From 2238f74ac2fc436b0cd53af2354cd12e9627ab87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?=
 <jan.christian@gruenhage.xyz>
Date: Fri, 3 Jun 2022 10:45:42 +0200
Subject: [PATCH] Allow updating passwords using the admin api without logging
 out devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jan Christian Grünhage <jan.christian@gruenhage.xyz>
---
 docs/admin_api/user_admin_api.md | 4 +++-
 synapse/rest/admin/users.py      | 8 +++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/admin_api/user_admin_api.md b/docs/admin_api/user_admin_api.md
index c8794299e790..62f89e8cba67 100644
--- a/docs/admin_api/user_admin_api.md
+++ b/docs/admin_api/user_admin_api.md
@@ -115,7 +115,9 @@ URL parameters:
 Body parameters:
 
 - `password` - string, optional. If provided, the user's password is updated and all
-  devices are logged out.
+  devices are logged out, unless `logout_devices` is set to `false`.
+- `logout_devices` - bool, optional, defaults to `true`. If set to false, devices aren't
+  logged out even when `password` is provided.
 - `displayname` - string, optional, defaults to the value of `user_id`.
 - `threepids` - array, optional, allows setting the third-party IDs (email, msisdn)
   - `medium` - string. Kind of third-party ID, either `email` or `msisdn`.
diff --git a/synapse/rest/admin/users.py b/synapse/rest/admin/users.py
index 8e29ada8a07c..f0614a28976d 100644
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@@ -226,6 +226,13 @@ async def on_PUT(
             if not isinstance(password, str) or len(password) > 512:
                 raise SynapseError(HTTPStatus.BAD_REQUEST, "Invalid password")
 
+        logout_devices = body.get("logout_devices", True)
+        if not isinstance(logout_devices, bool):
+            raise SynapseError(
+                HTTPStatus.BAD_REQUEST,
+                "'logout_devices' parameter is not of type boolean",
+            )
+
         deactivate = body.get("deactivated", False)
         if not isinstance(deactivate, bool):
             raise SynapseError(
@@ -305,7 +312,6 @@ async def on_PUT(
                     await self.store.set_server_admin(target_user, set_admin_to)
 
             if password is not None:
-                logout_devices = True
                 new_password_hash = await self.auth_handler.hash(password)
 
                 await self.set_password_handler.set_password(