Password reset without requiring old password

Document ID : KB000098955
Last Modified Date : 31/05/2018
Issue:
While changing their password, users can set a new password without providing the current one (the old password field).
Environment:
Resolution:
In the roles and tasks XML file, the Password Reset task, Modify Security Settings, is not a public task (public="false"):

<ImsTask name="Modify Security Settings" tasktype="ADMIN" category="Home" application="SELF_MODIFY" tag="ModifySecuritySettings" action="SELF_MODIFY" object="USER" system="true" auditable="true" provisionable="true" workflow="true" external="false" hidden="false" public="false" checkscope="false" scopesecurity="AllObjectsInScope" autosynch="OFF" autoaccountsynch="AT_END" webservice="false" priority="4" category2="Tasks" category3="" taskorder="30" categoryorder="0" category2order="0" category3order="0" automaticexecution="false">

Based on this configuration, the task is working as designed.

Once you are logged in, you are already authenticated and authorized, so there is no need to submit the current password.

The screenshots from View Submitted Tasks show the password reset event working correctly, as they show both the old and the new values.

Only for public tasks, where users must authenticate themselves, are they required to submit their current password.

If the task were a self-service (public) task, it would require the user to enter the old password.
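As an added example (not part of this article or the product), the following audit script parses a roles and tasks XML export and reports which self-modify USER tasks are non-public and will therefore not prompt for the current password. The <RolesAndTasks> root, the second "Self Change Password" task, and matching password tasks on action="SELF_MODIFY" plus object="USER" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first ImsTask mirrors the element quoted in the article
# (attributes trimmed); the root element and the second task are assumptions.
SAMPLE_XML = """<RolesAndTasks>
  <ImsTask name="Modify Security Settings" tasktype="ADMIN" category="Home"
           application="SELF_MODIFY" tag="ModifySecuritySettings"
           action="SELF_MODIFY" object="USER" public="false"/>
  <ImsTask name="Self Change Password" tasktype="USER" category="Home"
           application="SELF_MODIFY" tag="SelfChangePassword"
           action="SELF_MODIFY" object="USER" public="true"/>
</RolesAndTasks>"""


def audit_self_modify_tasks(xml_text):
    """Return (task name, is_public) for every self-modify task on USER objects.

    Per the article, public="false" means the task never asks for the current
    password, while a public (self-service) task does ask for it.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter("ImsTask"):
        # Hypothetical selection rule: self-modify tasks acting on USER objects.
        if task.get("action") != "SELF_MODIFY" or task.get("object") != "USER":
            continue
        # A missing public attribute is treated as non-public (conservative).
        is_public = task.get("public", "false").strip().lower() == "true"
        findings.append((task.get("name"), is_public))
    return findings


def tasks_without_old_password_prompt(xml_text):
    """Names of self-modify USER tasks that will not require the old password."""
    return [name for name, public in audit_self_modify_tasks(xml_text) if not public]


def audit_file(path):
    """Run the audit against an exported roles and tasks XML file on disk."""
    with open(path, encoding="utf-8") as fh:
        return tasks_without_old_password_prompt(fh.read())


if __name__ == "__main__":
    for name in tasks_without_old_password_prompt(SAMPLE_XML):
        print(f'Task "{name}" is non-public: the old password field is not required')
```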