
Item3902: Reset Password is broken in MAIN branch

Item Form Data

AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn:


Detail

Reset Password is broken

When you try and reset a user's password, the browser receives nothing in return.

And there is nothing in the Apache error log.

But the password is reset and the reset email is sent.

The browser gets redirected to http://merlin.lavrsen.dk/twiki/bin/passwd/Main/WebHome on my test server.

In the Patch branch you are redirected to an oops page with a message.

-- TWiki:Main/KennethLavrsen - 15 Apr 2007

Reset password has a different behaviour when resetting from Firefox. In IE I get nothing.

In FF I get



ERROR
    Can't send mail using Net::SMTP. 5.0.0 <(Hidden)>... User address required at /usr/lib/perl5/5.8.6/CGI/Carp.pm line 314

CGI::Carp::realdie('ERROR
    Can\'t send mail using Net::SMTP. 5.0.0 <(Hidden)>... ...') called at /usr/lib/perl5/5.8.6/CGI/Carp.pm line 385
CGI::Carp::die('ERROR
    Can\'t send mail using Net::SMTP. 5.0.0 <(Hidden)>... ...') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 429
TWiki::Net::_sendEmailByNetSMTP('TWiki::Net=HASH(0x957969c)', 'Date: Sun, 15 Apr 2007 09:27:46 GMT\x{a}From: TWiki Administrator...') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 307
TWiki::Net::__ANON__() called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 379
eval {...} called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 371
Error::subs::try('CODE(0x9211074)', 'HASH(0x993b984)') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 323
TWiki::Net::sendEmail('TWiki::Net=HASH(0x957969c)', 'From: TWiki Administrator <kenneth.lavrsen@mail.dk>\x{a}To: Diane...') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 1085
TWiki::UI::Register::_sendEmail('TWiki=HASH(0x8d6ef2c)', 'mailresetpassword', 'HASH(0x9211464)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 538
TWiki::UI::Register::_resetUsersPassword('TWiki=HASH(0x8d6ef2c)', 'DianeChayer', '', 'SCALAR(0x9535fa8)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 479
TWiki::UI::Register::resetPassword('TWiki=HASH(0x8d6ef2c)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 146
TWiki::UI::Register::passwd_cgi('TWiki=HASH(0x8d6ef2c)') called at /usr/local/apache2/twiki/lib/TWiki/UI.pm line 160
TWiki::UI::__ANON__() called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 379
eval {...} called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 371
Error::subs::try('CODE(0x8d57d10)', 'HASH(0x920e350)') called at /usr/local/apache2/twiki/lib/TWiki/UI.pm line 198
TWiki::UI::run('CODE(0x94eee8c)') called

Too many failures sending mail %PARAM2% %PARAM3% %PARAM4%

A new system-generated password for your login name DianeChayer (WikiName DianeChayer) has been sent to your registered e-mail address. If your e-mail address is no longer valid, please contact kenneth.lavrsen@mail.dk

Users with automatically generated passwords should proceed immediately to change password to change their password to something memorable. 

And guess what. The email is actually sent.

Was the reset email feature tested at all after all the user refactoring?

-- TWiki:Main.KennethLavrsen - 15 Apr 2007

Yes. But this is not related to that refactoring. It's due to the error messages from mail sending being routed back to the user, which didn't happen previously.

-- TWiki:Main.CrawfordCurrie - 15 Apr 2007

OK, it handles a mail-send failure more cleanly now. I can't debug why the mailer reported an error when the mail was actually sent, though.

CC

It is still not working.

Try with a user that has something in the email field in his user topic.

After passwords have been moved to .htpasswd this field should be ignored. People now use it to put their email address if they want to show it anyway and then they normally pad it in all sorts of ways. In my test I have the text (hidden) in the field.

When I manually upgrade old user topics (Cairo style) to the new template I always write (hidden) in the field. With a valid email address in .htpasswd this should not cause any problems.

-- TWiki:Main.KennethLavrsen - 15 Apr 2007

HORROR!

The problem is this.

Instead of picking the password from .htpasswd - it picks it from the user topic.

If the email address is invalid the code seems to try with the email address from .htpasswd.

This is very bad. It must always start with the .htpasswd. Otherwise we have a major security issue. You can now simply edit another user's user topic, put a temporary discardable email address in the form, and reset the password. And BAM. You have taken over this user's identity and can edit the topics that are otherwise restricted.

-- TWiki:Main.KennethLavrsen - 15 Apr 2007

If an email address for a user isn't specified in the password manager (e.g. you have PasswordManager set to none) then it has to fall back to recovering the email from the user mapper. Currently it drags addresses from both. I had originally coded it so it ignores the user mapper if the password manager is defined. Of course this is why :-/

I debated adding an "isManagingEmails" API to the password manager. I see that I have to.

BTW you say "if the email address is invalid". Do you mean if it fails to send mail to that address? Or if it simply doesn't exist?

-- TWiki:Main.CrawfordCurrie - 15 Apr 2007
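
A sketch of the address-source rule discussed in this item, added here as an example and not TWiki's own code. The function names and the manages_emails flag (standing in for the proposed "isManagingEmails" API) are assumptions, the user names and addresses are constructed, and refusing the reset when no trusted address exists is an assumed policy.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data. The .htpasswd-style store is written only by the
# password manager; the user topic field can be changed by anyone who may
# edit that topic.
my %htpasswd_email = ( AliceExample => 'alice@example.org' );
my %topic_email    = ( AliceExample => 'someone-else@example.net',
                       BobExample   => 'bob@example.org' );

sub pm_emails    { my ($u) = @_; return exists $htpasswd_email{$u} ? ( $htpasswd_email{$u} ) : () }
sub topic_emails { my ($u) = @_; return exists $topic_email{$u}    ? ( $topic_email{$u} )    : () }

# Behaviour described in the thread: addresses are drawn from both sources,
# so whatever is typed into the user topic becomes a reset recipient.
sub reset_recipients_merged {
    my ( $pm, $user ) = @_;
    return ( topic_emails($user), pm_emails($user) );
}

# Hardened rule: when the password manager manages e-mail addresses it is the
# only source. The user topic is a fallback solely for installations where the
# password manager holds no addresses (e.g. PasswordManager set to none).
sub reset_recipients_hardened {
    my ( $pm, $user ) = @_;
    return pm_emails($user) if $pm->{manages_emails};    # hypothetical flag
    return topic_emails($user);
}

# Run both rules over the same inputs to compare the recipients they select.
my @cases = (
    [ 'htpasswd manages mail', { manages_emails => 1 }, 'AliceExample' ],
    [ 'htpasswd manages mail', { manages_emails => 1 }, 'BobExample' ],
    [ 'no password manager',   { manages_emails => 0 }, 'BobExample' ],
);
for my $case (@cases) {
    my ( $label, $pm, $user ) = @$case;
    for my $rule ( [ merged => \&reset_recipients_merged ],
                   [ hardened => \&reset_recipients_hardened ] ) {
        my ( $name, $code ) = @$rule;
        my $to = join( ', ', $code->( $pm, $user ) ) || '(none: refuse reset)';
        printf "%-22s %-13s %-9s %s\n", $label, $user, $name, $to;
    }
}
```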

OK, I think it's right now. Please test, your feedback is essential!

CC

Ken, I moved your additional report to Item2632, which is what it relates to.

CC

ItemTemplate
Summary Reset Password is broken in MAIN branch
ReportedBy TWiki:Main.KennethLavrsen
Codebase

SVN Range TWiki-4.1.2, Sat, 14 Apr 2007, build 13397
AppliesTo Engine
Component

Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:13416 TWikirev:13419 TWikirev:13420 TWikirev:13421 TWikirev:13425
TargetRelease minor
ReleasedIn

Topic revision: r18 - 2008-01-22 - KennethLavrsen
 