Results 1 to 4 of 4
  1. #1
    Join Date
    Aug 2005
    Posts
    196

    Unanswered: Security letting me change other passwords!

    Hi,

    I'm trying to code a facility whereby a user can change their own password, but not anyone elses. This is the code I have right now:

    Code:
    DBEngine(0).Users(UName).NewPassword OldPwsd, newPwd
    If I'm logged in as Marmaduke, it is letting me change other users' passwords, however, it's not letting me change marmaduke's password giving error number 3033 - "You do not have the necessary permissions...." etc! This is the opposite of what I want to happen. When logged in as Developer, it lets me change anyone's password (which is fine). How do I let it change my own password but not anyone elses when logged in as a normal user?

  2. #2
    Join Date
    Aug 2005
    Posts
    196
    I've got a bit further with this:

    The user is in the admins group and therefore has therefore got the ability to change other users' passwords without entering the old one. I want to code out this facility so using the following code:

    Code:
    DBEngine.Workspaces(0).Users(UName).NewPassword OldPwsd, newPwd
    Exit sub

    handleErr:
    if err.number=3033 then
    Msgbox "The current passowrd is incorrect"


    If the password you are trying to change is your own, it picks up an error if you type the wrong current password. However, when it's another user, it does not pick up an error, therefore enabling you to change another users' password without correctly entering the old one! How can I pick up that the current password is incorrect?

  3. #3
    Join Date
    Nov 2004
    Location
    Harrogate, N.Yorks, UK
    Posts
    83
    Can you not just add the 'user and group accounts' button to the toolbar? The password change from the 'change logon password' tab only allows a change to the account that the user is logged in on anyway unless they are part of the Admin group.

  4. #4
    Join Date
    Aug 2005
    Posts
    196
    The problem is I need to have the users set as admin so that they can add new users, however, I don't want them to be able to change passwords of other users without having to correctly enter the existing password. Being part of the admin group enables them to do that. I can block them from changing any passwords at all by testing if they are not in the fullaccess group. However, if they are in the full access group, I want them to be able to change the password of another user, but not without correctly entering the exisiting password.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •