update authz for user password resets

ezekg · ezekg · commit 69421ae06293 · 2025-10-22T10:22:59.000-05:00
diff --git a/app/models/concerns/password_resettable.rb b/app/models/concerns/password_resettable.rb
@@ -15,6 +15,9 @@ def generate_password_reset_token
   end
 
   def send_password_reset_email(token:)
+    return if
+      managed? # managed users aren't allowed to reset password
+
     UserMailer.password_reset(user: self, token: token).deliver_later
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -456,9 +456,11 @@ def free_or_disposable_email?
   def single_sign_on_enabled? = !role.user? && account.sso?
   alias :sso_enabled? :single_sign_on_enabled?
 
-  def password?
-    password_digest?
-  end
+  def password?     = password_digest?
+  def passwordless? = !password?
+
+  # NOTE(ezekg) a "managed user" is a passwordless user with the "user" role
+  def managed?  = account.protected? && has_role?(:user) && passwordless?
 
   def active?(t = 90.days.ago)
     created_at >= t || any_active_licenses.any?
diff --git a/app/policies/users/password_policy.rb b/app/policies/users/password_policy.rb
@@ -17,9 +17,9 @@ def reset?
       verify_permissions!('user.password.reset')
       verify_environment!
 
-      # User's without a password set cannot reset their password if account is protected
+      # users without a password set cannot reset their password
       deny! if
-        user.has_role?(:user) && account.protected? && !user.password?
+        user.managed?
 
       bearer.nil? || user == bearer
     end
