allow enforcing password change for all role types and update reset pwd flow for passwordchangerequired

Author: sudo87

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -1587,8 +1587,9 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
     }
 
     private void updatePasswordChangeRequired(User caller, UpdateUserCmd updateUserCmd, UserVO user) {
-        if (StringUtils.isNotBlank(updateUserCmd.getPassword()) && isNormalUser(user.getAccountId())) {
-            boolean isPasswordResetRequired = updateUserCmd.isPasswordChangeRequired();
+        if (StringUtils.isNotBlank(updateUserCmd.getPassword())) {
+            boolean isCallerSameAsUser = user.getId() == caller.getId();
+            boolean isPasswordResetRequired = updateUserCmd.isPasswordChangeRequired() && !isCallerSameAsUser;
             // Admins only can enforce passwordChangeRequired for user
             if ((isRootAdmin(caller.getAccountId()) || isDomainAdmin(caller.getAccountId()))) {
                 if (isPasswordResetRequired) {
@@ -1597,11 +1598,8 @@ private void updatePasswordChangeRequired(User caller, UpdateUserCmd updateUserC
             }
 
             // Remove passwordChangeRequired if user updating own pwd or admin has not enforced it
-            if ((caller.getId() == user.getId()) || !isPasswordResetRequired) {
-                UserDetailVO userDetailVO = _userDetailsDao.findDetail(user.getId(), PasswordChangeRequired);
-                if (userDetailVO != null) {
-                    _userDetailsDao.removeDetail(user.getId(), PasswordChangeRequired);
-                }
+            if (isCallerSameAsUser || !isPasswordResetRequired) {
+                _userDetailsDao.removeDetail(user.getId(), PasswordChangeRequired);
             }
         }
     }

server/src/main/java/org/apache/cloudstack/user/UserPasswordResetManagerImpl.java

@@ -48,6 +48,7 @@
 import java.util.Set;
 import java.util.UUID;
 
+import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordChangeRequired;
 import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordResetToken;
 import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordResetTokenExpiryDate;
 
@@ -247,6 +248,8 @@ void resetPassword(UserAccount userAccount, String password) {
 
         userDetailsDao.removeDetail(userAccount.getId(), PasswordResetToken);
         userDetailsDao.removeDetail(userAccount.getId(), PasswordResetTokenExpiryDate);
+        // remove password change required if user reset password
+        userDetailsDao.removeDetail(userAccount.getId(), PasswordChangeRequired);
 
         userDao.persist(user);
     }

ui/src/views/iam/ChangeUserPassword.vue

@@ -49,7 +49,7 @@
             v-model:value="form.confirmpassword"
             :placeholder="$t('label.confirmpassword.description')"/>
         </a-form-item>
-        <a-form-item v-if="isAdminOrDomainAdmin() && isNormalUserResource()" name="passwordChangeRequired" ref="passwordChangeRequired">
+        <a-form-item v-if="isAdminOrDomainAdmin() && isCallerNotSameAsUser()" name="passwordChangeRequired" ref="passwordChangeRequired">
             <a-checkbox v-model:checked="form.passwordChangeRequired">
               {{ $t('label.change.password.onlogin') }}
             </a-checkbox>
@@ -104,12 +104,13 @@ export default {
         ]
       })
     },
-    isNormalUserResource () {
-      return ['User'].includes(this.resource.roletype)
-    },
     isAdminOrDomainAdmin () {
       return ['Admin', 'DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
     },
+    isCallerNotSameAsUser () {
+      const userId = this.$store.getters.userInfo.id
+      return userId !== this.resource.id
+    },
     isValidValueForKey (obj, key) {
       return key in obj && obj[key] != null
     },

ui/src/views/iam/ForceChangePassword.vue

@@ -167,14 +167,10 @@ export default {
           currentpassword: values.currentpassword
         }
         postAPI('updateUser', params).then(() => {
-          this.$message.success(this.$t('message.success.change.password'))
+          this.$message.success(this.$t('message.please.login.new.password'))
           this.isSubmitted = true
         }).catch(error => {
           console.error(error)
-          this.$notification.error({
-            message: 'Error',
-            description: error.response?.data?.updateuserresponse?.errortext || 'Failed to update password'
-          })
           this.$message.error(this.$t('message.error.change.password'))
         }).finally(() => {
           this.loading = false