In Bahmni we have recently developed the Change Password feature for the logged-in user. Please refer to the following link
For developing this feature we have used UserResource2_0 in webservices rest. But this endpoint doesn't support verification of the old password.
Our use case is that we need to verify the old password as well, to make sure that whoever is changing the password is authorized. Capturing the new password alone is not sufficient to make sure that the person is authorized. It can happen that one logs in to Bahmni and just leaves it open for some time and steps out for some work, or loses the device. We thought that from a security point of view it is also good to capture the old password as well. Any inputs/thoughts on this?
(@padmavati I have moved this post to the #dev category so that more OpenMRS devs see it.)
I agree that it is a bug that the OpenMRS REST API allows a user to change their password without needing to provide the existing one. The underlying Java API does require this (here) and we should maintain the same in the REST API.
So, the right thing to do is to create a ticket and fix this in the REST module.
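To illustrate the gap discussed in this thread, here is an added example (not OpenMRS or Bahmni code) that puts the unchecked change-password behaviour beside a hardened version that requires the current password first. The user store, hashing scheme and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, PBKDF2 hash). Hypothetical.
USERS = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _set_password(username: str, password: str) -> None:
    # Always re-salt when a password is stored.
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def create_user(username: str, password: str) -> None:
    _set_password(username, password)


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison of the stored and candidate hashes.
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password_unchecked(username: str, new_password: str) -> bool:
    """The behaviour the thread describes: anyone holding a live session for
    this user can set a new password without proving they know the old one."""
    if username not in USERS:
        return False
    _set_password(username, new_password)
    return True


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """Hardened form: the current password must be supplied and must verify
    before the change is accepted, matching what the Java API requires."""
    if not verify_password(username, old_password):
        return False
    if not new_password or new_password == old_password:
        return False
    _set_password(username, new_password)
    return True
```

With the checked version, an unattended session is no longer enough on its own to take over the account, since the caller still has to present the current password.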