allow users to reset their own password/2fa fixes #686

2021-09-04 22:15:51 +00:00
parent 44182ec683
commit f772a4ec56
1 changed files with 15 additions and 0 deletions
--- a/api/tacticalrmm/accounts/permissions.py
+++ b/api/tacticalrmm/accounts/permissions.py
@@ -8,6 +8,21 @@ class AccountsPerms(permissions.BasePermission):
        if r.method == "GET":
            return True

+        # allow users to reset their own password/2fa see issue #686
+        base_path = "/accounts/users/"
+        paths = ["reset/", "reset_totp/"]
+
+        if r.path in [base_path + i for i in paths]:
+            from accounts.models import User
+
+            try:
+                user = User.objects.get(pk=r.data["id"])
+            except User.DoesNotExist:
+                pass
+            else:
+                if user == r.user:
+                    return True
+
        return _has_perm(r, "can_manage_accounts")