Skip to content

[Improvement-18383][API] Disable create user, reset password, and username edit in non-PASSWORD auth modes#18384

Open
njnu-seafish wants to merge 9 commits into
apache:devfrom
njnu-seafish:Improvement-18383
Open

[Improvement-18383][API] Disable create user, reset password, and username edit in non-PASSWORD auth modes#18384
njnu-seafish wants to merge 9 commits into
apache:devfrom
njnu-seafish:Improvement-18383

Conversation

@njnu-seafish

Copy link
Copy Markdown
Contributor

Was this PR generated or assisted by AI?

YES. Use AI to find and modify the code, then test and verify it locally.

Purpose of the pull request

close #18383

Brief change log

Disable create user, reset password, and username edit in non-PASSWORD auth modes

Verify this pull request

This pull request is code cleanup without any test coverage.

(or)

This pull request is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(or)

Pull Request Notice

Pull Request Notice

If your pull request contains incompatible change, you should also add it to docs/docs/en/guide/upgrade/incompatible.md

@njnu-seafish njnu-seafish requested a review from SbloodyS as a code owner June 25, 2026 12:34
@github-actions github-actions Bot added the UI ui and front end related label Jun 25, 2026
@njnu-seafish

Copy link
Copy Markdown
Contributor Author

Do we also need to add a check for the PASSWORD authentication type in the backend controllers? If the authentication mode is non-PASSWORD, the backend should not allow operations such as user creation and password modification.

@SbloodyS SbloodyS added the improvement make more easy to user or prompt friendly label Jun 26, 2026
@SbloodyS SbloodyS added this to the 3.5.0 milestone Jun 26, 2026
@SbloodyS

Copy link
Copy Markdown
Member

Do we also need to add a check for the PASSWORD authentication type in the backend controllers? If the authentication mode is non-PASSWORD, the backend should not allow operations such as user creation and password modification.

Yes. Both front-end and back-end need to be modified, please submit it in this PR.

@SbloodyS SbloodyS changed the title [Improvement-18383][API]Disable create user, reset password, and username edit in non-PASSWORD auth modes [Improvement-18383][API] Disable create user, reset password, and username edit in non-PASSWORD auth modes Jun 29, 2026

@SbloodyS SbloodyS left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The frontend checks added in this PR rely on userStore.getSecurityConfigType, but the OAuth2/OIDC redirect path only stores the session and userInfo. Because the user store is persisted, a browser that previously logged in with PASSWORD can keep a stale securityConfigType === 'PASSWORD', so OIDC/OAuth2 users may still see enabled create/reset/password UI. The redirect login path should also populate the current security config type before entering the app.

if (StringUtils.isNotEmpty(userName)) {

if (isNotPasswordAuthenticationMode()) {
throw new ServiceException(Status.OPERATION_NOT_ALLOWED_IN_NON_PASSWORD_MODE);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This rejects unchanged usernames too. Normal non-credential edits such as email/phone/tenant/state now fail in LDAP/OIDC/SSO mode.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This rejects unchanged usernames too. Normal non-credential edits such as email/phone/tenant/state now fail in LDAP/OIDC/SSO mode.

Very thorough.

@github-actions github-actions Bot added the test label Jun 29, 2026
@njnu-seafish

Copy link
Copy Markdown
Contributor Author

The frontend checks added in this PR rely on userStore.getSecurityConfigType, but the OAuth2/OIDC redirect path only stores the session and userInfo. Because the user store is persisted, a browser that previously logged in with PASSWORD can keep a stale securityConfigType === 'PASSWORD', so OIDC/OAuth2 users may still see enabled create/reset/password UI. The redirect login path should also populate the current security config type before entering the app.

The level of thoroughness in this review is outstanding. Really impressive work! Your review is very thorough.

@njnu-seafish njnu-seafish requested a review from SbloodyS June 30, 2026 01:44

@SbloodyS SbloodyS left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR marks OAuth2 redirect logins as securityConfigType=OAUTH2 on the frontend, but the backend guard in UsersServiceImpl checks only security.authentication.type. OAuth2 is enabled separately and can be used together with PASSWORD, so in that common setup the UI disables create/reset/edit-password, but /users/create, /users/update, and /users/register still pass the backend guard because security.authentication.type remains PASSWORD.

@njnu-seafish

Copy link
Copy Markdown
Contributor Author

The PR marks OAuth2 redirect logins as securityConfigType=OAUTH2 on the frontend, but the backend guard in UsersServiceImpl checks only security.authentication.type. OAuth2 is enabled separately and can be used together with PASSWORD, so in that common setup the UI disables create/reset/edit-password, but /users/create, /users/update, and /users/register still pass the backend guard because security.authentication.type remains PASSWORD.

ok, add logic to reject password-managed user operations when OAuth2 is enabled.

@njnu-seafish njnu-seafish requested a review from SbloodyS June 30, 2026 11:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend improvement make more easy to user or prompt friendly test UI ui and front end related

Projects

None yet

2 participants