Adrian_Santamaria | 2021-05-20 09:45:07 UTC | #1
Hello
Currently, the Directory > User > setPassword permission is not Division Aware.
That means that a user with that permission can change any other user's password, no matter its division, if he/she knows the target userId, using the POST /api/v2/users/{userId}/password endpoint.
We think this is a potential security risk, as the userIds are not very hard to guess, especially admins' (for example, via the fields "modifiedBy" or "createdBy" that many responses include, as they are usually admins).
I've opened an Idea requesting that permission to be Division Aware, but I'd like to confirm it here too.
Thanks!
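To make the difference concrete, here is an added example (not code from the original post or from the platform) that models the two checks side by side: the current one, which accepts the permission from any division, and the division-aware one the idea asks for. Role names, user ids and status codes are constructed; only the permission name and the endpoint path come from the post.

```python
from dataclasses import dataclass, field

# Permission name as referred to in the post (Directory > User > setPassword).
SET_PASSWORD = "directory:user:setPassword"


@dataclass
class User:
    user_id: str
    division: str
    # division -> set of permissions granted in that division (constructed model)
    grants: dict = field(default_factory=dict)


def can_set_password_legacy(actor: User, target: User) -> bool:
    """Non-division-aware: holding the permission anywhere is enough,
    so the target's division is never consulted."""
    return any(SET_PASSWORD in perms for perms in actor.grants.values())


def can_set_password_division_aware(actor: User, target: User) -> bool:
    """Division-aware: the permission must be granted in the target's division."""
    return SET_PASSWORD in actor.grants.get(target.division, set())


def handle_set_password(actor: User, target: User, check) -> int:
    """Simulated handler for POST /api/v2/users/{userId}/password.
    Returns a constructed HTTP-style status: 403 when denied, 204 when allowed."""
    return 204 if check(actor, target) else 403


def cross_division_exposure(users: list) -> list:
    """Audit helper: (actor, target) pairs the legacy check allows but the
    division-aware check would deny, i.e. the cross-division reach described in the post."""
    return sorted(
        (a.user_id, t.user_id)
        for a in users for t in users
        if a is not t
        and can_set_password_legacy(a, t)
        and not can_set_password_division_aware(a, t)
    )


# Constructed sample directory: one admin per division plus an agent.
ADMIN_EU = User("u-eu-admin", "EU", {"EU": {SET_PASSWORD}})
ADMIN_US = User("u-us-admin", "US", {"US": {SET_PASSWORD}})
AGENT_US = User("u-us-agent", "US")
AGENT_EU = User("u-eu-agent", "EU")
DIRECTORY = [ADMIN_EU, ADMIN_US, AGENT_US, AGENT_EU]
```

Running `cross_division_exposure(DIRECTORY)` lists every admin-to-user pair that only the non-division-aware check permits, which is the set a division-scoped permission would close off.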
Becky_Powell | 2021-05-20 13:32:01 UTC | #2
Hi Adrian, I can confirm that this permission is not division-aware - yet. I've looked at your idea in the Ideas Portal and am discussing with our dev team. Thank you for raising this!
-Becky Powell, Director, Product Management
Adrian_Santamaria | 2021-05-27 08:38:46 UTC | #3
Hello Becky
Are there any updates about this?
Thanks
Adrian_Santamaria | 2021-06-03 17:17:35 UTC | #4
Sorry for asking again, but aren't there any updates?
system | 2021-07-04 17:17:36 UTC | #5
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.