Reset Password is broken
When you try and reset a user's password, the browser receives nothing in return.
And there is nothing in the Apache error log.
But the password is reset and the reset email is sent.
The browser gets redirected to http://merlin.lavrsen.dk/twiki/bin/passwd/Main/WebHome on my test server.
In the Patch branch you are redirected to an oops page with a message.
--
TWiki:Main/KennethLavrsen
- 15 Apr 2007
Reset password has a different behaviour when resetting from Firefox. In IE I get nothing.
In FF I get
ERROR
Can't send mail using Net::SMTP. 5.0.0 <(Hidden)>... User address required at /usr/lib/perl5/5.8.6/CGI/Carp.pm line 314
CGI::Carp::realdie('ERROR
Can\'t send mail using Net::SMTP. 5.0.0 <(Hidden)>... ...') called at /usr/lib/perl5/5.8.6/CGI/Carp.pm line 385
CGI::Carp::die('ERROR
Can\'t send mail using Net::SMTP. 5.0.0 <(Hidden)>... ...') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 429 TWiki::Net::_sendEmailByNetSMTP('TWiki::Net=HASH(0x957969c)', 'Date: Sun, 15 Apr 2007 09:27:46 GMT\x{a}From: TWiki Administrator...') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 307 TWiki::Net::__ANON__() called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x9211074)', 'HASH(0x993b984)') called at /usr/local/apache2/twiki/lib/TWiki/Net.pm line 323 TWiki::Net::sendEmail('TWiki::Net=HASH(0x957969c)', 'From: TWiki Administrator <kenneth.lavrsen@mail.dk>\x{a}To: Diane...') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 1085 TWiki::UI::Register::_sendEmail('TWiki=HASH(0x8d6ef2c)', 'mailresetpassword', 'HASH(0x9211464)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 538 TWiki::UI::Register::_resetUsersPassword('TWiki=HASH(0x8d6ef2c)', 'DianeChayer', '', 'SCALAR(0x9535fa8)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 479 TWiki::UI::Register::resetPassword('TWiki=HASH(0x8d6ef2c)') called at /usr/local/apache2/twiki/lib/TWiki/UI/Register.pm line 146 TWiki::UI::Register::passwd_cgi('TWiki=HASH(0x8d6ef2c)') called at /usr/local/apache2/twiki/lib/TWiki/UI.pm line 160 TWiki::UI::__ANON__() called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 379 eval {...} called at /usr/local/apache2/twiki/lib/CPAN/lib//Error.pm line 371 Error::subs::try('CODE(0x8d57d10)', 'HASH(0x920e350)') called at /usr/local/apache2/twiki/lib/TWiki/UI.pm line 198 TWiki::UI::run('CODE(0x94eee8c)') called
Too many failures sending mail %PARAM2% %PARAM3% %PARAM4%
A new system-generated password for your login name DianeChayer (WikiName DianeChayer) has been sent to your registered e-mail address. If your e-mail address is no longer valid, please contact kenneth.lavrsen@mail.dk
Users with automatically generated passwords should proceed immediately to change password to change their password to something memorable.
And guess what. The email is actually sent.
Was the reset email feature tested at all after all the user refactoring?
--
TWiki:Main.KennethLavrsen
- 15 Apr 2007
Yes. But this is not related to that refactoring. It's due to the error messages from mail sending being routed back to the user, which didn't happen previously.
--
TWiki:Main.CrawfordCurrie
- 15 Apr 2007
OK, it handles a mail-send failure more cleanly now. I can't debug why the mailer reported an error when the mail was actually sent, though.
CC
It is still not working.
Try with a user that has something in the email field in his user topic.
After passwords have been moved to .htpasswd this field should be ignored. People now use it to put their email address if they want to show it anyway and then they normally pad it in all sorts of ways. In my test I have the text (hidden) in the field.
When I manually upgrade old user topics (Cairo style) to the new template I always write (hidden) in the field. With a valid email address in .htpasswd this should not cause any problems.
--
TWiki:Main.KennethLavrsen
- 15 Apr 2007
HORROR!
The problem is this.
Instead of picking the password from .htpasswd - it picks it from the user topic.
If the email address is invalid the code seems to try with the email address from .htpasswd.
This is very bad. It must always start with the .htpasswd. Otherwise we have a major security issue. You can now simply edit another user's user topic, put a temporary discardable email address in the form, and reset the password. And BAM. You have taken over this user's identity and can edit the topics that are otherwise restricted.
--
TWiki:Main.KennethLavrsen
- 15 Apr 2007
If an email address for a user isn't specified in the password manager (e.g. you have PasswordManager set to none) then it has to fall back to recovering the email from the user mapper. Currently it drags addresses from both. I had originally coded it so it ignores the user mapper if the password manager is defined. Of course this is why :-/
I debated adding an "isManagingEmails" API to the password manager. I see that I have to.
BTW you say "if the email address is invalid". Do you mean if it fails to send mail to that address? Or if it simply doesn't exist?
--
TWiki:Main.CrawfordCurrie
- 15 Apr 2007
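The two lookup orders discussed in this thread (the reported behaviour that consults the user topic first, and the intended one where the password manager is authoritative and the user mapper is only a fallback when the password manager does not manage e-mails), as an added model in Python. This is an illustration written for this page, not TWiki's own code; PasswordManager, UserMapper, the manages_emails flag and the sample addresses are assumptions standing in for the .htpasswd store, the user-topic Email field and the "isManagingEmails" API mentioned above.

```python
from dataclasses import dataclass, field


@dataclass
class PasswordManager:
    """Stand-in for an .htpasswd-style store: login -> registered e-mail.
    manages_emails=False models PasswordManager set to none, the one case
    where falling back to the user mapper is legitimate."""
    emails: dict = field(default_factory=dict)
    manages_emails: bool = True

    def get_email(self, login):
        return self.emails.get(login)


@dataclass
class UserMapper:
    """Stand-in for the Email field of the user topic, which anyone with
    edit rights on that topic can change (hence not trustworthy)."""
    topic_emails: dict = field(default_factory=dict)

    def get_email(self, login):
        return self.topic_emails.get(login)


def reset_target_reported(login, pm, um):
    """Behaviour reported in the thread: user topic first, .htpasswd second."""
    return um.get_email(login) or pm.get_email(login)


def reset_target_intended(login, pm, um):
    """Password manager is authoritative; the mapper is consulted only when
    the password manager does not manage e-mails at all."""
    if pm.manages_emails:
        return pm.get_email(login)
    return um.get_email(login)


def demo():
    # Constructed sample data: the registered address lives in .htpasswd,
    # the user topic carries the "(hidden)" placeholder described above.
    pm = PasswordManager({"DianeChayer": "diane@example.org"})
    um = UserMapper({"DianeChayer": "(hidden)"})
    before = (reset_target_reported("DianeChayer", pm, um),
              reset_target_intended("DianeChayer", pm, um))
    # Regression case: the topic field is later edited to some other address.
    um.topic_emails["DianeChayer"] = "other@example.net"
    after = (reset_target_reported("DianeChayer", pm, um),
             reset_target_intended("DianeChayer", pm, um))
    return before, after
```

The first tuple shows why the mailer choked on "(hidden)" before the fallback kicked in; the second shows that only the intended order keeps sending to the registered address after the topic is edited.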
OK, I think it's right now. Please test, your feedback is essential!
CC
Ken, I moved your additional report to Item2632, which is what it relates to.
CC