Patch to allow admins to set passwords for new users when mixing SSO & local users

We have most of our users authenticated using SSO (Shibboleth SP on the local Apache server) but we’ve a requirement to have a smaller number of users who don’t exist in our ActiveDirectory have accounts in RT. One issue with this is being able to allow admins and these users to set and reset their password. We found we need a small patch to RT/Users.pm - here’s a context diff of the changes we made.

*** User.pm	2018-06-04 11:31:21.233468043 +0100
--- /opt/rt4/lib/RT/User.pm	2017-11-22 20:13:24.243774588 +0000
***************
*** 1168,1179 ****
      ) {
          $res{'CanSet'} = 0;
          $res{'Reason'} = $self->loc("External authentication enabled.");
!     } elsif ( !$self->HasPassword ) {
          if ( $self->CurrentUser->id == ($self->id||0) ) {
              # don't require current password if user has no
              $res{'RequireCurrent'} = 0;
- 	} elsif($self->CurrentUser->CurrentUserCanModify()) {
-             $res{'RequireCurrent'} = 0;
          } else {
              $res{'CanSet'} = 0;
              $res{'Reason'} = $self->loc("Your password is not set.");
--- 1168,1177 ----
      ) {
          $res{'CanSet'} = 0;
          $res{'Reason'} = $self->loc("External authentication enabled.");
!     } elsif ( !$self->CurrentUser->HasPassword ) {
          if ( $self->CurrentUser->id == ($self->id||0) ) {
              # don't require current password if user has no
              $res{'RequireCurrent'} = 0;
          } else {
              $res{'CanSet'} = 0;
              $res{'Reason'} = $self->loc("Your password is not set.");
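
Review bot: in the 1168-1179 block, the added branch `elsif($self->CurrentUser->CurrentUserCanModify())` is called on the acting user's object with no argument, so it does not visibly test any right over the target user `$self`. Since this branch sets `$res{'RequireCurrent'} = 0` for someone other than the account owner, please confirm which right it actually checks and name that right explicitly in the condition. The file headers are also in reverse order (the modified `User.pm` first, the stock `/opt/rt4/lib/RT/User.pm` second), so the lines marked `-` are the additions and the diff would have to be applied reversed; regenerating it from stock to modified would avoid that. The new `elsif` line is indented with a tab where its neighbours use spaces.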

Can anyone see any issues with this idea? It seems to behave sensibly for us on our test installation of RT.


What version of RT is this change on? I’m assuming you have $WebFallbackToRTLogin set?

Hi Jim

We’re using 4.4.2 and yes, $WebFallbackToRTLogin is set

regards
Garry
(In GreenJimll’s absence)

This is slightly rewritten in version 4.4.4, which I currently use, but it still doesn’t work as expected for me. The new patch I suggest applying is here.


--- a/local/lib/RT/User.pm    2019-11-19 16:50:10.000000000 +0100
+++ b/local/lib/RT/User.pm.patched     2020-11-25 13:21:46.348623339 +0100
@@ -1272,8 +1272,8 @@
         $res{'CanSet'} = 0;
         $res{'Reason'} = $self->loc("External authentication enabled.");
     } elsif ( !$self->CurrentUser->HasPassword ) {
-        if ( $self->CurrentUser->id == ($self->id||0) ) {
-            # don't require current password if user has no
+        if ( $self->CurrentUser->PrincipalObj->HasRight(Right => 'SuperUser', Object => $RT::System) ) {
+            # don't require current password if user is SuperUser
             $res{'RequireCurrent'} = 0;
         } else {
             $res{'CanSet'} = 0;
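
Review bot: replacing the `$self->CurrentUser->id == ($self->id||0)` test at line 1275 removes the case where a user with no password sets their own first one; with this hunk only a SuperUser reaches `$res{'RequireCurrent'} = 0`, and everyone else falls through to `$res{'CanSet'} = 0`. The outer `elsif ( !$self->CurrentUser->HasPassword )` is unchanged, so the SuperUser branch is only evaluated when the acting administrator has no local password. If both behaviours are wanted, keep the original `if` and add the right check as a separate `elsif`. It is also worth considering whether a right narrower than `SuperUser` is enough for setting another user's password, and recording the reason for the choice in the comment.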