This API: https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Client.go#L290 has the functionality to:
// ChangePasswordByIdentity
// Changes a user's password using their identity (login id and password). Using a loginId instead of the changePasswordId
// bypasses the email verification and allows a password to be changed directly without first calling the #forgotPassword
// method.
// ChangePasswordRequest request The change password request that contains all of the information used to change the password.
If I do not pass the current_password in this API, it still changes the user's password without the current password. If I pass something as current_password in the request, it does check if it matches the user's current password.
The abnormal behavior happens when nothing is passed as current_password.
Similarly, in the FusionAuth dashboard, I can change any user's password without the previous password. Is this behavior intended?
Or are these 2 issues related and pointing to a bigger overall problem with how FusionAuth changes passwords?
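Given the behaviour reported above, a service that exposes this call to end users has to require the current password itself before forwarding anything. The following is an added example, not FusionAuth's or the poster's code: `ValidateSelfServiceChange`, the `changeRequest` struct and its JSON key names are assumptions, and the sample bodies are constructed. It rejects a request whose current password is absent, null, empty, or sent under an unrecognised key.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// changeRequest holds the three fields the issue talks about. The JSON key
// names are assumptions made for this example.
type changeRequest struct {
	LoginID         string `json:"loginId"`
	CurrentPassword string `json:"currentPassword"`
	Password        string `json:"password"`
}

var (
	ErrCurrentPasswordRequired = errors.New("current password is required")
	ErrIncompleteRequest       = errors.New("loginId and new password are required")
)

// ValidateSelfServiceChange (hypothetical helper) parses a user-submitted body
// and returns it only when a non-empty current password is present.
func ValidateSelfServiceChange(body []byte) (*changeRequest, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // a misnamed key must not silently count as "absent"
	var req changeRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("malformed change request: %w", err)
	}
	if req.CurrentPassword == "" { // missing key, JSON null and "" all land here
		return nil, ErrCurrentPasswordRequired
	}
	if req.LoginID == "" || req.Password == "" {
		return nil, ErrIncompleteRequest
	}
	return &req, nil
}

func main() {
	// Constructed sample bodies, not captured traffic.
	for _, body := range []string{
		`{"loginId":"user@example.com","password":"new-Secret1"}`,
		`{"loginId":"user@example.com","currentPassword":null,"password":"new-Secret1"}`,
		`{"loginId":"user@example.com","current_password":"old","password":"new-Secret1"}`,
		`{"loginId":"user@example.com","currentPassword":"old-Secret1","password":"new-Secret1"}`,
	} {
		_, err := ValidateSelfServiceChange([]byte(body))
		fmt.Printf("forward=%t err=%v\n", err == nil, err)
	}
}
```

Only a request that passes this check should reach the identity-based change call; administrative resets belong on a separate, separately authorized path.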