feat(FGAPv2): introduce RESET_PASSWORD scope and evaluation

- Add RESET_PASSWORD to AdminPermissionsSchema.USERS
- Require RESET_PASSWORD in UserResource.resetPassword()
- Expose canResetPassword()/requireResetPassword()
- Implement FGAP v2 deny-overrides + secure-by-default + optional fallback
- Include access.resetPassword for Admin Console

Closes #41901

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Bagautdino <336373@edu.itmo.ru>
This commit is contained in:
Bagautdino
2025-08-15 11:53:02 +03:00
committed by Pedro Igor
parent 28d3b2dd29
commit d225bce21f
16 changed files with 199 additions and 17 deletions

View File

@@ -68,6 +68,8 @@ set of scopes:
| *manage-group-membership* | Defines if a realm administrator can assign or unassign users to/from groups. | None
| *map-roles* | Defines if a realm administrator can assign or unassign roles to/from users. | None
| *impersonate* | Defines if a realm administrator can impersonate other users. | `impersonate-members`
| *reset-password* | Defines if a realm administrator can reset user passwords. By default, this scope falls | None
back to `manage` scope behavior (configurable via `fgap.v2.resetPassword.fallbackToManageUsers`).
|===
The user resource type has a strong relationship with some of the permissions you can set to groups. Most of the time,