merge with 2.0.0-m3

2025-11-10 15:35:49 +01:00 · 2018-10-01 13:19:20 +02:00
parent 360bb807b9 8b81898f7e
commit 82c44ccbdf
70 changed files with 2224 additions and 487 deletions
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/BranchChangesetCollectionToDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/BranchChangesetCollectionToDtoMapper.java
@@ -0,0 +1,26 @@
+package sonia.scm.api.v2.resources;
+
+import sonia.scm.PageResult;
+import sonia.scm.repository.Changeset;
+import sonia.scm.repository.Repository;
+
+import javax.inject.Inject;
+
+public class BranchChangesetCollectionToDtoMapper extends ChangesetCollectionToDtoMapperBase {
+
+  private final ResourceLinks resourceLinks;
+
+  @Inject
+  public BranchChangesetCollectionToDtoMapper(ChangesetToChangesetDtoMapper changesetToChangesetDtoMapper, ResourceLinks resourceLinks) {
+    super(changesetToChangesetDtoMapper);
+    this.resourceLinks = resourceLinks;
+  }
+
+  public CollectionDto map(int pageNumber, int pageSize, PageResult<Changeset> pageResult, Repository repository, String branch) {
+    return this.map(pageNumber, pageSize, pageResult, repository, () -> createSelfLink(repository, branch));
+  }
+
+  private String createSelfLink(Repository repository, String branch) {
+    return resourceLinks.branch().history(repository.getNamespaceAndName(), branch);
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/BranchRootResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/BranchRootResource.java
@@ -3,6 +3,7 @@ package sonia.scm.api.v2.resources;
 import com.webcohesion.enunciate.metadata.rs.ResponseCode;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
+import sonia.scm.NotFoundException;
 import sonia.scm.PageResult;
 import sonia.scm.repository.Branches;
 import sonia.scm.repository.Changeset;
@@ -32,14 +33,14 @@ public class BranchRootResource {
  private final BranchToBranchDtoMapper branchToDtoMapper;
  private final BranchCollectionToDtoMapper branchCollectionToDtoMapper;

-  private final ChangesetCollectionToDtoMapper changesetCollectionToDtoMapper;
+  private final BranchChangesetCollectionToDtoMapper branchChangesetCollectionToDtoMapper;

  @Inject
-  public BranchRootResource(RepositoryServiceFactory serviceFactory, BranchToBranchDtoMapper branchToDtoMapper, BranchCollectionToDtoMapper branchCollectionToDtoMapper, ChangesetCollectionToDtoMapper changesetCollectionToDtoMapper) {
+  public BranchRootResource(RepositoryServiceFactory serviceFactory, BranchToBranchDtoMapper branchToDtoMapper, BranchCollectionToDtoMapper branchCollectionToDtoMapper, BranchChangesetCollectionToDtoMapper changesetCollectionToDtoMapper) {
    this.serviceFactory = serviceFactory;
    this.branchToDtoMapper = branchToDtoMapper;
    this.branchCollectionToDtoMapper = branchCollectionToDtoMapper;
-    this.changesetCollectionToDtoMapper = changesetCollectionToDtoMapper;
+    this.branchChangesetCollectionToDtoMapper = changesetCollectionToDtoMapper;
  }

  /**
@@ -98,6 +99,14 @@ public class BranchRootResource {
                          @DefaultValue("0") @QueryParam("page") int page,
                          @DefaultValue("10") @QueryParam("pageSize") int pageSize) throws Exception {
    try (RepositoryService repositoryService = serviceFactory.create(new NamespaceAndName(namespace, name))) {
+      boolean branchExists = repositoryService.getBranchesCommand()
+        .getBranches()
+        .getBranches()
+        .stream()
+        .anyMatch(branch -> branchName.equals(branch.getName()));
+      if (!branchExists){
+        throw new NotFoundException("branch", branchName);
+      }
      Repository repository = repositoryService.getRepository();
      RepositoryPermissions.read(repository).check();
      ChangesetPagingResult changesets = new PagedLogCommandBuilder(repositoryService)
@@ -108,7 +117,7 @@ public class BranchRootResource {
        .getChangesets();
      if (changesets != null && changesets.getChangesets() != null) {
        PageResult<Changeset> pageResult = new PageResult<>(changesets.getChangesets(), changesets.getTotal());
-        return Response.ok(changesetCollectionToDtoMapper.map(page, pageSize, pageResult, repository)).build();
+        return Response.ok(branchChangesetCollectionToDtoMapper.map(page, pageSize, pageResult, repository, branchName)).build();
      } else {
        return Response.ok().build();
      }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangePasswordNotAllowedExceptionMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangePasswordNotAllowedExceptionMapper.java
@@ -0,0 +1,17 @@
+package sonia.scm.api.v2.resources;
+
+import sonia.scm.user.ChangePasswordNotAllowedException;
+
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+
+@Provider
+public class ChangePasswordNotAllowedExceptionMapper implements ExceptionMapper<ChangePasswordNotAllowedException> {
+  @Override
+  public Response toResponse(ChangePasswordNotAllowedException exception) {
+    return Response.status(Response.Status.BAD_REQUEST)
+      .entity(exception.getMessage())
+      .build();
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangesetCollectionToDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangesetCollectionToDtoMapper.java
@@ -5,31 +5,22 @@ import sonia.scm.repository.Changeset;
 import sonia.scm.repository.Repository;

 import javax.inject.Inject;
-import java.util.Optional;
-import java.util.function.Supplier;

-public class ChangesetCollectionToDtoMapper extends PagedCollectionToDtoMapper<Changeset, ChangesetDto> {
+public class ChangesetCollectionToDtoMapper extends ChangesetCollectionToDtoMapperBase {

-  private final ChangesetToChangesetDtoMapper changesetToChangesetDtoMapper;
-  protected final ResourceLinks resourceLinks;
+  private final ResourceLinks resourceLinks;

  @Inject
  public ChangesetCollectionToDtoMapper(ChangesetToChangesetDtoMapper changesetToChangesetDtoMapper, ResourceLinks resourceLinks) {
-    super("changesets");
-    this.changesetToChangesetDtoMapper = changesetToChangesetDtoMapper;
+    super(changesetToChangesetDtoMapper);
    this.resourceLinks = resourceLinks;
  }

  public CollectionDto map(int pageNumber, int pageSize, PageResult<Changeset> pageResult, Repository repository) {
-    return this.map(pageNumber, pageSize, pageResult, repository, () -> createSelfLink(repository));
+    return super.map(pageNumber, pageSize, pageResult, repository, () -> createSelfLink(repository));
  }

-  public CollectionDto map(int pageNumber, int pageSize, PageResult<Changeset> pageResult, Repository repository, Supplier<String> selfLinkSupplier) {
-    return super.map(pageNumber, pageSize, pageResult, selfLinkSupplier.get(), Optional.empty(), changeset -> changesetToChangesetDtoMapper.map(changeset, repository));
-  }
-
-  protected String createSelfLink(Repository repository) {
+  private String createSelfLink(Repository repository) {
    return resourceLinks.changeset().all(repository.getNamespace(), repository.getName());
  }
 }
-
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangesetCollectionToDtoMapperBase.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangesetCollectionToDtoMapperBase.java
@@ -0,0 +1,23 @@
+package sonia.scm.api.v2.resources;
+
+import sonia.scm.PageResult;
+import sonia.scm.repository.Changeset;
+import sonia.scm.repository.Repository;
+
+import java.util.Optional;
+import java.util.function.Supplier;
+
+class ChangesetCollectionToDtoMapperBase extends PagedCollectionToDtoMapper<Changeset, ChangesetDto> {
+
+  private final ChangesetToChangesetDtoMapper changesetToChangesetDtoMapper;
+
+  ChangesetCollectionToDtoMapperBase(ChangesetToChangesetDtoMapper changesetToChangesetDtoMapper) {
+    super("changesets");
+    this.changesetToChangesetDtoMapper = changesetToChangesetDtoMapper;
+  }
+
+  CollectionDto map(int pageNumber, int pageSize, PageResult<Changeset> pageResult, Repository repository, Supplier<String> selfLinkSupplier) {
+    return super.map(pageNumber, pageSize, pageResult, selfLinkSupplier.get(), Optional.empty(), changeset -> changesetToChangesetDtoMapper.map(changeset, repository));
+  }
+}
+
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/FileHistoryCollectionToDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/FileHistoryCollectionToDtoMapper.java
@@ -6,19 +6,22 @@ import sonia.scm.repository.Repository;

 import javax.inject.Inject;

-public class FileHistoryCollectionToDtoMapper extends ChangesetCollectionToDtoMapper {
+public class FileHistoryCollectionToDtoMapper extends ChangesetCollectionToDtoMapperBase {


+  private final ResourceLinks resourceLinks;
+
  @Inject
  public FileHistoryCollectionToDtoMapper(ChangesetToChangesetDtoMapper changesetToChangesetDtoMapper, ResourceLinks resourceLinks) {
-    super(changesetToChangesetDtoMapper, resourceLinks);
+    super(changesetToChangesetDtoMapper);
+    this.resourceLinks = resourceLinks;
  }

  public CollectionDto map(int pageNumber, int pageSize, PageResult<Changeset> pageResult, Repository repository, String revision, String path) {
    return super.map(pageNumber, pageSize, pageResult, repository, () -> createSelfLink(repository, revision, path));
  }

-  protected String createSelfLink(Repository repository, String revision, String path) {
-    return super.resourceLinks.fileHistory().self(repository.getNamespace(), repository.getName(), revision, path);
+  private String createSelfLink(Repository repository, String revision, String path) {
+    return resourceLinks.fileHistory().self(repository.getNamespace(), repository.getName(), revision, path);
  }
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IdResourceManagerAdapter.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IdResourceManagerAdapter.java
@@ -10,6 +10,7 @@ import sonia.scm.PageResult;

 import javax.ws.rs.core.Response;
 import java.util.Optional;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
@@ -37,6 +38,15 @@ class IdResourceManagerAdapter<MODEL_OBJECT extends ModelObject,
    return singleAdapter.get(loadBy(id), mapToDto);
  }

+  public Response update(String id, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges, Consumer<MODEL_OBJECT> checker) throws NotFoundException, ConcurrentModificationException {
+    return singleAdapter.update(
+      loadBy(id),
+      applyChanges,
+      idStaysTheSame(id),
+      checker
+    );
+  }
+
  public Response update(String id, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges) throws NotFoundException, ConcurrentModificationException {
    return singleAdapter.update(
      loadBy(id),
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/InvalidPasswordExceptionMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/InvalidPasswordExceptionMapper.java
@@ -0,0 +1,17 @@
+package sonia.scm.api.v2.resources;
+
+import sonia.scm.user.InvalidPasswordException;
+
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+
+@Provider
+public class InvalidPasswordExceptionMapper implements ExceptionMapper<InvalidPasswordException> {
+  @Override
+  public Response toResponse(InvalidPasswordException exception) {
+    return Response.status(Response.Status.BAD_REQUEST)
+      .entity(exception.getMessage())
+      .build();
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MapperModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MapperModule.java
@@ -8,6 +8,7 @@ public class MapperModule extends AbstractModule {
  @Override
  protected void configure() {
    bind(UserDtoToUserMapper.class).to(Mappers.getMapper(UserDtoToUserMapper.class).getClass());
+    bind(MeToUserDtoMapper.class).to(Mappers.getMapper(MeToUserDtoMapper.class).getClass());
    bind(UserToUserDtoMapper.class).to(Mappers.getMapper(UserToUserDtoMapper.class).getClass());
    bind(UserCollectionToDtoMapper.class);

--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeResource.java
@@ -4,19 +4,27 @@ import com.webcohesion.enunciate.metadata.rs.ResponseCode;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
 import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.credential.PasswordService;
+import sonia.scm.ConcurrentModificationException;
 import sonia.scm.NotFoundException;
+import sonia.scm.user.InvalidPasswordException;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
 import sonia.scm.web.VndMediaType;

 import javax.inject.Inject;
+import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
+import java.util.function.Consumer;
+
+import static sonia.scm.user.InvalidPasswordException.INVALID_MATCHING;


 /**
@@ -24,15 +32,20 @@ import javax.ws.rs.core.UriInfo;
 */
@Path(MeResource.ME_PATH_V2)
 public class MeResource {
-  static final String ME_PATH_V2 = "v2/me/";
+  public static final String ME_PATH_V2 = "v2/me/";

-  private final UserToUserDtoMapper userToDtoMapper;
+  private final MeToUserDtoMapper meToUserDtoMapper;

  private final IdResourceManagerAdapter<User, UserDto> adapter;
+  private final PasswordService passwordService;
+  private final UserManager userManager;
+
  @Inject
-  public MeResource(UserToUserDtoMapper userToDtoMapper, UserManager manager) {
-    this.userToDtoMapper = userToDtoMapper;
+  public MeResource(MeToUserDtoMapper meToUserDtoMapper, UserManager manager, PasswordService passwordService) {
+    this.meToUserDtoMapper = meToUserDtoMapper;
    this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
+    this.passwordService = passwordService;
+    this.userManager = manager;
  }

  /**
@@ -50,6 +63,34 @@ public class MeResource {
  public Response get(@Context Request request, @Context UriInfo uriInfo) throws NotFoundException {

    String id = (String) SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
-    return adapter.get(id, userToDtoMapper::map);
+    return adapter.get(id, meToUserDtoMapper::map);
+  }
+
+  /**
+   * Change password of the current user
+   */
+  @PUT
+  @Path("password")
+  @StatusCodes({
+    @ResponseCode(code = 204, condition = "update success"),
+    @ResponseCode(code = 401, condition = "not authenticated / invalid credentials"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  @TypeHint(TypeHint.NO_CONTENT.class)
+  @Consumes(VndMediaType.PASSWORD_CHANGE)
+  public Response changePassword(PasswordChangeDto passwordChangeDto) throws NotFoundException, ConcurrentModificationException {
+    String name = (String) SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
+    return adapter.update(name, user -> user.changePassword(passwordService.encryptPassword(passwordChangeDto.getNewPassword())), userManager.getUserTypeChecker().andThen(getOldOriginalPasswordChecker(passwordChangeDto.getOldPassword())));
+  }
+
+  /**
+   * Match given old password from the dto with the stored password before updating
+   */
+  private Consumer<User> getOldOriginalPasswordChecker(String oldPassword) {
+    return user -> {
+      if (!user.getPassword().equals(passwordService.encryptPassword(oldPassword))) {
+        throw new InvalidPasswordException(INVALID_MATCHING);
+      }
+    };
  }
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeToUserDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeToUserDtoMapper.java
@@ -0,0 +1,42 @@
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.Links;
+import org.mapstruct.AfterMapping;
+import org.mapstruct.Mapper;
+import org.mapstruct.MappingTarget;
+import sonia.scm.user.User;
+import sonia.scm.user.UserManager;
+import sonia.scm.user.UserPermissions;
+
+import javax.inject.Inject;
+
+import static de.otto.edison.hal.Link.link;
+import static de.otto.edison.hal.Links.linkingTo;
+
+@Mapper
+public abstract class MeToUserDtoMapper extends UserToUserDtoMapper{
+
+  @Inject
+  private UserManager userManager;
+
+  @Inject
+  private ResourceLinks resourceLinks;
+
+
+  @Override
+  @AfterMapping
+  protected void appendLinks(User user, @MappingTarget UserDto target) {
+    Links.Builder linksBuilder = linkingTo().self(resourceLinks.me().self());
+    if (UserPermissions.delete(user).isPermitted()) {
+      linksBuilder.single(link("delete", resourceLinks.me().delete(target.getName())));
+    }
+    if (UserPermissions.modify(user).isPermitted()) {
+      linksBuilder.single(link("update", resourceLinks.me().update(target.getName())));
+    }
+    if (userManager.isTypeDefault(user)) {
+      linksBuilder.single(link("password", resourceLinks.me().passwordChange()));
+    }
+    target.add(linksBuilder.build());
+  }
+
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PasswordChangeDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PasswordChangeDto.java
@@ -0,0 +1,17 @@
+package sonia.scm.api.v2.resources;
+
+import lombok.Getter;
+import lombok.Setter;
+import lombok.ToString;
+import org.hibernate.validator.constraints.NotEmpty;
+
+@Getter
+@Setter
+@ToString
+public class PasswordChangeDto {
+
+  private String oldPassword;
+
+  @NotEmpty
+  private String newPassword;
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionRootResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionRootResource.java
@@ -162,7 +162,7 @@ public class PermissionRootResource {
    RepositoryPermissions.permissionWrite(repository).check();
    String extractedPermissionName = getPermissionName(permissionName);
    if (!isPermissionExist(new PermissionDto(extractedPermissionName, isGroupPermission(permissionName)), repository)) {
-      throw new NotFoundException("the permission " + extractedPermissionName + " does not exist");
+      throw new NotFoundException("permission", extractedPermissionName);
    }
    permission.setGroupPermission(isGroupPermission(permissionName));
    if (!extractedPermissionName.equals(permission.getName())) {
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java
@@ -3,6 +3,7 @@ package sonia.scm.api.v2.resources;
 import sonia.scm.repository.NamespaceAndName;

 import javax.inject.Inject;
+import javax.ws.rs.core.UriInfo;
 import java.net.URI;

 class ResourceLinks {
@@ -85,8 +86,43 @@ class ResourceLinks {
    String update(String name) {
      return userLinkBuilder.method("getUserResource").parameters(name).method("update").parameters().href();
    }
+
+    public String passwordChange(String name) {
+      return userLinkBuilder.method("getUserResource").parameters(name).method("changePassword").parameters().href();
+    }
  }

+  MeLinks me() {
+    return new MeLinks(scmPathInfoStore.get(), this.user());
+  }
+
+  static class MeLinks {
+    private final LinkBuilder meLinkBuilder;
+    private UserLinks userLinks;
+
+    MeLinks(ScmPathInfo pathInfo, UserLinks user) {
+      meLinkBuilder = new LinkBuilder(pathInfo, MeResource.class);
+      userLinks = user;
+    }
+
+    String self() {
+      return meLinkBuilder.method("get").parameters().href();
+    }
+
+    String delete(String name) {
+      return userLinks.delete(name);
+    }
+
+    String update(String name) {
+      return userLinks.update(name);
+    }
+
+    public String passwordChange() {
+      return meLinkBuilder.method("changePassword").parameters().href();
+    }
+  }
+
+
  UserCollectionLinks userCollection() {
    return new UserCollectionLinks(scmPathInfoStore.get());
  }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/SingleResourceManagerAdapter.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/SingleResourceManagerAdapter.java
@@ -11,6 +11,7 @@ import javax.ws.rs.core.GenericEntity;
 import javax.ws.rs.core.Response;
 import java.util.Collection;
 import java.util.Optional;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
@@ -53,6 +54,11 @@ class SingleResourceManagerAdapter<MODEL_OBJECT extends ModelObject,
      .map(Response.ResponseBuilder::build)
      .orElseThrow(NotFoundException::new);
  }
+  public Response update(Supplier<Optional<MODEL_OBJECT>> reader, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges, Predicate<MODEL_OBJECT> hasSameKey, Consumer<MODEL_OBJECT> checker) throws NotFoundException, ConcurrentModificationException {
+    MODEL_OBJECT existingModelObject = reader.get().orElseThrow(NotFoundException::new);
+    checker.accept(existingModelObject);
+    return update(reader,applyChanges,hasSameKey);
+  }

  /**
   * Update the model object for the given id according to the given function and returns a corresponding http response.
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/TagToTagDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/TagToTagDtoMapper.java
@@ -28,7 +28,7 @@ public abstract class TagToTagDtoMapper {
    Links.Builder linksBuilder = linkingTo()
      .self(resourceLinks.tag().self(namespaceAndName.getNamespace(), namespaceAndName.getName(), target.getName()))
      .single(link("sources", resourceLinks.source().self(namespaceAndName.getNamespace(), namespaceAndName.getName(), target.getRevision())))
-      .single(link("changesets", resourceLinks.changeset().self(namespaceAndName.getNamespace(), namespaceAndName.getName(), target.getRevision())));
+      .single(link("changeset", resourceLinks.changeset().self(namespaceAndName.getNamespace(), namespaceAndName.getName(), target.getRevision())));
    target.add(linksBuilder.build());
  }
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserCollectionResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserCollectionResource.java
@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.ResponseHeader;
 import com.webcohesion.enunciate.metadata.rs.ResponseHeaders;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
+import org.apache.shiro.authc.credential.PasswordService;
 import sonia.scm.AlreadyExistsException;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
@@ -29,14 +30,16 @@ public class UserCollectionResource {
  private final ResourceLinks resourceLinks;

  private final IdResourceManagerAdapter<User, UserDto> adapter;
+  private final PasswordService passwordService;

  @Inject
  public UserCollectionResource(UserManager manager, UserDtoToUserMapper dtoToUserMapper,
-    UserCollectionToDtoMapper userCollectionToDtoMapper, ResourceLinks resourceLinks) {
+                                UserCollectionToDtoMapper userCollectionToDtoMapper, ResourceLinks resourceLinks, PasswordService passwordService) {
    this.dtoToUserMapper = dtoToUserMapper;
    this.userCollectionToDtoMapper = userCollectionToDtoMapper;
    this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
    this.resourceLinks = resourceLinks;
+    this.passwordService = passwordService;
  }

  /**
@@ -89,8 +92,6 @@ public class UserCollectionResource {
  @TypeHint(TypeHint.NO_CONTENT.class)
  @ResponseHeaders(@ResponseHeader(name = "Location", description = "uri to the created user"))
  public Response create(@Valid UserDto userDto) throws AlreadyExistsException {
-    return adapter.create(userDto,
-                          () -> dtoToUserMapper.map(userDto, ""),
-      user -> resourceLinks.user().self(user.getName()));
+    return adapter.create(userDto, () -> dtoToUserMapper.map(userDto, passwordService.encryptPassword(userDto.getPassword())), user -> resourceLinks.user().self(user.getName()));
  }
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserDto.java
@@ -26,6 +26,7 @@ public class UserDto extends HalRepresentation {
  private String mail;
  @Pattern(regexp = "^[A-z0-9\\.\\-_@]|[^ ]([A-z0-9\\.\\-_@ ]*[A-z0-9\\.\\-_@]|[^ ])?$")
  private String name;
+  @JsonInclude(JsonInclude.Include.NON_NULL)
  private String password;
  private String type;
  private Map<String, String> properties;
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserDtoToUserMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserDtoToUserMapper.java
@@ -1,37 +1,35 @@
 package sonia.scm.api.v2.resources;

-import org.apache.shiro.authc.credential.PasswordService;
+import org.mapstruct.AfterMapping;
 import org.mapstruct.Context;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
-import org.mapstruct.Named;
+import org.mapstruct.MappingTarget;
 import sonia.scm.user.User;

-import javax.inject.Inject;
-
-import java.time.Instant;
-
-import static sonia.scm.api.rest.resources.UserResource.DUMMY_PASSWORT;
-
 // Mapstruct does not support parameterized (i.e. non-default) constructors. Thus, we need to use field injection.
@SuppressWarnings("squid:S3306")
@Mapper
 public abstract class UserDtoToUserMapper extends BaseDtoMapper {

-  @Inject
-  private PasswordService passwordService;
-
-  @Mapping(source = "password", target = "password", qualifiedByName = "encrypt")
  @Mapping(target = "creationDate", ignore = true)
-  public abstract User map(UserDto userDto, @Context String originalPassword);
+  public abstract User map(UserDto userDto, @Context String usedPassword);

-  @Named("encrypt")
-  String encrypt(String password, @Context String originalPassword) {

-    if (DUMMY_PASSWORT.equals(password)) {
-      return originalPassword;
-    } else {
-      return passwordService.encryptPassword(password);
-    }
+  /**
+   * depends on the use case the right password will be mapped.
+   * The given Password in the context parameter will be set.
+   * The mapper consumer have the control of what password should be set.
+   * </p>
+   * eg. for update user action the password will be set to the original password
+   * for create user and change password actions the password is the user input
+   *
+   * @param usedPassword the password to be set
+   * @param user         the target
+   */
+  @AfterMapping
+  void overridePassword(@MappingTarget User user, @Context String usedPassword) {
+    user.setPassword(usedPassword);
  }
+
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java
@@ -3,6 +3,7 @@ package sonia.scm.api.v2.resources;
 import com.webcohesion.enunciate.metadata.rs.ResponseCode;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
+import org.apache.shiro.authc.credential.PasswordService;
 import sonia.scm.ConcurrentModificationException;
 import sonia.scm.NotFoundException;
 import sonia.scm.user.User;
@@ -26,12 +27,16 @@ public class UserResource {
  private final UserToUserDtoMapper userToDtoMapper;

  private final IdResourceManagerAdapter<User, UserDto> adapter;
+  private final UserManager userManager;
+  private final PasswordService passwordService;

  @Inject
-  public UserResource(UserDtoToUserMapper dtoToUserMapper, UserToUserDtoMapper userToDtoMapper, UserManager manager) {
+  public UserResource(UserDtoToUserMapper dtoToUserMapper, UserToUserDtoMapper userToDtoMapper, UserManager manager, PasswordService passwordService) {
    this.dtoToUserMapper = dtoToUserMapper;
    this.userToDtoMapper = userToDtoMapper;
    this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
+    this.userManager = manager;
+    this.passwordService = passwordService;
  }

  /**
@@ -40,7 +45,6 @@ public class UserResource {
   * <strong>Note:</strong> This method requires "user" privilege.
   *
   * @param id the id/name of the user
-   *
   */
  @GET
  @Path("")
@@ -63,7 +67,6 @@ public class UserResource {
   * <strong>Note:</strong> This method requires "user" privilege.
   *
   * @param name the name of the user to delete.
-   *
   */
  @DELETE
  @Path("")
@@ -80,10 +83,11 @@ public class UserResource {

  /**
   * Modifies the given user.
+   * The given Password in the payload will be ignored. To Change Password use the changePassword endpoint
   *
   * <strong>Note:</strong> This method requires "user" privilege.
   *
-   * @param name name of the user to be modified
+   * @param name    name of the user to be modified
   * @param userDto user object to modify
   */
  @PUT
@@ -101,4 +105,30 @@ public class UserResource {
  public Response update(@PathParam("id") String name, @Valid UserDto userDto) throws NotFoundException, ConcurrentModificationException {
    return adapter.update(name, existing -> dtoToUserMapper.map(userDto, existing.getPassword()));
  }
+
+  /**
+   * This Endpoint is for Admin user to modify a user password.
+   * The oldPassword property of the DTO is not needed here. it will be ignored.
+   * The oldPassword property is needed in the MeResources when the actual user change the own password.
+   *
+   * <strong>Note:</strong> This method requires "user:modify" privilege.
+   * @param name              name of the user to be modified
+   * @param passwordChangeDto change password object to modify password. the old password is here not required
+   */
+  @PUT
+  @Path("password")
+  @Consumes(VndMediaType.PASSWORD_CHANGE)
+  @StatusCodes({
+    @ResponseCode(code = 204, condition = "update success"),
+    @ResponseCode(code = 400, condition = "Invalid body, e.g. the user type is not xml or the given oldPassword do not match the stored one"),
+    @ResponseCode(code = 401, condition = "not authenticated / invalid credentials"),
+    @ResponseCode(code = 403, condition = "not authorized, the current user does not have the \"user\" privilege"),
+    @ResponseCode(code = 404, condition = "not found, no user with the specified id/name available"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  @TypeHint(TypeHint.NO_CONTENT.class)
+  public Response changePassword(@PathParam("id") String name, @Valid PasswordChangeDto passwordChangeDto) throws NotFoundException, ConcurrentModificationException {
+    return adapter.update(name, user -> user.changePassword(passwordService.encryptPassword(passwordChangeDto.getNewPassword())), userManager.getUserTypeChecker());
+  }
+
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java
@@ -4,9 +4,10 @@ import com.google.common.annotations.VisibleForTesting;
 import de.otto.edison.hal.Links;
 import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
 import org.mapstruct.MappingTarget;
-import sonia.scm.api.rest.resources.UserResource;
 import sonia.scm.user.User;
+import sonia.scm.user.UserManager;
 import sonia.scm.user.UserPermissions;

 import javax.inject.Inject;
@@ -19,19 +20,17 @@ import static de.otto.edison.hal.Links.linkingTo;
@Mapper
 public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {

+  @Inject
+  private UserManager userManager;
+
+  @Override
+  @Mapping(target = "attributes", ignore = true)
+  @Mapping(target = "password", ignore = true)
+  public abstract UserDto map(User modelObject);
+
  @Inject
  private ResourceLinks resourceLinks;

-  @VisibleForTesting
-  void setResourceLinks(ResourceLinks resourceLinks) {
-    this.resourceLinks = resourceLinks;
-  }
-
-  @AfterMapping
-  void removePassword(@MappingTarget UserDto target) {
-    target.setPassword(UserResource.DUMMY_PASSWORT);
-  }
-
  @AfterMapping
  protected void appendLinks(User user, @MappingTarget UserDto target) {
    Links.Builder linksBuilder = linkingTo().self(resourceLinks.user().self(target.getName()));
@@ -41,6 +40,9 @@ public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {
    if (UserPermissions.modify(user).isPermitted()) {
      linksBuilder.single(link("update", resourceLinks.user().update(target.getName())));
    }
+    if (userManager.isTypeDefault(user)) {
+      linksBuilder.single(link("password", resourceLinks.user().passwordChange(target.getName())));
+    }
    target.add(linksBuilder.build());
  }