[Feature Request]: Ability to prevent user password changes #15014
Comments
Hi @snipe just looking at this again. Should I not see password-change buttons when using SAML?
Is there any update with this problem?
@designatedsuccessor did you find a way to do this?
No I did not. I don't think the Snipe-IT people even really understand the issue despite repeated attempts to educate so we gave up. Typical enshittification.
I found a way to do it, but in MariaDB. Are you using a DB??
Hi! If I understand correctly, reading #15014 (comment) this would mean that: I'm on 7.0.10, which is newer than the referred introduction of disabling this. I have disabled profile edits, and indeed, the buttons to edit profiles are gone, but referring to passwords, users logging in still see the options to change password: Can you please have another look at this? Thanks!
The Snipe people don't seem to know that LDAP is an old, decrepit protocol that no self-respecting organization should be using for modern auth, so from their perspective you're crazy for not just using LDAP and have password-change ability function. SAML and SSO are obviously more secure and Snipe reluctantly offers it, but they obviously put zero thought into turning off the password stuff with it. Security isn't Snipe's forte...more of an afterthought. It's an inventory management interface first, security second.
@designatedsuccessor The user already cannot save their password if they were imported via LDAP, and we really don't need the attitude.
snipe-it/app/Http/Controllers/ProfileController.php Lines 118 to 120 in 7f5ea30
As you can see, it never actually gets saved if the user was imported via LDAP. LOTS of people still use LDAP.
We always encourage IT Departments to transition to SCIM/SAML, but we cannot force the hands of the IT departments that use us.
Sure, bro. 🙄 If you're not going to be helpful, maybe consider keeping your uninformed opinions to yourself. Nobody is forcing you to use this free software.
@mdvdhurk - we already don't allow the password change to save. I'm working on a PR that will hide those elements for users who are LDAP. It gets a bit harder with SCIM and SAML, since we don't really have a way of knowing which users are SCIM and SAML, but even if they do change their password, it won't really affect anything, since SAML will redirect away from the regular login anyway.
Thanks, appreciated! :)
Is your feature request related to a problem? Please describe.
When using SCIM and SAML, there is no need for user password changes.
Describe the solution you'd like
Ability for admins to disable password changes and all password-change entry points.
It was said that was delivered as part of #14683, but I'm not seeing it.
Describe alternatives you've considered
No response
Additional context
No response