From db316b59c5fd3b92ee4d3c81b956f22868677b02 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 9 Dec 2021 09:39:37 +0100
Subject: [PATCH] stages/prompt: use policyenginemode all

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/stages/prompt/stage.py         | 3 ++-
 website/docs/flow/stages/prompt/index.md | 2 ++
 website/docs/releases/v2021.12.md        | 6 +++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/authentik/stages/prompt/stage.py b/authentik/stages/prompt/stage.py
index 4b23d5f18..437d5cf01 100644
--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@@ -18,7 +18,7 @@ from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTyp
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.stage import ChallengeStageView
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.models import PolicyBinding, PolicyBindingModel
+from authentik.policies.models import PolicyBinding, PolicyBindingModel, PolicyEngineMode
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.prompt.signals import password_validate
 
@@ -110,6 +110,7 @@ class PromptChallengeResponse(ChallengeResponse):
 
         user = self.plan.context.get(PLAN_CONTEXT_PENDING_USER, get_anonymous_user())
         engine = ListPolicyEngine(self.stage.validation_policies.all(), user, self.request)
+        engine.mode = PolicyEngineMode.MODE_ALL
         engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
         engine.request.context.update(attrs)
         engine.build()
diff --git a/website/docs/flow/stages/prompt/index.md b/website/docs/flow/stages/prompt/index.md
index 7ce8932d8..105e67ea4 100644
--- a/website/docs/flow/stages/prompt/index.md
+++ b/website/docs/flow/stages/prompt/index.md
@@ -60,3 +60,5 @@ return False
 This policy expects you to have two password fields with `field_key` set to `password` and `password_repeat`.
 
 Afterwards, bind this policy to the prompt stage you want to validate.
+
+Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid.
diff --git a/website/docs/releases/v2021.12.md b/website/docs/releases/v2021.12.md
index a2556c349..56642ee99 100644
--- a/website/docs/releases/v2021.12.md
+++ b/website/docs/releases/v2021.12.md
@@ -3,10 +3,14 @@ title: Release 2021.12
 slug: "2021.12"
 ---
 
-## Headline Changes
+## Headline changes
 
 This release does not have any headline features, and mostly fixes bugs.
 
+## Breaking changes
+
+- stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid.
+
 ## Minor changes
 
 - core: make defaults for _change_email and _change_username configurable