• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item5447: If manage requires login, impossible to change password

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Urgent Closed   patch  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

The password gets replaced by an automatic password, but not updated with the password entered in the ChangePassword form.

MAIN branch, Template login.

-- TWiki:Main/ArthurClemens - 17 Mar 2008

tre odd. it was working for me last week in the trunk (I don't use apache auth much) perhaps you can give us more cfg details?

-- TWiki:Main.SvenDowideit - 18 Mar 2008

Do you mean current LocalSite.cfg settings?

-- TWiki:Main.ArthurClemens - 18 Mar 2008

may as well start with that y

-- TWiki:Main.SvenDowideit - 18 Mar 2008

These are my settings:

-- TWiki:Main.ArthurClemens - 18 Mar 2008

It happens as well with the TWiki 4.2 download.

I have found the cause:

  1. ChangePassword has a form action manage
  2. manage script needs authentication (it is listed in configure under {AuthScripts})
  3. When the form is submitted it goes through TWiki authentication. Before Manage.pm is called the user gets returned to the login screen.

My temporary solution is to create a new passwd script:

ln -s manage passwd
... and to change the form action in ChangePassword from manage to passwd.

Of course this is a huge security risk. And you are also not logged in automatically, so after a password entry you need to enter it again in the login screen.

-- TWiki:Main.ArthurClemens - 26 Mar 2008

ouch :/

-- TWiki:Main.SvenDowideit - 31 Mar 2008

need to list all the uses of manage, and if they need to be authenticated. Then decide if we just test for auth-ness for those that need it, and if its not, send the user to the login.

-- TWiki:Main.SvenDowideit - 31 Mar 2008

basic issue is to know why manage was added to the auth list, so we don't just re-re-re-break things

-- TWiki:Main.SvenDowideit - 31 Mar 2008

perhaps reset can be done via another script - like login..

-- TWiki:Main.SvenDowideit - 31 Mar 2008

Manage is used for bulkRegister, deleteUserAccount, saveSettings and restoreRevision. So that cannot be opened up. We can either use an existing script such as login, or create a new one, like resetpassword.

-- TWiki:Main.ArthurClemens - 01 Apr 2008

I think that we should change the UI so that you cannot change your password unless you are logged in.

Otherwise, we pre-suppose that TWiki is reliably able to authenticate (and create sessons etc) for any random authentication system. (imagine an SSO setup where they have written a password manager that is able to send the SSO system a request to change the pwd)

-- TWiki:Main.SvenDowideit - 14 Apr 2008

So when I get a temp password in the mail, I first log in with the code? And then go back to ChangePassword to change my password?

-- TWiki:Main.ArthurClemens - 14 Apr 2008

correct. That seems to be a pretty standard flow in other web apps, and does actually give more control of security to the TWiki admin.

For example (I just thought of it):

If the TWiki is set up to be unencrypted for guest users, and then HTTPS to log in, and for all subsequent traffic (to provide encryption both for all passwords, and private content), the current implementation would provide a vector for passwords to leak via plain text.

Similarly, we should not pass the password as a url param - as this reveals it to every router and proxy along the route.

-- TWiki:Main.SvenDowideit - 14 Apr 2008

In the meeting we have agreed to proceed this way, and to make ChangePassword not viewable by TWikiGuest or twikiguest.

-- TWiki:Main.ArthurClemens - 15 Apr 2008

Also reported in TWiki:Support.ResetPasswordFailure

-- TWiki:Main.ArthurClemens - 17 Apr 2008

Manage is used for bulkRegister, deleteUserAccount, saveSettings and restoreRevision - that's true, but each of those functions either tests for TWikiAdminGroup or only permits the action on a logged-in user, doesn't it? I was under the impression that manage didn't have to be controlled in Apache. Happy to be proved wrong.

i changed the headline to reflect the analysis and marked this as Confirmed.

-- TWiki:Main.CrawfordCurrie - 02 May 2008

Remind me I am taking this on.

-- TWiki:Main.ArthurClemens - 12 May 2008

on considering what I will be doing for a client in Item5623 I think that we should place resetpasswd on the only definitely non-authed script - login. All other scripts in their locked down TWiki are unaccessible, and logon is really for apache auth..

personally I think forcing 'change password' to be post auth is ok..

-- TWiki:Main.SvenDowideit - 13 May 2008

actually, isn't this a NON-BUG??

  • reset password uses the already existing resetpassword script
  • change password should be limited to already logged in users! - it is not impossible to change password if manage requires login specifically, because to change their password, they must know it, and thus should be logging in.

so I guess the only thing that needs doing, is to disable the ChangePassword form unless they are logged in - with a message telling them to log in first.

-- TWiki:Main.SvenDowideit - 13 May 2008

Yes. We must force people to log in when viewing ChangePassword, and make it clear in the email.

-- TWiki:Main.ArthurClemens - 13 May 2008

I have added DENYTOPICVIEW = TWikiGuest.

-- TWiki:Main.ArthurClemens - 19 May 2008

ItemTemplate
Summary If manage requires login, impossible to change password
ReportedBy TWiki:Main.ArthurClemens
Codebase

SVN Range TWiki-5.0.0, Sun, 09 Mar 2008, build 16496
AppliesTo Engine
Component

Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:16822
TargetRelease patch
ReleasedIn

Topic attachments
I Attachment History Action Size Date Who Comment
Unknown file formatcfg LocalSite.cfg r1 manage 10.4 K 2008-03-18 - 21:15 ArthurClemens  
Edit | Attach | Watch | Print version | History: r24 < r23 < r22 < r21 < r20 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r24 - 2008-08-04 - KennethLavrsen
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback