
Item3593: Can't reset password when user is not in TWikiUsers

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn:


Detail

I have a strange error on twiki.org running 4.1.1. User TWiki:Main/WhyeWong has a valid user account (topic exists, .htpasswd entry exists and looks OK), and he reports that he can't reset his password. Indeed, when I try at TWiki:TWiki04x01/ResetPassword I get message "Password reset failed. Can't find user WhyeWong". Looking at the code, it is produced at one location in TWiki/UI/Register.pm:

# return status
sub _resetUsersPassword {
    my( $session, $userName, $introduction, $pMess ) = @_;

    my $user = $session->{users}->findUser( $userName, undef, 1);
    unless( $user ) {
        # couldn't work out who they are, it's neither loginName nor
        # wikiName.
        $$pMess .= $session->inlineAlert( 'alerts', 'bad_user', $userName );
        return 0;
    }

    my $message = '';
    unless( $user->passwordExists() ) {
#etc.

I tried to reset my password and it works OK! Puzzled about this bug.

-- TWiki:Main/PeterThoeny - 10 Feb 2007

His entry is in TWikiUsersUtoZ and not TWikiUsers. How is that supposed to work anyway?

-- TWiki:Main.KennethLavrsen - 10 Feb 2007

Same with my user name, and reset password works for me. Since when is it required that users are listed in TWikiUsers topic for password reset?

-- TWiki:Main.PeterThoeny - 10 Feb 2007

I did not say it is required. I just proposed a possible cause. I still do not understand how it works on TWiki.org because as far as I can see the user mapping code creates a hash table from the TWikiUsers topic when finding users. But that is mainly for linking login name to wikiname. And we do not use that on twiki.org.

-- TWiki:Main.KennethLavrsen - 10 Feb 2007

I got another report, same issue. This should be fixed. There is no reason why users need to be listed in TWikiUsers to reset a password.

-- TWiki:Main.PeterThoeny - 28 Feb 2007

You mean that IF you have a password manager using the .htaccess file with emails it should look there instead?

Currently the TWikiUsers topic is the only place common to all password methods where we can make sure that a user is a registered user. We cannot trust a topic present in the Main web to be a valid registered user.

-- TWiki:Main.KennethLavrsen - 28 Feb 2007

Possible duplicate of Item3400? (Being authenticated or not while trying to reset the password made a difference then, same situation here?)

-- TWiki:Main.SteffenPoulsen - 28 Feb 2007

Yes, we need to make a distinction:

1. TWiki internal accounts, tracked in .htpasswd:

The most logical entity to check if a user exists is the entry in the .htpasswd. That way it is also easy to block bogus accounts (which was possible in Cairo and is no longer possible since Dakar, giving me more maintenance work on twiki.org.) There are actually several states:

  • User does not exist in .htaccess and has no homepage (not registered) --> can register, cannot reset/change password
  • User does not exist in .htaccess, but has a homepage (inconsistent registration) --> cannot register (admin intervention required), cannot reset/change password
  • User exists in .htaccess, but has no homepage (inconsistent registration) --> cannot register (admin intervention required), can reset/change password
  • User exists in .htaccess and has homepage (registered) --> cannot register again, can reset/change password

2. Accounts external to TWiki, e.g. in LDAP directory:

The most logical entity to check if a user exists is to ask the external directory. There are actually three states:

  • User does not exist in external directory
  • User exists in external directory, but has no TWiki homepage (not registered)
  • User exists in external directory, and has a TWiki homepage (is registered)

In either case, the TWikiUsers topic entry is only needed if mapping from login name to wikiname is enabled/used.

-- TWiki:Main.PeterThoeny - 01 Mar 2007

I understand what you are trying to do, but you are proposing making the code horrendously overcomplex.

There are two modules involved (now); the password manager and the user mapping manager. These correspond to what you call .htpasswd and "user topic" / TWikiUsers above. The existence check for a user asks the password manager if a user exists. The default user mapping manager doesn't have a user existence check; it simply maps login names and wikinames to canonical user IDs and back.

A user can register IFF they do not already exist i.e. they do not have an entry in .htpasswd. If they already have an entry, they cannot register. However they can reset their password. It's up to the password manager whether that password reset is authorised or not; the user mapping manager is not involved, and should not be involved.

I'm fairly sure that TWiki (next version) meets your requirements. It blocks user registration if a user pre-exists in the user database. It doesn't block password reset at all, for any user by any user (reset passwords are mailed to the registered email address, and the registered email address can only be changed if you have a valid password). I believe this meets your requirements for t.o. - if not, please clarify what you require.

CC
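The two posts above describe the same decision from different angles: Peter lists the account states that follow from whether a .htpasswd entry and a user homepage exist, and Crawford says the existence check belongs to the password manager, with the user mapping manager (TWikiUsers) not involved. The following Perl is an added example written for this page, not TWiki's own Register.pm or HtPasswdUser code. It assumes the login:hash:email line layout for .htpasswd, uses constructed data (placeholder hashes, a made-up OrphanHome account, and the AbcUser blocking entry Peter mentions below), and the function names parse_htpasswd, user_exists and account_policy are hypothetical. The constructed TWikiUsers set omits WhyeWong on purpose, mirroring the report, to show that a check rooted in the password store still treats him as a registered user who may reset his password.

```perl
#!/usr/bin/perl
# Added example, not TWiki code: derive "can register" / "can reset password"
# from the password store (.htpasswd) and the user homepage, never from the
# TWikiUsers mapping topic.
use strict;
use warnings;

# Constructed .htpasswd in the login:hash:email layout (hashes are placeholders).
my $htpasswd = <<'END';
WhyeWong:$apr1$xxxxxxxx$placeholderhash:whye@example.com
PeterThoeny:$apr1$xxxxxxxx$placeholderhash:peter@example.com
AbcUser:xxxxxxxxxxxxx:peter@thoeny.org
END

# Constructed set of existing Main web user homepage topics.
my %homepage_exists = map { $_ => 1 } qw(WhyeWong PeterThoeny OrphanHome);

# Constructed TWikiUsers mapping topic; WhyeWong is deliberately absent.
my %in_twikiusers = map { $_ => 1 } qw(PeterThoeny);

# Parse .htpasswd into login => { hash, email }. Only the login is needed for
# the existence check; the email is where a reset would be mailed.
sub parse_htpasswd {
    my ($text) = @_;
    my %users;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($login, $hash, $email) = split /:/, $line, 3;
        $users{$login} = { hash => $hash, email => defined $email ? $email : '' };
    }
    return \%users;
}

# Password-manager style existence check: the credential store is the authority.
sub user_exists {
    my ($pw, $login) = @_;
    return exists $pw->{$login} ? 1 : 0;
}

# Peter's four states for internal accounts, reduced to the two decisions
# Register.pm has to make: may this name register, may it reset its password.
sub account_policy {
    my ($pw, $login) = @_;
    my $has_pw   = user_exists($pw, $login);
    my $has_home = $homepage_exists{$login} ? 1 : 0;
    my $state =
        (!$has_pw && !$has_home) ? 'not registered' :
        (!$has_pw &&  $has_home) ? 'inconsistent: homepage, no password entry' :
        ( $has_pw && !$has_home) ? 'inconsistent: password entry, no homepage' :
                                   'registered';
    return {
        state        => $state,
        # Registration is only open when neither artefact exists; a pre-existing
        # .htpasswd entry (such as AbcUser) blocks it, which is the protection
        # Peter relied on in Cairo.
        can_register => (!$has_pw && !$has_home) ? 1 : 0,
        # Reset is allowed whenever the password store knows the login,
        # regardless of TWikiUsers.
        can_reset    => $has_pw,
    };
}

my $pw = parse_htpasswd($htpasswd);
for my $login (qw(WhyeWong PeterThoeny OrphanHome AbcUser NewPerson)) {
    my $p = account_policy($pw, $login);
    printf "%-12s TWikiUsers=%d  %-42s register=%d reset=%d\n",
        $login, $in_twikiusers{$login} ? 1 : 0, $p->{state},
        $p->{can_register}, $p->{can_reset};
}
```

Running it lists WhyeWong as TWikiUsers=0 yet registered with reset=1, which is the behaviour the reporter expects; AbcUser comes out with register=0 because the password entry alone is enough to refuse a new registration, and OrphanHome (homepage without a password entry) gets neither, matching the "admin intervention required" case in the list above.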

Correction: TWiki 4.1.x allows registration of users that already have a .htpasswd entry. Which is a pain for spam fighting. Up to Cairo I added many entries in .htpasswd to block obvious bogus names, such as AbcUser:xxxxxxxxxxxxx:peter@thoeny.org, however since TWiki 4 this is no longer a protection.

I am reopening this bug. It is a real bug. We can close it if the new code fixes the issue.

-- TWiki:Main.PeterThoeny - 07 May 2007

OK, that's fine; I'm setting it as waiting for feedback from TWiki.org, then

CC

This bug report is not waiting for twiki.org.

It is now plain and simple that a person cannot reset his password unless he is found in TWikiUsers.

When Sven is done with his code we can confirm that this is no longer the case and close this bug.

We could also try now but I do not want to waste time testing code that I have not been told is finished.

The test is simple. In a normal TWiki using .htpasswd and no mapping from login to WikiName, register a user, remove the entry from the TWikiUsers topic and confirm that the password can be reset.

KJL

Duplicate of Item3400

CC

ItemTemplate
Summary: Can't reset password when user is not in TWikiUsers
ReportedBy: TWiki:Main.PeterThoeny
Codebase: 4.1.1
SVN Range: TWiki-4.1.1, Fri, 09 Feb 2007, build 12817
AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins:
TargetRelease: minor
ReleasedIn:

Topic revision: r13 - 2007-05-28 - TWikiUserMapping_CrawfordCurrie