Opened 5 years ago

Closed 5 years ago

#10700 closed defect (fixed)

AccountModule._do_reset_password discards errors from _reset_password

Reported by: anonymous
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: critical
Keywords: AccountModule
Cc: Ryan J Ollos
Trac Release:

Description (last modified by Steffen Hoffmann)

In web_ui.py, in the AccountModule class is a function _reset_password, which can return an error. _do_reset_password always ignores the error, and instead reports success to the user. As far as I can tell, these errors are always ignored.

This then makes it extremely difficult to diagnose other problems with password reset.
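The defect pattern reported above, next to the propagating form, as an added example that is not AccountManagerPlugin code: every function name, the dict return shape, the messages and the mailer stand-ins are hypothetical and constructed for illustration.

```python
# Added illustration; all names are hypothetical, not AccountManagerPlugin code.
import logging

log = logging.getLogger("reset_demo")


class MailBackendDown(Exception):
    """Constructed failure standing in for any error inside the reset step."""


def reset_password(username, email, send_mail):
    """Return None on success or {'error': message} on failure."""
    if not username or not email:
        return {"error": "Username and e-mail address are required"}
    try:
        send_mail(email, "new temporary password")
    except MailBackendDown as exc:
        # Log the cause for the administrator; give the user a short message.
        log.error("password reset for %r failed: %s", username, exc)
        return {"error": "Could not send the reset e-mail"}
    return None


def do_reset_discarding(username, email, send_mail):
    """Defect pattern: the result is dropped and success is always reported."""
    reset_password(username, email, send_mail)
    return {"sent_to_email": email}


def do_reset_propagating(username, email, send_mail):
    """Fixed pattern: return the error; report success only when there is none."""
    result = reset_password(username, email, send_mail)
    if result is not None:
        return result
    return {"sent_to_email": email}


def broken_mailer(address, body):
    raise MailBackendDown("SMTP connection refused")  # constructed failure


def working_mailer(address, body):
    return None  # constructed success path
```

With `broken_mailer`, the discarding variant still tells the user the mail was sent, which is why a failing reset is hard to diagnose from the user's side.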

Attachments (0)

Change History (4)

comment:1 Changed 5 years ago by Steffen Hoffmann

Cc: Ryan J Ollos added; anonymous removed
Description: modified (diff)
Keywords: AccountModule added
Summary: changed from "Reset passport discards errors" to "AccountModule._do_reset_password discards errors from _reset_password"

Good catch, issue verified here easily with your hint on how to reproduce (in #10701). Thanks for noticing.

As mentioned in my recent comment to the follow-up issue #10701, I'd appreciate disclosure of a reporter contact. Anonymous reports just don't work that well for human interaction, you see?

comment:2 Changed 5 years ago by Steffen Hoffmann

(In [12441]) AccountManagerPlugin: Propagate errors from AccountModule._reset_password, refs #7111, #8927, #10700 and #10701.

Thanks for the recent, anonymous hint on this issue, that originates from [10313] (btw, a fix for a much more serious issue).

comment:3 Changed 5 years ago by Steffen Hoffmann

(In [12442]) AccountManagerPlugin: Add more configuration error logging, refs #10700 and #10701.

Ensure proper configuration for SessionStore and derived classes, and properly disable password reset functionality in AccountModule as well, if it can't work due to either ResetPwStore being disabled entirely or just missing the configured IPasswordHashMethod implementation.

comment:4 Changed 5 years ago by Steffen Hoffmann

Resolution: fixed
Status: changed from new to closed

(In [12482]) AccountManagerPlugin: Publish maintenance release 0.4.1, closes #5964, #8545, #10134, #10625, #10700 and #10701.

This is an update for current stable acct_mgr-0.4 with a number of fixes for issues resolved within the last weeks, i.e.:

  • a final fix for Single-Sign-On functionality (refs #9676),
  • a long-standing HttpAuth login issue and
  • one for acct_mgr.LoginModule, that is relevant if used with web-servers, that evaluate the REMOTE_USER environment variable.

Changeset [12468] is included, that may require a Trac db fix-up. Run python ./contrib/fix-session_attribute-failed_logins.py <env> once on any Trac environment, that had account locking enabled with time constraints before.
