REST should require you to send the old password when updating your password


In Bahmni we have recently developed the Change Password feature for logged in user.Please refer to the following link For developing this feature we have used UserResource2_0 in webservices rest.But this end point doesn’t support verification old password.

Our use case is we need to verify the old password as well, to make sure that person whoever is changing the password is authorized. Capturing new password is not sufficient enough to make sure that the person is authorized. It can happen that one can login to Bahmni and just leave it open for some time and step out for some work/loosing of device.We thought that from security point of view also it is good to capture old password as well. Any inputs/thoughts on this ? @darius @vinay @bharatak @angshuonline

(@padmavati I have moved this post to the #dev category so that more OpenMRS devs see it.)

I agree that it is a bug that the OpenMRS REST API allows a user to change their password without needing to provide the existing one. The underlying Java API does require this (here) and we should maintain the same in the REST API.

So, the right thing to do is to create a ticket and fix this in the REST module.

Want to do that?

Hi @darius

Thanks for the reply. Yes I would like to take this up.

@padmavati, great! Go ahead and create a ticket on (requesting access from if you need it) and share a link here for reference.

We have raised an issue in openmrs. Following is the link

Pull request to accept the old password has been merged. Can you please release webservices-rest ? Bahmni 88 release is dependent on this change password change.

@padmavati are you referring to this? If yes, the ticket status is In Progress, and with a comment that needs a response.

Actually this was already merged. The ticket was not updated to reflect this, but I have updated it now.

@padmavati are you doing the remaining work that Darius mentioned on the ticket?

@dkayiwa Yes, we are doing the remaining work.

@padmavati feel free to ping someone on your team to do the release. Am sure you already have a good number of them with the necessary permissions. :slight_smile:

Thanks daniel. Will ask some one from our team.

@dkayiwa, @raff, we want to release this version of the RESTWS module very soon, since it’s on the critical path for us to get our Bahmni release out, and we’re in the last stages of testing.

However the ticket RESTWS-627 has code committed, but it’s in the Design state. Please help us figure out what to do with this ticket.

1 Like

FYI I poked around about RESTWS-627 and the discussion thread for it is: Module identifiers in RESTWS module