Opened 3 years ago

Closed 3 years ago

#10700 closed defect (fixed)

AccountModule._do_reset_password discards errors from _reset_password

Reported by: anonymous Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: critical Keywords: AccountModule
Cc: rjollos Trac Release:

Description (last modified by hasienda)

In, in the AccountModule class is a function _reset_password, which can return an error. _do_reset_password always ignores the error, and instead reports success to the user. As far as I can tell, these errors are always ignored.

This then makes it extremely difficult to diagnose other problems with password reset.

Attachments (0)

Change History (4)

comment:1 Changed 3 years ago by hasienda

  • Cc rjollos added; anonymous removed
  • Description modified (diff)
  • Keywords AccountModule added
  • Summary changed from Reset passport discards errors to AccountModule._do_reset_password discards errors from _reset_password

Good catch, issue verified here easily with your hint on how to reproduce (in #10701). Thanks for noticing.

As mentioned in my recent comment to the follow-up issue #10701 I'd appreciate disclose of a reporter contact. Anonymous reports just don't work that well for human interaction, you see?

comment:2 Changed 3 years ago by hasienda

(In [12441]) AccountManagerPlugin: Propagate errors from AccountModule._reset_password, refs #7111, #8927, #10700 and #10701.

Thanks for the recent, anonymous hint on this issue, that originates from [10313] (btw, a fix for a much more serious issue).

comment:3 Changed 3 years ago by hasienda

(In [12442]) AccountManagerPlugin: Add more configuration error logging, refs #10700 and #10701.

Ensure proper configuration for SessionStore and derived classes, and properly disable password reset functionality in AccountModule as well, if it can't work due to either ResetPwStore being disabled entirely or just missing the configured IPasswordHashMethod implementation.

comment:4 Changed 3 years ago by hasienda

  • Resolution set to fixed
  • Status changed from new to closed

(In [12482]) AccountManagerPlugin: Publish maintenance release 0.4.1, closes #5964, #8545, #10134, #10625, #10700 and #10701.

This is an update for current stable acct_mgr-0.4 with a number of fixes for issues resolved within the last weeks, i.e.:

  • a final fix for Single-Sign-On functionality (refs #9676),
  • a long-standing HttpAuth login issue and
  • one for acct_mgr.LoginModule, that is relevant if used with web-servers, that evaluate the REMOTE_USER environment variable.

Changeset [12468] is included, that may require a Trac db fix-up. Run python ./contrib/ <env> once on any Trac environment, that had account locking enabled with time constraints before.

Add Comment

Modify Ticket

as closed The owner will remain hasienda.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.