id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release
8549,Changing password in SessionStore when password change forced has no effect,jteh,hasienda,"When AccountManagerPlugin is configured to use !SessionStore and a password change is forced due to a password reset, the first password change has no effect; i.e. the password remains unchanged.\r\n\r\nSteps to reproduce:\r\n 1. Ensure that AccountManagerPlugin is configured to use SessionStore and that there is an account with which to test.\r\n 2. Request a password reset for an account using the Forgot Password link.\r\n 3. Log in with the temporary password.\r\n 4. You will be prompted to change your password, so change it. You will be informed that the change was successful.\r\n 5. Log out.\r\n 6. Try to log back in with the new password.\r\n * Expected: You should be logged in.\r\n * Actual: You can't log in.\r\n * When this happens, you can still log back in with the temporary password (step 2).\r\n * If you log in and change the password again, this change (not forced) works correctly.\r\n\r\nI investigated the code a bit. Here's what I *think* is happening:\r\n 1. When saving the password, !SessionStore writes the password directly to the database.\r\n 2. If a password change is being forced, the code deletes force_change_passwd from the request's session object (req.session) and then saves the session. This happens at source:/accountmanagerplugin/trunk/acct_mgr/web_ui.py@9584#L270:[[br]]\r\n{{{\r\n                if force_change_password:\r\n                    del(req.session['force_change_passwd'])\r\n                    req.session.save()\r\n}}}\r\n 3. Unfortunately, the session object didn't know about the changed session attribute (the password) because it was written directly to the database (1), so when it is saved (2), it overwrites the password change (1).\r\n\r\nAssuming I'm right, either:\r\n 1. !SessionStore needs to write to the request's session object. However, I don't think there's any way for !SessionStore to access that; or\r\n 2. The session object somehow needs to be notified that its data has changed. The only way I can see to do this is to call {{{req.session.get_session(req.authname, authenticated=True)}}}, but this is pretty ugly and I'm not sure if it has any nasty side effects.",defect,closed,normal,AccountManagerPlugin,major,fixed,password db overwrite,,0.12
