Project

General

Profile

Actions
Copy link

Bug #72182

closed

BE Users can be created without a username and password due to chrome autofill

Added by Laurin Schaller over 8 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Target version:
-
Start date:
2015-12-11
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
5.4
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Basically as title says. Steps to reproduce:

  • Create a BE User
  • Press Save and close or log in with said username and password
  • Chrome asks you to save username and password - accept
  • Create a new BE User - Take a look at the form where you set username and pw for the new user. Chrome automatically fills out the username and pw for you.
  • Press save now. A BE User without name nor pw has been created. I even checked in the db if the fields really are empty. Well... they are.

Of course this will only really happen to somebody who deletes a user and then wants to create the exact same user again. Or to somebody who doesnt pay attention.

Using this nameless user leads to a further bug. If you use the "switch to user" button you will get logged in normally. However you cant log out of it. You are stuck until you delete the user using a different browser.

I dont know how the fields in the backend work. But I guess it goes like this: As the user presses "save" the system checks if the fields are empty. Because of chrome autofill they arent. So the system thinks thats fine. However the value from chromes prefilled fields aren't send to the database.

Files

Download all files
1.png (49.8 KB) 1.png Riccardo De Contardi, 2016-05-24 11:28
2.png (114 KB) 2.png Riccardo De Contardi, 2016-05-24 11:28

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #75809: Impossible to edit Backend-Users when Chrome Password Manager is usedClosed2016-04-20

Actions
Related to TYPO3 Core - Bug #78411: Backend user with empty password can be createdClosed2016-10-24

Actions
Actions
Copy link
 #1

Updated by Riccardo De Contardi over 8 years ago

I don't remember if adding the attribute autocomplete="false" to the form tag still works...

Actions
Copy link
 #2

Updated by Riccardo De Contardi about 8 years ago

  • Category set to Backend User Interface
Actions
Copy link
 #3

Updated by Nicole Cordes almost 8 years ago

  • Status changed from New to Needs Feedback

The bug should be fixed with https://review.typo3.org/#/c/47813/ which is included in 8.1 and will be included in the next release of 7.6

Actions
Copy link
 #4

Updated by Riccardo De Contardi almost 8 years ago

Bug seems still not solved on 8.2.0-dev

If you try to create a new user on Chrome, the username is no more filled by autofill, but the password has already something in it. If you save the user and look in the be_user table you'll find that the user has empty password.

Actions
Copy link
 #5

Updated by Christian Weiske almost 8 years ago

This is included in TYPO3 7.6.7 https://wiki.typo3.org/TYPO3_CMS_7.6.7

2016-04-30  05b3c41  #75809          [BUGFIX] Set semantic value to autocomplete (Nicole Cordes)
Actions
Copy link Download all files
 #6

Updated by Riccardo De Contardi almost 8 years ago

I tried the following steps using the latest 8.2-dev:

1) create a new user > the situation is shown on 1.png: the username is no more filled, but the password still contains something
2) type in a name "prova" and save
3) if you look into the be_users table (2.png) you'll find that the user has no password

Actions
Copy link
 #7

Updated by Riccardo De Contardi over 7 years ago

I am not able to reproduce it with 8.5-dev (latest master). Can someone confirm? Thank you.

Actions
Copy link
 #8

Updated by Alexander Opitz about 7 years ago

  • Status changed from Needs Feedback to Closed

The autocomplete="false" is ignored by chrome if already data is saved in browsers autofill database.

So closing this issue

Actions
Copy link

Also available in: Atom PDF