Patch to allow admins to set passwords for new users when mixing SSO & local users

We have most of our users authenticated using SSO (Shibboleth SP on the local Apache server) but we’ve a requirement to have a smaller number of users who don’t exist in our ActiveDirectory have accounts in RT. One issue with this is being able to allow admins and these users to set and reset their password. We found we need a small patch to RT/Users.pm - here’s a context diff of the changes we made.

*** User.pm	2018-06-04 11:31:21.233468043 +0100
--- /opt/rt4/lib/RT/User.pm	2017-11-22 20:13:24.243774588 +0000
***************
*** 1168,1179 ****
      ) {
          $res{'CanSet'} = 0;
          $res{'Reason'} = $self->loc("External authentication enabled.");
!     } elsif ( !$self->HasPassword ) {
          if ( $self->CurrentUser->id == ($self->id||0) ) {
              # don't require current password if user has no
              $res{'RequireCurrent'} = 0;
- 	} elsif($self->CurrentUser->CurrentUserCanModify()) {
-             $res{'RequireCurrent'} = 0;
          } else {
              $res{'CanSet'} = 0;
              $res{'Reason'} = $self->loc("Your password is not set.");
--- 1168,1177 ----
      ) {
          $res{'CanSet'} = 0;
          $res{'Reason'} = $self->loc("External authentication enabled.");
!     } elsif ( !$self->CurrentUser->HasPassword ) {
          if ( $self->CurrentUser->id == ($self->id||0) ) {
              # don't require current password if user has no
              $res{'RequireCurrent'} = 0;
          } else {
              $res{'CanSet'} = 0;
              $res{'Reason'} = $self->loc("Your password is not set.");

Can anyone see any issues with this idea? It seems to behave sensibly for us on our test installation of RT.

3 Likes

What version of RT is this change on? I’m assuming you have $WebFallbackToRTLogin set?

Hi Jim

We’re using 4.4.2 and yes, $WebFallbackToRTLogin is set

regards
Garry
(In GreenJimll’s absence)