From 675e5514841906438ff7a4ead09d7c79336b9e41 Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Wed, 23 Jun 2021 15:59:13 -0700
Subject: [PATCH] Fix authorization check in reset password (#1182)
Improper authorization checks made it so that users could not reset their password with a reset token.
---
server/service/service_users.go | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/server/service/service_users.go b/server/service/service_users.go
index 08ec132caa..9d4955d0d2 100644
--- a/server/service/service_users.go
+++ b/server/service/service_users.go
@@ -299,19 +299,20 @@ func (svc *Service) ChangePassword(ctx context.Context, oldPass, newPass string)
 }
 func (svc *Service) ResetPassword(ctx context.Context, token, password string) error {
+ // skipauth: No viewer context available. The user is locked out of their
+ // account and authNZ is performed entirely by providing a valid password
+ // reset token.
+ svc.authz.SkipAuthorization(ctx)
+
 reset, err := svc.ds.FindPassswordResetByToken(token)
 if err != nil {
 return errors.Wrap(err, "looking up reset by token")
 }
- user, err := svc.User(ctx, reset.UserID)
+ user, err := svc.ds.UserByID(reset.UserID)
 if err != nil {
 return errors.Wrap(err, "retrieving user")
 }
- if err := svc.authz.Authorize(ctx, user, fleet.ActionWrite); err != nil {
- return err
- }
-
 if user.SSOEnabled {
 return errors.New("password reset for single sign on user not allowed")
 }
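Review bot: After the added `svc.authz.SkipAuthorization(ctx)` the reset token is the only credential on this path, yet nothing in the hunk checks that the `reset` record returned by `FindPassswordResetByToken` is still within its validity window or that it is consumed after a successful reset; ResetPassword continues past the end of the hunk, so those checks may live there, but the skipauth comment should say where the token's expiry and single-use guarantees are enforced so the next reader does not have to re-verify the bypass. Suggested wording next to the skipauth note: `// The token is the sole credential here; its expiry and one-time use are enforced below.` (or add the check if it is absent). Separately, the lookup wraps any datastore error as "looking up reset by token", so an unknown or stale token and a database outage surface identically to the caller; mapping the not-found case to a distinct error would let the handler return an authentication failure rather than a server error and keep the two cases distinguishable in logs.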