Affects Version/s: 7.2.X, 7.3.X, Master
Component/s: User Management
Liferay doesn't have a toggle for enabling and disabling Password Verification for user account changes. It is enabled by default starting with LPS-112726. Although the security concerns are completely valid, this use case doesn't take SSO usage into consideration. When using an SSO, the assumption is that the user will never need to manage, know, or even have a Liferay application password. It should be possible to disable the enforcement of Password Verification for user account changes (to the email address or screen name).
Steps to Reproduce
- Start Liferay
- Sign in to Liferay
- Create a new user
- Sign in as the new user
- Edit the user's account settings
- Change the email address or screen name
- Click Save
Due to LPS-112726, we get a prompt that a password is required.
LPS-112726 needs to consider environments that use an SSO where a Liferay password is not maintained or used. I would expect that there is a toggle or property to disable this functionality.
- 7.3.x-private Commit: 8216c588e3d7d5ffb0819ecc815f1fd53207c8c7
- Master-private Commit: ad820095bf57409341e820a33604db87e19c8451