Modify

Opened 12 years ago

Closed 8 years ago

#10680 closed enhancement (fixed)

Provide confirmation when password is changed

Reported by: Ryan J Ollos Owned by: Steffen Hoffmann
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: needinfo password change confirmation
Cc: Trac Release:

Description

I vaguely remember discussing this issue, but perhaps I'm thinking of a different issue since I can't find a ticket for the item. There is a nice confirmation following a password reset when the user is forced to reset their password:

However, there is no confirmation when the user changes their password at will.

It would be nice to use add_notice to provide the user feedback that their password has been successfully changed.

Well, maybe it is implied and unnecessary to have the notice since the user is immediately logged out and forced to log back in with their new password, but the lack of a notice just seems a bit unsettling since they are so commonplace in Trac.

Attachments (2)

ForcedReset.png (20.7 KB) - added by Ryan J Ollos 12 years ago.
PasswordChange.png (21.6 KB) - added by Ryan J Ollos 12 years ago.

Download all attachments as: .zip

Change History (12)

Changed 12 years ago by Ryan J Ollos

Attachment: ForcedReset.png added

Changed 12 years ago by Ryan J Ollos

Attachment: PasswordChange.png added

comment:1 in reply to:  description ; Changed 12 years ago by Steffen Hoffmann

Keywords: password change confirmation added

Replying to rjollos:

I vaguely remember discussing this issue, but perhaps I'm thinking of a different issue since I can't find a ticket for the item. There is a nice confirmation following a password reset when the user is forced to reset their password:
...

Hm, I don't remember that.

However, there is no confirmation when the user changes their password at will.
...
It would be nice to use add_notice to provide the user feedback that their password has been successfully changed.
...

Sure, similar to what is already done inside the admin web-UI now.

Well, maybe it is implied and unnecessary to have the notice since the user is immediately logged out and forced to log back in with their new password, but the lack of a notice just seems a bit unsettling since they are so commonplace in Trac.

No, the behavior you describe here is actually strange, because no log-out should happen. I'll have to talk to you about that some more. Only thing, that makes me wonder, is the authentication store you use, that may interfere here somehow.

comment:2 in reply to:  1 ; Changed 12 years ago by Steffen Hoffmann

Keywords: needinfo added

Replying to hasienda:

Replying to rjollos:

Well, maybe it is implied and unnecessary to have the notice since the user is immediately logged out and forced to log back in with their new password, but the lack of a notice just seems a bit unsettling since they are so commonplace in Trac.

No, the behavior you describe here is actually strange, because no log-out should happen. I'll have to talk to you about that some more. Only thing, that makes me wonder, is the authentication store you use, that may interfere here somehow.

Could you re-check that particular behavior with recent changes for #10681 applied, please?

comment:3 Changed 12 years ago by Ryan J Ollos

Yeah, I can test this weekend and get back to you. Thanks for pushing the changes!

comment:4 in reply to:  2 ; Changed 12 years ago by Ryan J Ollos

Replying to hasienda:

Could you re-check that particular behavior with recent changes for #10681 applied, please?

I'm running the latest r12507 on my production server. I'm using HtPasswdStore (all enabled components are shown below).

What I see now is - after changing the password the user remains on the /prefs/account page. However, as soon as the user tries to navigate elsewhere, or refreshes the page, the authentication dialog appears forcing the user to enter their new password. Well, the behavior of page refresh is a little strange, as it suffers from the problem reported in #10752.

I think the current behavior is good, that the user should be forced to re-authenticate with their new password. Previously, I think I was seeing an authentication prompt immediately after submitting Save changes.

acct_mgr.admin.accountmanageradminpanel = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.guard.accountguard = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.macros.accountmanagerwikimacros = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpanel = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled
acct_mgr.register.basiccheck = enabled
acct_mgr.register.usernamepermcheck = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.resetpwstore = enabled

comment:5 in reply to:  4 Changed 12 years ago by Steffen Hoffmann

Replying to rjollos:

Replying to hasienda:

Could you re-check that particular behavior with recent changes for #10681 applied, please?

I'm running the latest r12507 on my production server. I'm using HtPasswdStore (all enabled components are shown below).

What I see now is - after changing the password the user remains on the /prefs/account page. However, as soon as the user tries to navigate elsewhere, or refreshes the page, the authentication dialog appears forcing the user to enter their new password. Well, the behavior of page refresh is a little strange, as it suffers from the problem reported in #10752.

I think the current behavior is good, that the user should be forced to re-authenticate with their new password. Previously, I think I was seeing an authentication prompt immediately after submitting Save changes.

Well, glad you like the behavior, but I'm still surprised, because it shouldn't work like that. The user remains on the /prefs/account page - ok. But I can't see how/why the re-authentication is triggered in your configuration. It was certainly not intended to re-authenticate. What special circumstances could invalidate the session for you? I'm able to change my password multiple times without loosing the current, authenticated session with authentication based on a no longer existing password.

While I'd like to clarify that, the other question is, obviously you would like to have session invalidation happen after password change, wouldn't you? This could be achieved by just re-directing to '/logout', right?

comment:6 in reply to:  description Changed 12 years ago by Steffen Hoffmann

Replying to rjollos:

However, there is no confirmation when the user changes their password at will.

In fact, there is one. See "Password successfully updated." right above 'Change password' in your screenshot? Seems just like the expected highlighting/green notification is gone. I'll investigate about the styling and history of possibly related changes.

comment:7 Changed 12 years ago by Ryan J Ollos

Ah, good catch. It seems like that notification could be dropped, or merged with the div#notice that has the system-message class.

comment:8 Changed 12 years ago by Steffen Hoffmann

(In [12672]) AccountManagerPlugin: Move more feedback to standard chrome messages, refs #10680.

Templates are modified and cleaned accordingly too - a nice simplification. Accompanied by another run on replacing ambiguous 'user' with 'username', once started back in [10288], but hopefully with no fix-ups this time.

comment:9 Changed 10 years ago by Steffen Hoffmann

In 14363:

AccountManagerPlugin: Correct passwd reset notification msg body, refs #11867.

Thanks to alexkiro for reporting and proposing the change.

On review of this too long delayed patch I've seen other changes done but missing an entry in the changelog - fixed now as well, refs #10680 and #12097.

comment:10 Changed 8 years ago by Ryan J Ollos

Resolution: fixed
Status: newclosed

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Steffen Hoffmann.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.