Return m.change_password.enabled=false if local database is disabled

changelog.d/9588.bugfix

@@ -0,0 +1 @@
+Return `m.change_password` `enabled:false` if local database not used for authentication.

synapse/handlers/auth.py

@@ -215,6 +215,10 @@ def __init__(self, hs: "HomeServer"):
         self._password_enabled = hs.config.password_enabled
         self._password_localdb_enabled = hs.config.password_localdb_enabled
 
+        self._change_password = (
+            self._password_enabled and self._password_localdb_enabled
+        )
+
         # start out by assuming PASSWORD is enabled; we will remove it later if not.
         login_types = set()
         if self._password_localdb_enabled:
@@ -885,6 +889,18 @@ async def _find_user_id_and_pwd_hash(
             )
         return result
 
+    def get_allow_change_password(self) -> bool:
+        """Get status if users on this server are allowed to change or set a password.
+        Both `config.password_enabled` and `config.password_localdb_enabled`
+        must be true.
+        It is allowed that people add a password to their account even if they created
+        that account with SSO if it is not explicitly prohibited.
+
+        Returns:
+            Whether users on this server are allowed to change or set a password
+        """
+        return self._change_password
+
     def get_supported_login_types(self) -> Iterable[str]:
         """Get a the login types supported for the /login API
 

synapse/rest/client/v2_alpha/capabilities.py

@@ -13,12 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
+from typing import TYPE_CHECKING, Tuple
 
 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
 from synapse.http.servlet import RestServlet
+from synapse.http.site import SynapseRequest
+from synapse.types import JsonDict
 
 from ._base import client_patterns
 
+if TYPE_CHECKING:
+    from synapse.server import HomeServer
+
 logger = logging.getLogger(__name__)
 
 
@@ -27,21 +33,16 @@ class CapabilitiesRestServlet(RestServlet):
 
     PATTERNS = client_patterns("/capabilities$")
 
-    def __init__(self, hs):
-        """
-        Args:
-            hs (synapse.server.HomeServer): server
-        """
+    def __init__(self, hs: "HomeServer"):
         super().__init__()
         self.hs = hs
         self.config = hs.config
         self.auth = hs.get_auth()
-        self.store = hs.get_datastore()
+        self.auth_handler = hs.get_auth_handler()
 
-    async def on_GET(self, request):
-        requester = await self.auth.get_user_by_req(request, allow_guest=True)
-        user = await self.store.get_user_by_id(requester.user.to_string())
-        change_password = bool(user["password_hash"])
+    async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
+        await self.auth.get_user_by_req(request, allow_guest=True)
+        change_password = self.auth_handler.get_allow_change_password()
 
         response = {
             "capabilities": {
@@ -58,5 +59,5 @@ async def on_GET(self, request):
         return 200, response
 
 
-def register_servlets(hs, http_server):
+def register_servlets(hs: "HomeServer", http_server):
     CapabilitiesRestServlet(hs).register(http_server)

tests/rest/client/v2_alpha/test_capabilities.py

@@ -66,12 +66,4 @@ def test_get_change_password_capabilities(self):
         capabilities = channel.json_body["capabilities"]
 
         self.assertEqual(channel.code, 200)
-
-        # Test case where password is handled outside of Synapse
         self.assertTrue(capabilities["m.change_password"]["enabled"])
-        self.get_success(self.store.user_set_password_hash(user, None))
-        channel = self.make_request("GET", self.url, access_token=access_token)
-        capabilities = channel.json_body["capabilities"]
-
-        self.assertEqual(channel.code, 200)
-        self.assertFalse(capabilities["m.change_password"]["enabled"])