diff --git a/.changeset/lemon-pets-wait.md b/.changeset/lemon-pets-wait.md
new file mode 100644
index 00000000000..264de80731a
--- /dev/null
+++ b/.changeset/lemon-pets-wait.md
@@ -0,0 +1,6 @@
+---
+"@wso2is/admin.validation.v1": patch
+"@wso2is/console": patch
+---
+
+Disable rule based password expiry for users without required scopes
diff --git a/apps/console/src/public/deployment.config.json b/apps/console/src/public/deployment.config.json
index 831f821ca3f..72fabfe981c 100644
--- a/apps/console/src/public/deployment.config.json
+++ b/apps/console/src/public/deployment.config.json
@@ -732,9 +732,7 @@
 "console:loginAndRegistration"
 ],
 "read": [
- "internal_governance_view",
- "internal_group_mgt_view",
- "internal_role_mgt_view"
+ "internal_governance_view"
 ],
 "update": [
 "internal_config_update",
diff --git a/features/admin.validation.v1/constants/validation-config-constants.ts b/features/admin.validation.v1/constants/validation-config-constants.ts
index 9ecd2d3b615..b51be91a1a0 100644
--- a/features/admin.validation.v1/constants/validation-config-constants.ts
+++ b/features/admin.validation.v1/constants/validation-config-constants.ts
@@ -41,6 +41,14 @@ export class ValidationConfigConstants {
 PASSWORD_MIN_VALUE: 5
 };
 
+ /**
+ * These scopes are checked to determine whether to display the new rule-based password expiry configuration UI.
+ * If these scopes are not available, legacy password expiry configuration will be shown for backward compatibility.
+ */
+ public static readonly RULE_BASED_PASSWORD_EXPIRY_REQUIRED_SCOPES: string[] = [
+ "internal_role_mgt_view",
+ "internal_group_mgt_view"
+ ];
 }
 
 /**
diff --git a/features/admin.validation.v1/pages/validation-config-edit.tsx b/features/admin.validation.v1/pages/validation-config-edit.tsx
index 297e5ea5fed..8218b1703b5 100644
--- a/features/admin.validation.v1/pages/validation-config-edit.tsx
+++ b/features/admin.validation.v1/pages/validation-config-edit.tsx
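Review bot: `RULE_BASED_PASSWORD_EXPIRY_REQUIRED_SCOPES` is declared as `string[]`, so `readonly` only stops reassignment of the field and any caller can still push into or splice the shared scope list; declaring it `readonly string[]` (or appending `as const`) makes the scope set itself immutable, assuming `useRequiredScopes` accepts a readonly array. The same two scope strings are the ones this commit removes from the `read` list in apps/console/src/public/deployment.config.json, so the requirement now lives in code rather than in deployment configuration; a one-line comment on the constant noting that the feature-level `read` scopes were deliberately narrowed would help the next reader of either file. I would change the declaration to `public static readonly RULE_BASED_PASSWORD_EXPIRY_REQUIRED_SCOPES: readonly string[] = [`.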
@@ -97,7 +97,6 @@ export const ValidationConfigEditPage: FunctionComponent state?.config?.ui?.features?.loginAndRegistration?.disabledFeatures); - const isRuleBasedPasswordExpiryDisabled: boolean = disabledFeatures?.includes("ruleBasedPasswordExpiry"); const featureConfig: FeatureConfigInterface = useSelector((state: AppState) => state?.config?.ui?.features); const [ isSubmitting, setSubmitting ] = useState(false); @@ -137,6 +136,10 @@ export const ValidationConfigEditPage: FunctionComponent([]); const isReadOnly: boolean = !useRequiredScopes(featureConfig?.governanceConnectors?.scopes?.update); + const hasScopesForRuleBasedPasswordExpiry: boolean = + useRequiredScopes(ValidationConfigConstants.RULE_BASED_PASSWORD_EXPIRY_REQUIRED_SCOPES); + const isRuleBasedPasswordExpiryDisabled: boolean = disabledFeatures?.includes("ruleBasedPasswordExpiry") + || !hasScopesForRuleBasedPasswordExpiry; const { data: passwordHistoryCountData, @@ -600,14 +603,21 @@ export const ValidationConfigEditPage: FunctionComponent { if (hasPasswordExpiryRuleErrors) return; - const processedFormValues: ValidationFormInterface = { + let processedFormValues: ValidationFormInterface = { ...values, - passwordExpiryEnabled: passwordExpiryEnabled, - passwordExpiryRules: processPasswordExpiryRules(), - passwordExpirySkipFallback: passwordExpirySkipFallback, - passwordExpiryTime: defaultPasswordExpiryTime + passwordExpiryEnabled: passwordExpiryEnabled }; + if (!isRuleBasedPasswordExpiryDisabled) { + processedFormValues = { + ...values, + passwordExpiryEnabled: passwordExpiryEnabled, + passwordExpiryRules: processPasswordExpiryRules(), + passwordExpirySkipFallback: passwordExpirySkipFallback, + passwordExpiryTime: defaultPasswordExpiryTime + }; + } + const updatePasswordPolicies: Promise = serverConfigurationConfig.processPasswordPoliciesSubmitData( processedFormValues, !isPasswordInputValidationEnabled
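Review bot: In the submit hunk (`@@ -600,14 +603,21 @@`) `processedFormValues` is assembled twice with the same `...values` and `passwordExpiryEnabled` members, and the `let` exists only so the second literal can overwrite the first; a single `const` with a conditional spread for the rule-based fields expresses the same two cases without the duplication. Note that when rule-based expiry is disabled the request no longer carries `passwordExpiryTime: defaultPasswordExpiryTime`, so the legacy path must get that value from `values` — worth confirming the legacy form field still populates it. The declaration of `isRuleBasedPasswordExpiryDisabled` also moves about forty lines down (`@@ -97,7 +97,6 @@` to `@@ -137,6 +136,10 @@`); as a `const`, any use between the old and new positions would now hit the temporal dead zone, so that stretch (outside this diff) should be checked. The submit handler starts and ends outside the hunk.
```typescript
// … unchanged: hasPasswordExpiryRuleErrors guard …
const processedFormValues: ValidationFormInterface = {
    ...values,
    passwordExpiryEnabled: passwordExpiryEnabled,
    ...(isRuleBasedPasswordExpiryDisabled ? {} : {
        passwordExpiryRules: processPasswordExpiryRules(),
        passwordExpirySkipFallback: passwordExpirySkipFallback,
        passwordExpiryTime: defaultPasswordExpiryTime
    })
};
// … unchanged: updatePasswordPolicies call …
```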