Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable mustChangePassword check for impersonated access tokens #7006

Merged
merged 4 commits into from
May 21, 2024
Merged

Disable mustChangePassword check for impersonated access tokens #7006

merged 4 commits into from
May 21, 2024

Conversation

gevorgmansuryan
Copy link
Contributor

@gevorgmansuryan gevorgmansuryan self-assigned this May 17, 2024
luke-
luke- requested changes May 17, 2024
View reviewed changes
Copy link
Contributor

@luke- luke- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gevorgmansuryan Thank you for the PR.

Generally, no pure module-specific code should be added to the core.

Couldn't it be solved more independently, e.g. with a new “setImpersonator” method. This could also be used by the core itself.

@ArchBlood
Copy link
Contributor

@luke- why not do something like this in the rest module itself?

use yii\base\Security;

public function actionImpersonate()
{
    if (!Yii::$app->user->isAdmin()) {
        throw new ForbiddenHttpException();
    }

    $userId = Yii::$app->request->getBodyParam('userId');
    $user = User::findOne(['id' => $userId]);

    if ($user === null) {
        throw new NotFoundHttpException();
    }

    // Check if the user must change password
    if ($user->mustChangePassword) {
        // Generate a random password
        $security = new Security();
        $defaultPassword = $security->generateRandomString(16, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'); // Use both letters and numbers, increase length to 16
        
        // Hash the password
        $passwordHash = Yii::$app->security->generatePasswordHash($defaultPassword);

        // Set the hashed password
        $user->password = $passwordHash;

        // Update the user's mustChangePassword attribute
        $user->mustChangePassword = false;
        if (!$user->save()) {
            // Handle errors if necessary
            throw new ErrorException("Failed to update user's mustChangePassword attribute.");
        }
    }

    // Delete any existing impersonation token for the user
    if ($token = ImpersonateAuthToken::findOne(['user_id' => $user->id])) {
        $token->delete();
    }

    // Create a new impersonation token
    $token = new ImpersonateAuthToken();
    $token->user_id = $user->id;
    $token->save();

    return [
        'token' => $token->token,
        'expires' => $token->expiration,
    ];
}

@luke-
Copy link
Contributor

luke- commented May 21, 2024

@ArchBlood Hmm, I don't know if we should really just automatically set a random password for the affected users.

@luke- luke- added this pull request to the merge queue May 21, 2024
Merged via the queue into develop with commit 5340923 May 21, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luke- luke- luke- approved these changes

Assignees

@gevorgmansuryan gevorgmansuryan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@gevorgmansuryan @ArchBlood @luke-