RESTWS-885: Reset password REST endpoint requires privileges

omod-2.2/src/main/java/org/openmrs/module/webservices/rest/web/v1_0/controller/openmrs2_2/PasswordResetController2_2.java

@@ -15,9 +15,11 @@
 import org.openmrs.api.InvalidActivationKeyException;
 import org.openmrs.api.UserService;
 import org.openmrs.api.ValidationException;
+import org.openmrs.api.context.Context;
 import org.openmrs.module.webservices.rest.web.RestConstants;
 import org.openmrs.module.webservices.rest.web.v1_0.controller.BaseRestController;
 import org.openmrs.notification.MessageException;
+import org.openmrs.util.PrivilegeConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.http.HttpStatus;
@@ -40,9 +42,15 @@ public class PasswordResetController2_2 extends BaseRestController {
 	@ResponseStatus(HttpStatus.OK)
 	public void requestPasswordReset(@RequestBody Map<String, String> body) throws MessageException {
 		String usernameOrEmail = body.get("usernameOrEmail");
-		User user = userService.getUserByUsernameOrEmail(usernameOrEmail);
-		if (user != null) {
-			userService.setUserActivationKey(user);
+		try {
+			Context.addProxyPrivilege(PrivilegeConstants.GET_USERS);
+			User user = userService.getUserByUsernameOrEmail(usernameOrEmail);
+			if (user != null) {
+				userService.setUserActivationKey(user);
+			}
+		}
+		finally {
+			Context.removeProxyPrivilege(PrivilegeConstants.GET_USERS);
 		}
 	}
 

omod-2.2/src/test/java/org/openmrs/module/webservices/rest/web/v1_0/controller/openmrs2_2/PasswordResetController2_2Test.java

@@ -68,6 +68,39 @@ public void requestPasswordReset_shouldCreateUserActivationKeyGivenEmail() throw
 		handle(newPostRequest(RESET_PASSWORD_URI, "{\"usernameOrEmail\":\"" + user.getEmail() + "\"}"));
 		assertNotNull(dao.getLoginCredential(user).getActivationKey());
 	}
+
+	@Test
+	public void requestPasswordReset_shouldCreateUserActivationKeyWhenUnauthenticatedWithValidEmail() throws Exception {
+		User user = setUpUser("butch");
+		user.setEmail("[email protected]");
+		assertNull(dao.getLoginCredential(user).getActivationKey());
+		assertNotNull(user.getEmail());
+
+		MessageException exception = null;
+		try {
+			handle(newPostRequest(RESET_PASSWORD_URI, "{\"usernameOrEmail\":\"" + user.getEmail() + "\"}"));
+		} catch (MessageException me) {
+			exception = me;
+		}
+		assertNotNull(exception);
+		assertNotNull(dao.getLoginCredential(user).getActivationKey());
+	}
+
+	@Test
+	public void requestPasswordReset_shouldCreateUserActivationKeyWhenUnauthenticatedWithValidUsername() throws Exception {
+		User user = setUpUser("butch");
+		assertNull(dao.getLoginCredential(user).getActivationKey());
+		assertNotNull(user.getUsername());
+
+		MessageException exception2 = null;
+		try {
+			handle(newPostRequest(RESET_PASSWORD_URI, "{\"usernameOrEmail\":\"" + user.getUsername() + "\"}"));
+		} catch (MessageException me) {
+			exception2 = me;
+		}
+		assertNotNull(exception2);
+		assertNotNull(dao.getLoginCredential(user).getActivationKey());
+	}
 
 	@Test
 	public void resetPassword_shouldResetUserPasswordIfActivationKeyIsCorrect() throws Exception {
@@ -87,4 +120,17 @@ public void resetPassword_shouldResetUserPasswordIfActivationKeyIsCorrect() thro
 		Context.authenticate(user.getUsername(), newPassword);
 
 	}
+
+	private User setUpUser(String userName) throws Exception {
+		User user = userService.getUserByUsername(userName);
+		final String newPassword = "SomeOtherPassword123";
+
+		userService.changePassword(user, newPassword);
+
+		// Logout Admin User with Privileges
+		Context.logout();
+
+		Context.authenticate(userName, newPassword);
+		return Context.getAuthenticatedUser();
+	}
 }