Bug #24617
closed
BE user's password not changable via setup module with "saltedpasswords" enabled
Added by Tomas Mrozek almost 14 years ago.
Updated about 13 years ago.
Description
If the "saltedpasswords" extension is installed BUT its use in the backend is NOT enabled (= "BE.enabled" is not true), then any password change in the "User Tools -> User settings" is not accepted.
If the "saltedpasswords" extension is not installed or its setting "BE.enabled" equals TRUE, then everything works fine.
If the "BE.enabled" equals FALSE, then the expected behavior is that the extension does NOT alter the functionality of the backend in any way.
(issue imported from #M17087)
Files
Maybe related to #20774 which suggests patches that don't seem to be in the current version of "saltedpasswords" and "setup" system extensions.
Quick (and dirty) fix: comment out lines 20 & 21 in "ext_tables.php" of "saltedpasswords".
Tomas, does moving those two lines into
if (tx_saltedpasswords_div::isUsageEnabled('BE')) {help?
Yes, Steffen, that works and thus it might be a correct fix. However, I'm unable to evaluate whether it fixes the right root of the problem. Someone should also confirm the bug in the first place as I have difficulty to believe that such a bug has been in a system extension without being noticed by anyone else.
Tomas, it looks pretty obvious, at least if saltedpasswords doesn't check in the User settings hook.
Will give it a try, but very likely at the end of the week after RC1 release.
Marcus Krause should have a look at that as well, I'll trigger him.
thanks for pointing me to this issue
Analysis:
Problems are obviously caused by following piece of code
$GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = 'tx_saltedpasswords_eval_be';
$GLOBALS['TYPO3_USER_SETTINGS']['columns']['password2']['eval'] = '';
what this basically does for TYPO3 w/o saltedpasswords installed:
- default is 'md5'
- this triggers the md5 hash building of submitted password on clientside via JS
- it does not cause a real instanciation of an evaluation!!
with saltedpasswords installed and enabled, we only want a value for 'eval' key with anything else than 'md5'; having a class name like now is misleading!
therefore - why does the update failes for outlined cases:
- password is no longer md5 hashed via JS because TYPO3_USER_SETTINGS contains no 'md5'
- tcemains uses eval configured via TCA (=md5)
- submitted password (plain text) does not have the structure of an md5 hash (32 letter hexadecimal string)
- eval fails - no update!
so solution is:
- encapsulate (like already suggested) these files with a test if saltedpasswords is enabled for BE
- fix the misleading values / properly comment
I'll prepare a patch.
trunk rev. 10371
4.5 rev. 10372
4.4 rev. 10373
4.3 rev. 10374
- Category set to Authentication
- Assignee deleted (
Marcus Krause)
- Target version deleted (
0)
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by