)]}'
{"openstack_dashboard/api/rest/keystone.py":[{"author":{"_account_id":9576,"name":"Thai Tran","email":"tqtran@us.ibm.com","username":"tqtran"},"change_message_id":"5d53ff5ca47dae2a046946ba2adce80684e6f1a5","unresolved":false,"context_lines":[{"line_number":158,"context_line":""},{"line_number":159,"context_line":"        if \u0027password\u0027 in keys:"},{"line_number":160,"context_line":"            change_password \u003d True"},{"line_number":161,"context_line":"            if \u0027admin_password\u0027 in keys:"},{"line_number":162,"context_line":"                admin_password \u003d request.DATA[\u0027admin_password\u0027]"},{"line_number":163,"context_line":"                change_password \u003d api.keystone.user_verify_admin_password("},{"line_number":164,"context_line":"                    request, admin_password)"}],"source_content_type":"text/x-python","patch_set":1,"id":"fa1b9901_a10f2487","line":161,"updated":"2015-08-25 00:35:38.000000000","message":"All we are checking for here is whether or not admin_password is present. 
This is not very secure because I can just invoke this API without an admin_password to change someone\u0027s password even though ENFORCE_PASSWORD_CHECK is enabled in settings.","commit_id":"f057babb3dd199ad3bfcdef76caf04271490be9f"},{"author":{"_account_id":9622,"name":"Cindy Lu","email":"clu@us.ibm.com","username":"clu14"},"change_message_id":"71d7c44484abe3e91b4b4994fd3d8a21aa120204","unresolved":false,"context_lines":[{"line_number":158,"context_line":""},{"line_number":159,"context_line":"        if \u0027password\u0027 in keys:"},{"line_number":160,"context_line":"            change_password \u003d True"},{"line_number":161,"context_line":"            if \u0027admin_password\u0027 in keys:"},{"line_number":162,"context_line":"                admin_password \u003d request.DATA[\u0027admin_password\u0027]"},{"line_number":163,"context_line":"                change_password \u003d api.keystone.user_verify_admin_password("},{"line_number":164,"context_line":"                    request, admin_password)"}],"source_content_type":"text/x-python","patch_set":1,"id":"fa1b9901_fb703d42","line":161,"in_reply_to":"fa1b9901_a10f2487","updated":"2015-08-25 18:48:21.000000000","message":"Hi, not sure I understand your problem.  
ENFORCE_PASSWORD_CHECK would be checked on the UI (something like https://review.openstack.org/#/c/176540/3/openstack_dashboard/dashboards/identity/users/templates/users/form.html) - so the admin_password would be in the object passed here.","commit_id":"f057babb3dd199ad3bfcdef76caf04271490be9f"},{"author":{"_account_id":9576,"name":"Thai Tran","email":"tqtran@us.ibm.com","username":"tqtran"},"change_message_id":"39c081e6bc167420f134c6222a5713295cb48424","unresolved":false,"context_lines":[{"line_number":158,"context_line":""},{"line_number":159,"context_line":"        if \u0027password\u0027 in keys:"},{"line_number":160,"context_line":"            change_password \u003d True"},{"line_number":161,"context_line":"            if \u0027admin_password\u0027 in keys:"},{"line_number":162,"context_line":"                admin_password \u003d request.DATA[\u0027admin_password\u0027]"},{"line_number":163,"context_line":"                change_password \u003d api.keystone.user_verify_admin_password("},{"line_number":164,"context_line":"                    request, admin_password)"}],"source_content_type":"text/x-python","patch_set":1,"id":"9a68dd71_4f434aaf","line":161,"in_reply_to":"fa1b9901_fb703d42","updated":"2016-01-26 02:02:49.000000000","message":"Understood, you\u0027re assuming that I\u0027m making the REST API call from the UI. If you\u0027re making this call from a web REST client, you could bypass the check entirely.","commit_id":"f057babb3dd199ad3bfcdef76caf04271490be9f"}]}
