Issue: SAML users can't change their password in Drupal, despite $config->get('allow.set_drupal_pwd') being TRUE.
Expected: SAML users should be able to change their password without knowing their current Drupal password.
More detail:
In simplesamlphp_auth_form_user_form_alter, if $saml_enabled == TRUE, there is code that sets the current_pass field's #access to FALSE, with a comment that they aren't required to know their Drupal password:

```php
// If the user has a simplesamlphp_auth authmap record, then don't require
// them to know their Drupal password. This will allow them to change their
// e-mail address, and set a Drupal password if they want to
// (and are allowed).
$account = $form_state->getFormObject()->getEntity();
$saml_enabled = $authmap->get($account->id(), 'simplesamlphp_auth');
if ($saml_enabled) {
  $form['simplesamlphp_auth_user_enable']['#default_value'] = TRUE;
  $form['account']['current_pass']['#access'] = FALSE;
  // ... remainder of the block as in the module.
}
```
But this doesn't work currently.
There's an error from ProtectedUserFieldConstraint: "Your current password is missing or incorrect; it's required to change the password."
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | simplesamlphp_auth-change_password_and_e-mail-2968598-14.patch | 797 bytes | pdenooijer |
| #2 | simplesamlphp_auth-change-password-access-2968598-2.patch | 684 bytes | oknate |
| | cant change password.png | 102.81 KB | oknate |
Comments
Comment #2
oknate commented:
There's now a constraint, "ProtectedUserField", on the user entity's "pass" and "mail" fields.
I found some code in Account::buildEntity where you can skip this validation on the user reset form.
We can use this to allow users to skip having to enter their existing password. See ProtectedUserFieldConstraintValidator (it skips validation if _skipProtectedUserFieldConstraint is set to TRUE).
This should allow users to change their local password or e-mail.
Comment #3
oknate
Comment #4
oknate
Comment #5
oknate
Comment #6
oknate
Comment #7
oknate
Comment #8
oknate
Comment #9
mukila commented:
Applied patch #2 and it is working fine.
Comment #10
Anas_maw (volunteer) commented:
Patch #2 working fine for me.
Please commit it.
Comment #11
swirt commented:
Confirmed: Patch #2 works for me too.
Comment #12
pdenooijer (Ordina Digital Services for RTL Nieuws) commented:
Seems a bit like a hack, but I understand why this is done this way. RTBC +1
Comment #13
pdenooijer (Ordina Digital Services for RTL Nieuws) commented:
The current patch has security implications, as you don't need the current password any more to change the account's password. Will create a patch to enable the current password again. This will allow users that know their old password to change their own password and e-mail.
Comment #14
pdenooijer (Ordina Digital Services for RTL Nieuws) commented:
With this patch someone can reset his password through the mail and then use that current password to update his settings again. There is no need to disable the current password when you're allowed to change it.
Comment #15
pdenooijer (Ordina Digital Services for RTL Nieuws)
Comment #16
paul_leclerc commented:
Patch #14 works for me.
Comment #17
Berdir commented:
Yes, #14 makes sense; #2 is indeed insecure.
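To make the difference between the two approaches concrete, here is an added example of a hook_form_FORM_ID_alter() for the user edit form; it is not the module's code or either patch. It assumes the config key allow.set_drupal_pwd and the authmap lookup shown in the issue summary, the externalauth.authmap service name, and that AccountForm::buildEntity() copies the form state's pass_reset value into $account->_skipProtectedUserFieldConstraint.

```php
<?php

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for user_form.
 *
 * Keeps core's ProtectedUserFieldConstraint in force for SAML users instead
 * of bypassing it, as comments #13, #14 and #17 argue.
 */
function example_saml_form_user_form_alter(array &$form, FormStateInterface $form_state) {
  // Assumed: module config and the externalauth authmap service.
  $config = \Drupal::config('simplesamlphp_auth.settings');
  $authmap = \Drupal::service('externalauth.authmap');

  $account = $form_state->getFormObject()->getEntity();
  $saml_enabled = (bool) $authmap->get($account->id(), 'simplesamlphp_auth');
  if (!$saml_enabled) {
    return;
  }

  // INSECURE variant (what patch #2 amounts to): hide the current-password
  // field and make core skip ProtectedUserFieldConstraint. Whoever holds the
  // session can then change the password and e-mail without proving identity.
  // Shown only for contrast; do not enable.
  //
  //   $form['account']['current_pass']['#access'] = FALSE;
  //   $form_state->set('pass_reset', TRUE);  // ends up as _skipProtectedUserFieldConstraint (assumption)

  // Safer variant: always leave current_pass visible so core keeps verifying
  // it for password and e-mail changes. A SAML user who never set a Drupal
  // password obtains one through the normal password-reset mail, which is the
  // one flow where core itself legitimately sets the skip flag (comment #14).
  $form['account']['current_pass']['#access'] = TRUE;
  $form['account']['current_pass']['#description'] = t('Required to change your e-mail address or password. If you have never set a Drupal password, use the password reset link first.');

  // If local passwords are not allowed for SAML users, remove the new-password
  // field rather than weakening validation; e-mail changes still need the
  // current password.
  if (!$config->get('allow.set_drupal_pwd')) {
    $form['account']['pass']['#access'] = FALSE;
  }
}
```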
Comment #20
Anas_maw (volunteer) commented:
I opened a follow-up issue, #3112380: Users with simplesaml_auth don't know their passwords after the registration, to find a better user-experience practice.
Comment #21
Anas_maw (volunteer) commented:
Please check the patch in #3112380-4: Users with simplesaml_auth don't know their passwords after the registration, which has a better user experience.