Hi all,
this concerns the default reset/change password page for workspace end users in Apex (page 68 in application 4350):
As fas as I know, there is now way to prohibit end users in the workspace to access that page. When end users log into the workspace they are automatically redirected to that page b/c obviously they mustn't use the application builder.
The problem with the page is,that it does not require the end user to submit the old password although the URL looks like follows:
https://host:port/ords/r/apex/workspace-admin/change-password1?p68_user_id=9866909725770877&p68_ask_current=Y&session=6663720172412&cs=...
So the URL contains p68_ask_current=Y but no input field for the current password is displayed. This enables end users to change their password without being compliant with the password complexity rules which in our case specify that the new and old password must differ by at least 2 characters. Developers on the other hand have to specify the old password when changing their password in the application builder.
Does anyone have an idea how to solve this? In my opionion it's a bug.
I am using Apex 24.1 with the latest patch.
Regards,
christof_b