Bug #58192
closed
User settings password change locks out user if saltedpasswords is not configured to allow legacy passwords
Added by Markus Klein over 10 years ago.
Updated about 6 years ago.
Description
If saltedpasswords is configured to disallow old md5 passwords and a user changes his/her password via the User Settings module, the user locks herself out of the BE.
The reason is that the User Settings dialog still creates old md5 passwords which are converted during the next login if saltedpasswords is configured to do so.
This seems to be a loading order problem. As the ext_tables.php of saltedpasswords would change the eval of the password fields correctly, but this is never applied.
- Status changed from Accepted to Under Review
What happens here¶
EXT:saltedpasswords is loaded before EXT:setup
EXT:saltedpasswords defines $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';, but $GLOBALS['TYPO3_USER_SETTINGS'] does not exist yet.
EXT:setup defines $GLOBALS['TYPO3_USER_SETTINGS'] and overwrites $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = 'md5';
This causes the User Settings Tool to generate a legacy md5 password hash which is written into the DB.
During login the Authentication Service detects the old password and denies the login, if EXT:saltedpasswords is configured to force salted passwords in BE mode.
Solution¶
Setting a dependency of EXT:saltedpasswords to EXT:setup should ensure that setup is loaded first. But it does NOT!
The problem is that EXT:saltedpasswords is a protected system extension whereas EXT:setup is not.
Package Manager will therefore rearrange the loading order and EXT:setup is second again.
So we also need to set EXT:setup as protected to really get the right loading order.
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by