[Feature Request]: Ability to prevent user password changes
Is your feature request related to a problem? Please describe.
When using SCIM and SAML, there is no need for user password changes.
Describe the solution you'd like
Ability for admins to disable password changes and all password-change entry points.
It was said that was delivered as part of https://github.com/snipe/snipe-it/issues/14683, but I'm not seeing it.
Describe alternatives you've considered
No response
Additional context
No response
I think this would really be handled already by turning on the LDAP Sync. If you don't have LDAP enabled, it should hide all of the password interfaces.
(It's just phrased a little awkwardly.)
> I think this would really be handled already by turning on the LDAP Sync. If you don't have LDAP enabled, it should hide all of the password interfaces.
> (It's just phrased a little awkwardly.)
We don't use LDAP at all and can see the password pages and buttons. We use SAML and SCIM.
> I think this would really be handled already by turning on the LDAP Sync. If you don't have LDAP enabled, it should hide all of the password interfaces.
> (It's just phrased a little awkwardly.)
Following up on this. So if I'm using SAML and SCIM, and not using LDAP at all, should users not be seeing the change-password buttons?
Hi @snipe just looking at this again. Should I not see password-change buttons when using SAML?
Is there any update on this problem?
@designatedsuccessor did you find a way to do this?
> @designatedsuccessor did you find a way to do this?
No I did not. I don't think the Snipe-IT people even really understand the issue despite repeated attempts to educate so we gave up. Typical enshittification.
I found a way to do it, but in MariaDB. Are you using a DB??
Hi! If I understand correctly, reading https://github.com/snipe/snipe-it/issues/15014#issuecomment-2207373736 this would mean that: If I have an active/switched on LDAP sync, a user logging in using credentials via LDAP, they should not see 'change password' in their profile?
I'm on 7.0.10, which is newer than the referred introduction of disabling this. I have disabled profile edits, and indeed, the buttons to edit profiles are gone, but referring to passwords, users logging in still see the options to change password:
Can you please have another look at this? Thanks!
The Snipe people don't seem to know that LDAP is an old, decrepit protocol that no self-respecting organization should be using for modern auth, so from their perspective you're crazy for not just using LDAP and have password-change ability function. SAML and SSO are obviously more secure and Snipe reluctantly offers it, but they obviously put zero thought into turning off the password stuff with it. Security isn't Snipe's forte...more of an afterthought. It's an inventory management interface first, security second.
@designatedsuccessor The user already cannot save their password if they were imported via LDAP, and we really don't need the attitude.
https://github.com/snipe/snipe-it/blob/7f5ea30904282d2d24c4ed79a936fbb7aaaf1f8d/app/Http/Controllers/ProfileController.php#L118-L120
As you can see, it never actually gets saved if the user was imported via LDAP.
LOTS of people still use LDAP.
> SAML and SSO are obviously more secure and Snipe reluctantly offers it so from their perspective you're crazy for not just using LDAP and have password-change ability function
We always encourage IT Departments to transition to SCIM/SAML, but we cannot force the hands of the IT departments that use us.
> Security isn't Snipe's forte...more of an afterthought.
Sure, bro. 🙄
If you're not going to be helpful, maybe consider keeping your uninformed opinions to yourself. Nobody is forcing you to use this free software.
@mdvdhurk - we already don't allow the password change to save. I'm working on a PR that will hide those elements for users who are LDAP. It gets a bit harder with SCIM and SAML, since we don't really have a way of knowing which users are SCIM and SAML, but even if they do change their password, it won't really affect anything, since SAML will redirect away from the regular login anyway.
@mdvdhurk this PR might help: https://github.com/snipe/snipe-it/pull/16091
Thanks, appreciated! :)