Prevent impersonation of users with expired passwords

What does this MR do and why?

  • If you impersonate into an expired account, various things are not visible
  • An admin can reset a user's password if they need to, this change requires them to update an expired password before impersonating the user
  • Fixes #332667 (closed)

Screenshots or screen recordings

Screen_Recording_2022-11-04_at_1.24.16_PM

How to set up and validate locally

  1. Ensure there is a user with an expired password (`User.last.update!(password_expires_at: 1.day.ago)`)
  2. Log in as an instance admin
  3. Visit http://localhost:3000/admin/users and click on the user's name
  4. On the user page, click the "Impersonate" button
  5. You should see an error message "You cannot impersonate a user with an expired password" and an impersonation session should not be started
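The guard that steps 4 and 5 exercise, sketched in Ruby as an added example; this is not GitLab's own code, and `User`, `start_impersonation` and `reset_password!` are constructed stand-ins (the real model and the admin reset behaviour are assumed, not copied from the project):

```ruby
require "time"

# Constructed stand-in for the user record; only the expiry timestamp matters here.
User = Struct.new(:username, :password_expires_at, keyword_init: true) do
  # A password is expired only when an expiry timestamp exists and lies in the past.
  def password_expired?(now = Time.now)
    !password_expires_at.nil? && password_expires_at < now
  end
end

# Error text from the MR's validation step.
IMPERSONATION_DENIED = "You cannot impersonate a user with an expired password".freeze

# Models the check the MR adds: refuse to open an impersonation session for a
# target whose password has expired. Returns [session_or_nil, error_or_nil].
def start_impersonation(admin:, target:, session: {}, now: Time.now)
  if target.password_expired?(now)
    # Refusal path: no session keys are written, so nothing is "half started".
    return [nil, IMPERSONATION_DENIED]
  end

  session = session.merge(impersonator_id: admin.username, user_id: target.username)
  [session, nil]
end

# Assumed admin reset: clears the expiry so impersonation is allowed again.
# GitLab's real reset flow may set a different expiry; this is a placeholder.
def reset_password!(user)
  user.password_expires_at = nil
  user
end
```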

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jessie Young