test", "SuperAdmin123");
}

@Test
public void changePassword_shouldRespectLockingViaRuntimePropertyForSystemIdAdminAndNoUsername() {
assertThat("admin", is(Context.getAuthenticatedUser().getUsername()));
assertTrue(Context.getAuthenticatedUser().isSuperUser());

User u = userService.getUserByUsername(ADMIN_USERNAME);

u.setSystemId("admin");
u.setUsername(null);

Properties props = Context.getRuntimeProperties();
props.setProperty(UserService.ADMIN_PASSWORD_LOCKED_PROPERTY, "true");
Context.setRuntimeProperties(props);

APIException apiException = assertThrows(APIException.class, () -> userService.changePassword(u, "test", "SuperAdmin123"));

assertThat(apiException.getMessage(), is("admin.password.is.locked"));
}

@Test
public void saveUser_shouldGrantNewRolesInRolesListToUser() {
// add in some basic properties
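Review bot: The new test `changePassword_shouldRespectLockingViaRuntimePropertyForSystemIdAdminAndNoUsername` sets `ADMIN_PASSWORD_LOCKED_PROPERTY` to `"true"` through `Context.setRuntimeProperties(props)` and ends without restoring it. The lock may therefore leak into later tests that change the admin password, unless the test base class resets runtime properties (not visible here). Wrapping the assertion in `try { … } finally { props.setProperty(UserService.ADMIN_PASSWORD_LOCKED_PROPERTY, "false"); Context.setRuntimeProperties(props); }` would keep the test self-contained. The test also calls `u.setSystemId("admin")` and `u.setUsername(null)` on the object returned by `getUserByUsername`; if that object is session-managed these changes could be flushed, so it is worth confirming that they are rolled back.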
