• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
Item3902: Reset Password is broken in MAIN branch
Item Form Data
| AppliesTo: | Component: | Priority: | CurrentState: | WaitingFor: | TargetRelease | ReleasedIn |
|---|---|---|---|---|---|---|
| Engine | Urgent | Closed | minor |
Edit Form Data
Detail
Reset Password is broken
When you try and reset a users password, the browser receives nothing in return.
And there is nothing in the Apache error log.
But the password is reset and the reset email is sent.
The browser gets redirected to http://merlin.lavrsen.dk/twiki/bin/passwd/Main/WebHome
on my test server.
In the Patch branch you are redirected to an oops page with a message.
-- TWiki:Main/KennethLavrsen - 15 Apr 2007
Reset password has a different behaviour when resetting from Firefox. In IE I get nothing.
In FF I get
- 15 Apr 2007
Yes. But this is not related to that refactoring. It's due to the error messages from mail sending being routed back to the user, which didn't happen previously.
-- TWiki:Main.CrawfordCurrie - 15 Apr 2007
OK, it handles a mail-send failure more cleanly now. I can't debug why the mailer reported an error when the mail was actually sent, though.
CC
It is still not working.
Try with a user that has something in the email field in his user topic.
After passwords have been moved to .htpasswd this field should be ignored. People now use it to put their email address if they want to show it anyway and then they normally pad it in all sorts of ways. In my test I have the text (hidden) in the field.
When I manually upgrade old user topics (Cairo style) to the new template I always write (hidden) in the field. With a valid email address in .htpasswd this should not cause any problems.
-- TWiki:Main.KennethLavrsen - 15 Apr 2007
HORROR!
The problem is this.
Instead of picking the password from .htpasswd - it picks it from the user topic.
If the email address is invalid the code seems to try with the email address from .htpasswd.
This is very bad. It must always start with the .htpasswd. Otherwise we have a major security issue. You can now simply edit an other users user topic, put your a temporary discardable email address in the form, and reset the password. And BAM. You have taken over this users identity and can edit the topics that are otherwise restricted.
-- TWiki:Main.KennethLavrsen - 15 Apr 2007
If an email address for a user isn't specified in the password manager (e.g. you have PasswordManager set to none) then it has to fall back to recovering the email from the user mapper. Currently it drags addresses from both. I had originally coded it so it ignores the user mapper if the password manager is defined. Of course this is why :-/
I debated adding an "isManagingEmails" API to the password manager. I see that I have to.
BTW you say "if the email address is invalid". Do you mean if it fails to send mail to that address? Or if it simply doesn't exist?
-- TWiki:Main.CrawfordCurrie - 15 Apr 2007
OK, I think it's right now. Please test, your feedback is essential!
CC
Ken, I moved your additional report to Item2632, which is what it relates to.
CC
on my test server.
In the Patch branch you are redirected to an oops page with a message.
-- TWiki:Main/KennethLavrsen - 15 Apr 2007
Reset password has a different behaviour when resetting from Firefox. In IE I get nothing.
In FF I get
ERROR
Can't send mail using Net::SMTP. 5.0.0 <(Hidden)>... User address required at /usr/lib/perl5/5.8.6/CGI/Carp.pm line 314
CGI::Carp::realdie('ERROR
Can\'t send mail using Net::SMTP. 5.0.0 <(Hidden)>... ...') called at /usr/lib/perl5/5.8.6/CGI/Carp.pm line 385
CGI::Carp::die('ERROR
Can\'t send mail using Net::SMTP. 5.0.0 <(Hidden)>... ...') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 429 TWiki::Net::_sendEmailByNetSMTP('TWiki::Net=HASH(0x957969c)', 'Date: Sun, 15 Apr 2007 09:27:46 GMT\x{a}From: TWiki Administrator...') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 307 TWiki::Net::__ANON__() called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x9211074)', 'HASH(0x993b984)') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 323 TWiki::Net::sendEmail('TWiki::Net=HASH(0x957969c)', 'From: TWiki Administrator <kenneth.lavrsen@mail.dk>\x{a}To: Diane...') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 1085 TWiki::UI::Register::_sendEmail('TWiki=HASH(0x8d6ef2c)', 'mailresetpassword', 'HASH(0x9211464)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 538 TWiki::UI::Register::_resetUsersPassword('TWiki=HASH(0x8d6ef2c)', 'DianeChayer', '', 'SCALAR(0x9535fa8)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 479 TWiki::UI::Register::resetPassword('TWiki=HASH(0x8d6ef2c)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 146 TWiki::UI::Register::passwd_cgi('TWiki=HASH(0x8d6ef2c)') called at /usr/local/apache2/twiki/lib/TWiki/UI.pm line 160 TWiki::UI::__ANON__() called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x8d57d10)', 'HASH(0x920e350)') called at /usr/local/apache2/twiki/lib/TWiki/UI.pm line 198 TWiki::UI::run('CODE(0x94eee8c)') called
Too many failures sending mail %PARAM2% %PARAM3% %PARAM4%
A new system-generated password for your login name DianeChayer (WikiName DianeChayer) has been sent to your registered e-mail address. If your e-mail address is no longer valid, please contact kenneth.lavrsen@mail.dk
Users with automatically generated passwords should proceed immediately to change password to change their password to something memorable.
And guess what. The email is actually sent.
Was the reset email feature tested at all after all the user refactoring?
-- TWiki:Main.KennethLavrsen - 15 Apr 2007
Yes. But this is not related to that refactoring. It's due to the error messages from mail sending being routed back to the user, which didn't happen previously.
-- TWiki:Main.CrawfordCurrie - 15 Apr 2007
OK, it handles a mail-send failure more cleanly now. I can't debug why the mailer reported an error when the mail was actually sent, though.
CC
It is still not working.
Try with a user that has something in the email field in his user topic.
After passwords have been moved to .htpasswd this field should be ignored. People now use it to put their email address if they want to show it anyway and then they normally pad it in all sorts of ways. In my test I have the text (hidden) in the field.
When I manually upgrade old user topics (Cairo style) to the new template I always write (hidden) in the field. With a valid email address in .htpasswd this should not cause any problems.
-- TWiki:Main.KennethLavrsen - 15 Apr 2007
HORROR!
The problem is this.
Instead of picking the password from .htpasswd - it picks it from the user topic.
If the email address is invalid the code seems to try with the email address from .htpasswd.
This is very bad. It must always start with the .htpasswd. Otherwise we have a major security issue. You can now simply edit an other users user topic, put your a temporary discardable email address in the form, and reset the password. And BAM. You have taken over this users identity and can edit the topics that are otherwise restricted.
-- TWiki:Main.KennethLavrsen - 15 Apr 2007
If an email address for a user isn't specified in the password manager (e.g. you have PasswordManager set to none) then it has to fall back to recovering the email from the user mapper. Currently it drags addresses from both. I had originally coded it so it ignores the user mapper if the password manager is defined. Of course this is why :-/
I debated adding an "isManagingEmails" API to the password manager. I see that I have to.
BTW you say "if the email address is invalid". Do you mean if it fails to send mail to that address? Or if it simply doesn't exist?
-- TWiki:Main.CrawfordCurrie - 15 Apr 2007
OK, I think it's right now. Please test, your feedback is essential!
CC
Ken, I moved your additional report to Item2632, which is what it relates to.
CC
| ItemTemplate | |
|---|---|
| Summary | Reset Password is broken in MAIN branch |
| ReportedBy |
TWiki:Main.KennethLavrsen
|
| Codebase | |
| SVN Range | TWiki-4.1.2, Sat, 14 Apr 2007, build 13397 |
| AppliesTo | Engine |
| Component | |
| Priority | Urgent |
| CurrentState | Closed |
| WaitingFor | |
| Checkins |
TWikirev:13416 TWikirev:13419 TWikirev:13420 TWikirev:13421 TWikirev:13425
|
| TargetRelease | minor |
| ReleasedIn | |
Topic revision: r18 - 2008-01-22 - KennethLavrsen
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback