Merge with 2.0.0-m3

scm-webapp/src/test/java/sonia/scm/api/v2/resources/DispatcherMock.java

@@ -15,6 +15,8 @@ public class DispatcherMock {
     dispatcher.getProviderFactory().registerProvider(AuthorizationExceptionMapper.class);
     dispatcher.getProviderFactory().registerProvider(ConcurrentModificationExceptionMapper.class);
     dispatcher.getProviderFactory().registerProvider(InternalRepositoryExceptionMapper.class);
+    dispatcher.getProviderFactory().registerProvider(ChangePasswordNotAllowedExceptionMapper.class);
+    dispatcher.getProviderFactory().registerProvider(InvalidPasswordExceptionMapper.class);
     return dispatcher;
   }
 }

scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeResourceTest.java

@@ -2,11 +2,12 @@ package sonia.scm.api.v2.resources;
 
 import com.github.sdorra.shiro.ShiroRule;
 import com.github.sdorra.shiro.SubjectAware;
+import org.apache.shiro.authc.credential.PasswordService;
 import org.jboss.resteasy.core.Dispatcher;
-import org.jboss.resteasy.mock.MockDispatcherFactory;
 import org.jboss.resteasy.mock.MockHttpRequest;
 import org.jboss.resteasy.mock.MockHttpResponse;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
@@ -22,11 +23,17 @@ import java.net.URISyntaxException;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
+import static sonia.scm.api.v2.resources.DispatcherMock.createDispatcher;
 
 @SubjectAware(
+  username = "trillian",
+  password = "secret",
   configuration = "classpath:sonia/scm/repository/shiro.ini"
 )
 public class MeResourceTest {
@@ -34,8 +41,7 @@ public class MeResourceTest {
   @Rule
   public ShiroRule shiro = new ShiroRule();
 
-  private Dispatcher dispatcher = MockDispatcherFactory.createDispatcher();
-
+  private Dispatcher dispatcher;
 
   private final ResourceLinks resourceLinks = ResourceLinksMock.createMock(URI.create("/"));
   @Mock
@@ -47,22 +53,28 @@ public class MeResourceTest {
   private UserManager userManager;
 
   @InjectMocks
-  private UserToUserDtoMapperImpl userToDtoMapper;
+  private MeToUserDtoMapperImpl userToDtoMapper;
 
   private ArgumentCaptor<User> userCaptor = ArgumentCaptor.forClass(User.class);
 
+  @Mock
+  private PasswordService passwordService;
+  private User originalUser;
+
   @Before
   public void prepareEnvironment() throws Exception {
     initMocks(this);
-    createDummyUser("trillian");
+    originalUser = createDummyUser("trillian");
     when(userManager.create(userCaptor.capture())).thenAnswer(invocation -> invocation.getArguments()[0]);
     doNothing().when(userManager).modify(userCaptor.capture());
     doNothing().when(userManager).delete(userCaptor.capture());
-    userToDtoMapper.setResourceLinks(resourceLinks);
-    MeResource meResource = new MeResource(userToDtoMapper, userManager);
-    dispatcher.getRegistry().addSingletonResource(meResource);
+    when(userManager.isTypeDefault(userCaptor.capture())).thenCallRealMethod();
+    when(userManager.getUserTypeChecker()).thenCallRealMethod();
+    when(userManager.getDefaultType()).thenReturn("xml");
+    MeResource meResource = new MeResource(userToDtoMapper, userManager, passwordService);
     when(uriInfo.getApiRestUri()).thenReturn(URI.create("/"));
     when(scmPathInfoStore.get()).thenReturn(uriInfo);
+    dispatcher = createDispatcher(meResource);
   }
 
   @Test
@@ -76,14 +88,77 @@ public class MeResourceTest {
 
     assertEquals(HttpServletResponse.SC_OK, response.getStatus());
     assertTrue(response.getContentAsString().contains("\"name\":\"trillian\""));
-    assertTrue(response.getContentAsString().contains("\"password\":\"__dummypassword__\""));
-    assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/users/trillian\"}"));
+    assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/me/\"}"));
     assertTrue(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/users/trillian\"}"));
   }
 
+  @Test
+  @SubjectAware(username = "trillian", password = "secret")
+  public void shouldEncryptPasswordBeforeChanging() throws Exception {
+    String newPassword = "pwd123";
+    String encryptedNewPassword = "encrypted123";
+    String oldPassword = "notEncriptedSecret";
+    String content = String.format("{ \"oldPassword\": \"%s\" , \"newPassword\": \"%s\" }", oldPassword, newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + MeResource.ME_PATH_V2 + "password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(eq(newPassword))).thenReturn(encryptedNewPassword);
+    when(passwordService.encryptPassword(eq(oldPassword))).thenReturn("secret");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_NO_CONTENT, response.getStatus());
+    verify(userManager).modify(any(User.class));
+    User updatedUser = userCaptor.getValue();
+    assertEquals(encryptedNewPassword, updatedUser.getPassword());
+  }
+
+  @Test
+  @SubjectAware(username = "trillian", password = "secret")
+  public void shouldGet400OnChangePasswordOfUserWithNonDefaultType() throws Exception {
+    originalUser.setType("not an xml type");
+    String newPassword = "pwd123";
+    String oldPassword = "notEncriptedSecret";
+    String content = String.format("{ \"oldPassword\": \"%s\" , \"newPassword\": \"%s\" }", oldPassword, newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + MeResource.ME_PATH_V2 + "password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
+    when(passwordService.encryptPassword(eq(oldPassword))).thenReturn("secret");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_BAD_REQUEST, response.getStatus());
+  }
+
+  @Test
+  @SubjectAware(username = "trillian", password = "secret")
+  public void shouldGet400OnChangePasswordIfOldPasswordDoesNotMatchOriginalPassword() throws Exception {
+    String newPassword = "pwd123";
+    String oldPassword = "notEncriptedSecret";
+    String content = String.format("{ \"oldPassword\": \"%s\" , \"newPassword\": \"%s\" }", oldPassword, newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + MeResource.ME_PATH_V2 + "password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
+    when(passwordService.encryptPassword(eq(oldPassword))).thenReturn("differentThanSecret");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_BAD_REQUEST, response.getStatus());
+  }
+
+
   private User createDummyUser(String name) {
     User user = new User();
     user.setName(name);
+    user.setType("xml");
     user.setPassword("secret");
     user.setCreationDate(System.currentTimeMillis());
     when(userManager.get(name)).thenReturn(user);

scm-webapp/src/test/java/sonia/scm/api/v2/resources/MeToUserDtoMapperTest.java

@@ -0,0 +1,135 @@
+package sonia.scm.api.v2.resources;
+
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.support.SubjectThreadState;
+import org.apache.shiro.util.ThreadContext;
+import org.apache.shiro.util.ThreadState;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import sonia.scm.user.User;
+import sonia.scm.user.UserManager;
+
+import java.net.URI;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
+
+public class MeToUserDtoMapperTest {
+
+  private final URI baseUri = URI.create("http://example.com/base/");
+  @SuppressWarnings("unused") // Is injected
+  private final ResourceLinks resourceLinks = ResourceLinksMock.createMock(baseUri);
+
+  @Mock
+  private UserManager userManager;
+
+  @InjectMocks
+  private MeToUserDtoMapperImpl mapper;
+
+  private final Subject subject = mock(Subject.class);
+  private final ThreadState subjectThreadState = new SubjectThreadState(subject);
+
+  private URI expectedBaseUri;
+  private URI expectedUserBaseUri;
+
+  @Before
+  public void init() {
+    initMocks(this);
+    when(userManager.getDefaultType()).thenReturn("xml");
+    expectedBaseUri = baseUri.resolve(MeResource.ME_PATH_V2 + "/");
+    expectedUserBaseUri = baseUri.resolve(UserRootResource.USERS_PATH_V2 + "/");
+    subjectThreadState.bind();
+    ThreadContext.bind(subject);
+  }
+
+  @After
+  public void unbindSubject() {
+    ThreadContext.unbindSubject();
+  }
+
+  @Test
+  public void shouldMapTheUpdateLink() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+    assertEquals("expected update link", expectedUserBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("update").get().getHref());
+
+    when(subject.isPermitted("user:modify:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertFalse("expected no update link", userDto.getLinks().getLinkBy("update").isPresent());
+  }
+
+  @Test
+  public void shouldMapTheSelfLink() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+    assertEquals("expected self link", expectedBaseUri.toString(), userDto.getLinks().getLinkBy("self").get().getHref());
+
+  }
+
+  @Test
+  public void shouldMapTheDeleteLink() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:delete:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+    assertEquals("expected update link", expectedUserBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("delete").get().getHref());
+
+    when(subject.isPermitted("user:delete:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertFalse("expected no delete link", userDto.getLinks().getLinkBy("delete").isPresent());
+  }
+
+  @Test
+  public void shouldGetPasswordLinkOnlyForDefaultUserType() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+    when(userManager.isTypeDefault(eq(user))).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+
+    assertEquals("expected password link with modify permission", expectedBaseUri.resolve("password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(subject.isPermitted("user:modify:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertEquals("expected password link on mission modify permission", expectedBaseUri.resolve("password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(userManager.isTypeDefault(eq(user))).thenReturn(false);
+
+    userDto = mapper.map(user);
+
+    assertFalse("expected no password link", userDto.getLinks().getLinkBy("password").isPresent());
+  }
+
+
+  @Test
+  public void shouldGetEmptyPasswordProperty() {
+    User user = createDefaultUser();
+    user.setPassword("myHighSecurePassword");
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+
+    assertThat(userDto.getPassword()).as("hide password for the me resource").isBlank();
+  }
+
+  private User createDefaultUser() {
+    User user = new User();
+    user.setName("abc");
+    user.setCreationDate(1L);
+    return user;
+  }
+
+
+}

scm-webapp/src/test/java/sonia/scm/api/v2/resources/ResourceLinksMock.java

@@ -12,7 +12,9 @@ public class ResourceLinksMock {
     ScmPathInfo uriInfo = mock(ScmPathInfo.class);
     when(uriInfo.getApiRestUri()).thenReturn(baseUri);
 
-    when(resourceLinks.user()).thenReturn(new ResourceLinks.UserLinks(uriInfo));
+    ResourceLinks.UserLinks userLinks = new ResourceLinks.UserLinks(uriInfo);
+    when(resourceLinks.user()).thenReturn(userLinks);
+    when(resourceLinks.me()).thenReturn(new ResourceLinks.MeLinks(uriInfo,userLinks));
     when(resourceLinks.userCollection()).thenReturn(new ResourceLinks.UserCollectionLinks(uriInfo));
     when(resourceLinks.group()).thenReturn(new ResourceLinks.GroupLinks(uriInfo));
     when(resourceLinks.groupCollection()).thenReturn(new ResourceLinks.GroupCollectionLinks(uriInfo));

scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserDtoToUserMapperTest.java

@@ -23,18 +23,9 @@ public class UserDtoToUserMapperTest {
   @Test
   public void shouldMapFields() {
     UserDto dto = createDefaultDto();
-    User user = mapper.map(dto, "original password");
+    User user = mapper.map(dto, "used password");
     assertEquals("abc" , user.getName());
-  }
-
-  @Test
-  public void shouldEncodePassword() {
-    when(passwordService.encryptPassword("unencrypted")).thenReturn("encrypted");
-
-    UserDto dto = createDefaultDto();
-    dto.setPassword("unencrypted");
-    User user = mapper.map(dto, "original password");
-    assertEquals("encrypted" , user.getPassword());
+    assertEquals("used password" , user.getPassword());
   }
 
   @Before

scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserRootResourceTest.java

@@ -23,6 +23,7 @@ import javax.servlet.http.HttpServletResponse;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.text.MessageFormat;
 
 import static java.util.Collections.singletonList;
 import static org.junit.Assert.assertEquals;
@@ -61,21 +62,25 @@ public class UserRootResourceTest {
   private UserToUserDtoMapperImpl userToDtoMapper;
 
   private ArgumentCaptor<User> userCaptor = ArgumentCaptor.forClass(User.class);
+  private User originalUser;
 
   @Before
   public void prepareEnvironment() throws Exception {
     initMocks(this);
-    User dummyUser = createDummyUser("Neo");
+    originalUser = createDummyUser("Neo");
     when(userManager.create(userCaptor.capture())).thenAnswer(invocation -> invocation.getArguments()[0]);
+    when(userManager.isTypeDefault(userCaptor.capture())).thenCallRealMethod();
+    when(userManager.getUserTypeChecker()).thenCallRealMethod();
     doNothing().when(userManager).modify(userCaptor.capture());
     doNothing().when(userManager).delete(userCaptor.capture());
+    when(userManager.getDefaultType()).thenReturn("xml");
 
     UserCollectionToDtoMapper userCollectionToDtoMapper = new UserCollectionToDtoMapper(userToDtoMapper, resourceLinks);
     UserCollectionResource userCollectionResource = new UserCollectionResource(userManager, dtoToUserMapper,
-       userCollectionToDtoMapper, resourceLinks);
-    UserResource userResource = new UserResource(dtoToUserMapper, userToDtoMapper, userManager);
+      userCollectionToDtoMapper, resourceLinks, passwordService);
+    UserResource userResource = new UserResource(dtoToUserMapper, userToDtoMapper, userManager, passwordService);
     UserRootResource userRootResource = new UserRootResource(Providers.of(userCollectionResource),
-                                                             Providers.of(userResource));
+      Providers.of(userResource));
 
     dispatcher = createDispatcher(userRootResource);
   }
@@ -89,7 +94,6 @@ public class UserRootResourceTest {
 
     assertEquals(HttpServletResponse.SC_OK, response.getStatus());
     assertTrue(response.getContentAsString().contains("\"name\":\"Neo\""));
-    assertTrue(response.getContentAsString().contains("\"password\":\"__dummypassword__\""));
     assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/users/Neo\"}"));
     assertTrue(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/users/Neo\"}"));
   }
@@ -104,13 +108,48 @@ public class UserRootResourceTest {
 
     assertEquals(HttpServletResponse.SC_OK, response.getStatus());
     assertTrue(response.getContentAsString().contains("\"name\":\"Neo\""));
-    assertTrue(response.getContentAsString().contains("\"password\":\"__dummypassword__\""));
     assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/users/Neo\"}"));
     assertFalse(response.getContentAsString().contains("\"delete\":{\"href\":\"/v2/users/Neo\"}"));
   }
 
   @Test
-  public void shouldCreateNewUserWithEncryptedPassword() throws Exception {
+  public void shouldEncryptPasswordBeforeChanging() throws Exception {
+    String newPassword = "pwd123";
+    String content = String.format("{\"newPassword\": \"%s\"}", newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_NO_CONTENT, response.getStatus());
+    verify(userManager).modify(any(User.class));
+    User updatedUser = userCaptor.getValue();
+    assertEquals("encrypted123", updatedUser.getPassword());
+  }
+
+  @Test
+  public void shouldGet400OnChangePasswordOfUserWithNonDefaultType() throws Exception {
+    originalUser.setType("not an xml type");
+    String newPassword = "pwd123";
+    String content = String.format("{\"newPassword\": \"%s\"}", newPassword);
+    MockHttpRequest request = MockHttpRequest
+      .put("/" + UserRootResource.USERS_PATH_V2 + "Neo/password")
+      .contentType(VndMediaType.PASSWORD_CHANGE)
+      .content(content.getBytes());
+    MockHttpResponse response = new MockHttpResponse();
+    when(passwordService.encryptPassword(newPassword)).thenReturn("encrypted123");
+
+    dispatcher.invoke(request, response);
+
+    assertEquals(HttpServletResponse.SC_BAD_REQUEST, response.getStatus());
+  }
+
+  @Test
+  public void shouldEncryptPasswordBeforeCreatingUser() throws Exception {
     URL url = Resources.getResource("sonia/scm/api/v2/user-test-create.json");
     byte[] userJson = Resources.toByteArray(url);
 
@@ -130,7 +169,7 @@ public class UserRootResourceTest {
   }
 
   @Test
-  public void shouldUpdateChangedUserWithEncryptedPassword() throws Exception {
+  public void shouldIgnoreGivenPasswordOnUpdatingUser() throws Exception {
     URL url = Resources.getResource("sonia/scm/api/v2/user-test-update.json");
     byte[] userJson = Resources.toByteArray(url);
 
@@ -139,14 +178,13 @@ public class UserRootResourceTest {
       .contentType(VndMediaType.USER)
       .content(userJson);
     MockHttpResponse response = new MockHttpResponse();
-    when(passwordService.encryptPassword("pwd123")).thenReturn("encrypted123");
 
     dispatcher.invoke(request, response);
 
     assertEquals(HttpServletResponse.SC_NO_CONTENT, response.getStatus());
     verify(userManager).modify(any(User.class));
     User updatedUser = userCaptor.getValue();
-    assertEquals("encrypted123", updatedUser.getPassword());
+    assertEquals(originalUser.getPassword(), updatedUser.getPassword());
   }
 
   @Test
@@ -154,7 +192,7 @@ public class UserRootResourceTest {
     MockHttpRequest request = MockHttpRequest
       .post("/" + UserRootResource.USERS_PATH_V2)
       .contentType(VndMediaType.USER)
-      .content(new byte[] {});
+      .content(new byte[]{});
     MockHttpResponse response = new MockHttpResponse();
     when(passwordService.encryptPassword("pwd123")).thenReturn("encrypted123");
 
@@ -265,6 +303,7 @@ public class UserRootResourceTest {
   private User createDummyUser(String name) {
     User user = new User();
     user.setName(name);
+    user.setType("xml");
     user.setPassword("redpill");
     user.setCreationDate(System.currentTimeMillis());
     when(userManager.get(name)).thenReturn(user);

scm-webapp/src/test/java/sonia/scm/api/v2/resources/UserToUserDtoMapperTest.java

@@ -8,14 +8,17 @@ import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.InjectMocks;
-import sonia.scm.api.rest.resources.UserResource;
+import org.mockito.Mock;
 import sonia.scm.user.User;
+import sonia.scm.user.UserManager;
 
 import java.net.URI;
 import java.time.Instant;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
@@ -26,6 +29,9 @@ public class UserToUserDtoMapperTest {
   @SuppressWarnings("unused") // Is injected
   private final ResourceLinks resourceLinks = ResourceLinksMock.createMock(baseUri);
 
+  @Mock
+  private UserManager userManager;
+
   @InjectMocks
   private UserToUserDtoMapperImpl mapper;
 
@@ -37,6 +43,7 @@ public class UserToUserDtoMapperTest {
   @Before
   public void init() {
     initMocks(this);
+    when(userManager.getDefaultType()).thenReturn("xml");
     expectedBaseUri = baseUri.resolve(UserRootResource.USERS_PATH_V2 + "/");
     subjectThreadState.bind();
     ThreadContext.bind(subject);
@@ -53,11 +60,42 @@ public class UserToUserDtoMapperTest {
     when(subject.isPermitted("user:modify:abc")).thenReturn(true);
 
     UserDto userDto = mapper.map(user);
-
-    assertEquals("expected self link",   expectedBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("self").get().getHref());
+    assertEquals("expected self link", expectedBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("self").get().getHref());
     assertEquals("expected update link", expectedBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("update").get().getHref());
   }
 
+  @Test
+  public void shouldGetPasswordLinkOnlyForDefaultUserType() {
+    User user = createDefaultUser();
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+    when(userManager.isTypeDefault(eq(user))).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+
+    assertEquals("expected password link with modify permission", expectedBaseUri.resolve("abc/password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(subject.isPermitted("user:modify:abc")).thenReturn(false);
+    userDto = mapper.map(user);
+    assertEquals("expected password link on mission modify permission", expectedBaseUri.resolve("abc/password").toString(), userDto.getLinks().getLinkBy("password").get().getHref());
+
+    when(userManager.isTypeDefault(eq(user))).thenReturn(false);
+
+    userDto = mapper.map(user);
+
+    assertFalse("expected no password link", userDto.getLinks().getLinkBy("password").isPresent());
+  }
+
+  @Test
+  public void shouldGetEmptyPasswordProperty() {
+    User user = createDefaultUser();
+    user.setPassword("myHighSecurePassword");
+    when(subject.isPermitted("user:modify:abc")).thenReturn(true);
+
+    UserDto userDto = mapper.map(user);
+
+    assertThat(userDto.getPassword()).isBlank();
+  }
+
   @Test
   public void shouldMapLinks_forDelete() {
     User user = createDefaultUser();
@@ -65,7 +103,7 @@ public class UserToUserDtoMapperTest {
 
     UserDto userDto = mapper.map(user);
 
-    assertEquals("expected self link",   expectedBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("self").get().getHref());
+    assertEquals("expected self link", expectedBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("self").get().getHref());
     assertEquals("expected delete link", expectedBaseUri.resolve("abc").toString(), userDto.getLinks().getLinkBy("delete").get().getHref());
   }
 
@@ -97,16 +135,6 @@ public class UserToUserDtoMapperTest {
     assertEquals("abc", userDto.getName());
   }
 
-  @Test
-  public void shouldRemovePassword() {
-    User user = createDefaultUser();
-    user.setPassword("password");
-
-    UserDto userDto = mapper.map(user);
-
-    assertEquals(UserResource.DUMMY_PASSWORT, userDto.getPassword());
-  }
-
   @Test
   public void shouldMapTimes() {
     User user = createDefaultUser();