Admin cannot change any user's password

When I change any user’s password as admin, the error message “Your password is invalid.” is always returned.

I have checked the code and discovered the cause at line 35 in /concrete/controllers/single_page/dashboard/users/search.php.

if ($this->canEditPassword && !empty($this->request->request->get('uPasswordNew'))) {
    $passwordMine = (string) $this->request->request->get('uPasswordMine');
    $passwordNew = $this->request->request->get('uPasswordNew');
    $passwordNewConfirm = $this->request->request->get('uPasswordNewConfirm');

    $this->app->make('validator/password')->isValidFor($passwordNew, $this->user, $error);
    if ($passwordNew) {
        // maybe here
        $me = $this->app->make(User::class)->getUserInfoObject();
        // \Log::debug($me->getUserName()) => admin
        if (!$me->passwordMatches($passwordMine)) {
            $error->add(t('Your password is invalid.'));
        }
        if ($passwordNew != $passwordNewConfirm) {
            $error->add(t('The two passwords provided do not match.'));
        }
    }
    $data['uPasswordConfirm'] = $passwordNew;
    $data['uPassword'] = $passwordNew;
}

The code below gets the admin’s (current user’s) object, not that of the target user whose password is being changed.

$me = $this->app->make(User::class)->getUserInfoObject();

As a test, I changed the code as below. Changing the user’s password worked correctly.

$me = $this->user;

Concrete 9.1.3
PHP 7.4

The password change dialog in the Dashboard has confused a lot of people - it requires you to first enter your administrator password, then the new password you want to set for the user. A lot of people interpret it as having to enter the user’s current password.

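The behaviour described in the reply above, as an added example that is not part of the thread or of Concrete's code: the password field re-authenticates the logged-in admin, not the target user. The `$users` array and the `changePassword()` helper are hypothetical, and the hashing uses PHP's built-in `password_hash`/`password_verify` as an assumption.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts; this array is not Concrete's data model.
$users = [
    'admin' => ['hash' => password_hash('admin-secret', PASSWORD_DEFAULT), 'canEditPasswords' => true],
    'alice' => ['hash' => password_hash('alice-old', PASSWORD_DEFAULT), 'canEditPasswords' => false],
];

/**
 * Hypothetical helper: $actor (the logged-in account) sets a new password for $target.
 * Returns a list of error messages; an empty list means the password was changed.
 */
function changePassword(array &$users, string $actor, string $target,
    string $actorPassword, string $new, string $confirm): array
{
    if (!isset($users[$actor], $users[$target])) {
        return ['Unknown account.'];
    }
    if ($actor !== $target && !$users[$actor]['canEditPasswords']) {
        return ['You may not edit this password.'];
    }
    $errors = [];
    // Re-authentication step: the submitted password is checked against the
    // logged-in actor's hash, not the target's, so the admin never needs to
    // know the user's current password.
    if (!password_verify($actorPassword, $users[$actor]['hash'])) {
        $errors[] = 'Your password is invalid.';
    }
    // Strict comparison: loose != treats numeric strings such as "1e3" and "1000" as equal.
    if ($new !== $confirm) {
        $errors[] = 'The two passwords provided do not match.';
    }
    if ($errors === []) {
        $users[$target]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    }
    return $errors;
}

// Entering the target user's current password reproduces the reported message.
var_dump(changePassword($users, 'admin', 'alice', 'alice-old', 'alice-new', 'alice-new'));
// Entering the admin's own password succeeds and replaces alice's hash.
var_dump(changePassword($users, 'admin', 'alice', 'admin-secret', 'alice-new', 'alice-new'));
var_dump(password_verify('alice-new', $users['alice']['hash']));
```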

Commonly, password change UI expects the user’s current password, a new password, and confirmation.

I couldn’t understand why the admin must enter the user’s current password in the password change dialog. The meaning of “Your” in “Your Current Password” is “admin”, I see.

The label “Your Current Password” should be “Admin’s Password” in the dialog.