2 Replies Latest reply on Jan 15, 2018 10:16 AM by mnudel
    mnudel Apprentice

    How to enable a user to change his password safely?

    I removed 'Users' user group from 'Everyone' organisation in order to implement granular visibility as suggested in ThingWorx documentation. There is no associated user or user group in 'Users' and 'User Groups' collections. Service invoke is enabled via override.


    From the code below, one can conclude that in order to change his/her password, a user must be able to 'see' his own user entity. For that to happen, an entity must have a 'Visibility' set to a particular organisational unit. A user must be a member of that organisational unit.


    As a result, he/she would be able to acquire a list of ALL users linked to that organisational unit simply by modifying a URL ('https://myapp.twx.com/ThingWorx/Users'). Surely, there must be an alternative way without compromising on sensitive information. Thank you.


    // Service inputs (all STRING): userName, oldPassword, newPassword, newPasswordConfirm
    var params = {
         newPasswordConfirm: newPasswordConfirm /* STRING */,
         oldPassword: oldPassword /* STRING */,
         newPassword: newPassword /* STRING */
    };

    // Looks up the target User entity by name, so the caller needs visibility of that entity.
    // no return
    Users[userName].ChangePassword(params);