PRO-4544 User settings group and password change

[myovchev]

Summary

• Allow configurable "protected" subforms
• Handle change password form
• Implement subform groups (tabbed navigation)
• Allow configurable reload and state restore after subform save

What are the specific steps to test this change?

Use Testbed branch feature-user-settings, link Apostrophe locally while in the current branch. Boot the app, force rebuild (CI=1 APOS_DEV=1 npx nodemon)

Requirements for Phase 1 and 2 should pass.

What kind of change does this PR introduce?

(Check at least one)

• Bug fix
• New feature
• Refactor
• Documentation
• Build-related changes
• Other

Make sure the PR fulfills these requirements:

• It includes a) the existing issue ID being resolved, b) a convincing reason for adding this feature, or c) a clear description of the bug it resolves
• The changelog is updated
• Related documentation has been updated
• Related tests have been updated

[linear]

PRO-4544 As a user, I can update my password when logged in (requires implementation of User Setting groups).

This requires the implementation of User Setting groups.

In the User Settings, which we started as a way to accommodate the need to allow users to set their admin UI language, we would like to add other settings moving forward. One of them is password.

image.png

image.png

image.png

image.png

Sketch

https://www.sketch.com/s/fbfcda4a-08a4-4c8d-ab88-fdad7532217e/p/2AFAAA0B-E913-41CE-B118-301ADC54CB63/canvas

Tech Design

• Remove the restriction on the password field in settings.
• Implement a custom schema field type which uses a nested schema to require the old password, and also two matching new password fields.
• Automatically use this alternate field type when password is the field name.
• The front end should help the user determine that the new password fields match, however the old password should NOT be checked yet (see below).
• When valid the field emits { newPassword, oldPassword } as its value.
• When "Update" is clicked the backend API should spot the password field and handle checking oldPassword (see self.apos.user.verifyPassword) before updating the password property to newPassword and calling convert and update normally. If the password validation fails a forbidden error should be thrown with an "incorrect password" message.
• The front end should recognize this specific error and flag password as the invalid field.

Acceptance Criteria

• When I open Settings I see a new row for Password (see screen 1) and when I click on that entire row, I then see three fields for setting my password: Current password, New Password, Verify New Password
• I fill in the first one with my current password, and the second two fields for my new password have to match.
• I click Submit and that saves my new passwords, and I see "Updated!" letting me know it's been saved.

[boutell]

Great stuff, but I did ask to change "protected" to "protection" because it will resolve a lot of confusion when reading the source (even for me).