Prevent impersonation of users with expired passwords
What does this MR do and why?
- If you impersonate into an expired account, various things are not visible
- An admin can reset a user's password if they need to; this change requires them to update an expired password before impersonating the user
- Fixes #332667 (closed)
Screenshots or screen recordings
How to set up and validate locally
- Ensure there is a user with an expired password (`User.last.update!(password_expires_at: 1.day.ago)`)
- Log in as an instance admin
- Visit http://localhost:3000/admin/users and click on the user's name
- On the user page, click the "Impersonate" button
- You should see an error message "You cannot impersonate a user with an expired password" and an impersonation session should not be started
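The guard this MR describes, reduced to a stand-alone Ruby model as an added example (constructed here, not GitLab's own code): a `User` stand-in with only the `password_expires_at` field, a hypothetical `start_impersonation` that refuses to open a session for an expired password, and the nil case (no expiry set) treated as not expired.

```ruby
require 'time'

# Constructed stand-in for the User model: only the field the guard needs.
User = Struct.new(:username, :password_expires_at) do
  # A nil expiry means the password never expires; otherwise compare to now.
  def password_expired?
    !password_expires_at.nil? && password_expires_at < Time.now
  end
end

# Error message as shown in the validation steps above.
IMPERSONATION_BLOCKED = 'You cannot impersonate a user with an expired password'.freeze

# Hypothetical controller-level helper. Returns [:ok, session] when impersonation
# may start, or [:error, message] when it must be refused. On refusal no
# session hash is built, so nothing is left behind to act as an impersonation.
def start_impersonation(admin, target)
  return [:error, IMPERSONATION_BLOCKED] if target.password_expired?

  [:ok, { impersonator: admin.username, impersonated: target.username }]
end
```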
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Jessie Young