Project

General

Profile

Actions

Bug #72182

closed

BE Users can be created without a username and password due to chrome autofill

Added by Laurin Schaller almost 9 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Target version:
-
Start date:
2015-12-11
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
7
PHP Version:
5.4
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Basically as title says. Steps to reproduce:

  • Create a BE User
  • Press Save and close or log in with said username and password
  • Chrome asks you to save username and password - accept
  • Create a new BE User - Take a look at the form where you set username and pw for the new user. Chrome automatically fills out the username and pw for you.
  • Press save now. A BE User without name nor pw has been created. I even checked in the db if the fields really are empty. Well... they are.

Of course this will only really happen to somebody who deletes a user and then wants to create the exact same user again. Or to somebody who doesnt pay attention.

Using this nameless user leads to a further bug. If you use the "switch to user" button you will get logged in normally. However you cant log out of it. You are stuck until you delete the user using a different browser.

I dont know how the fields in the backend work. But I guess it goes like this: As the user presses "save" the system checks if the fields are empty. Because of chrome autofill they arent. So the system thinks thats fine. However the value from chromes prefilled fields aren't send to the database.


Files

1.png (49.8 KB) 1.png Riccardo De Contardi, 2016-05-24 11:28
2.png (114 KB) 2.png Riccardo De Contardi, 2016-05-24 11:28

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #75809: Impossible to edit Backend-Users when Chrome Password Manager is usedClosed2016-04-20

Actions
Related to TYPO3 Core - Bug #78411: Backend user with empty password can be createdClosed2016-10-24

Actions
Actions #1

Updated by Riccardo De Contardi almost 9 years ago

I don't remember if adding the attribute autocomplete="false" to the form tag still works...

Actions #2

Updated by Riccardo De Contardi over 8 years ago

  • Category set to Backend User Interface
Actions #3

Updated by Nicole Cordes over 8 years ago

  • Status changed from New to Needs Feedback

The bug should be fixed with https://review.typo3.org/#/c/47813/ which is included in 8.1 and will be included in the next release of 7.6

Actions #4

Updated by Riccardo De Contardi over 8 years ago

Bug seems still not solved on 8.2.0-dev

If you try to create a new user on Chrome, the username is no more filled by autofill, but the password has already something in it. If you save the user and look in the be_user table you'll find that the user has empty password.

Actions #5

Updated by Christian Weiske over 8 years ago

This is included in TYPO3 7.6.7 https://wiki.typo3.org/TYPO3_CMS_7.6.7

2016-04-30  05b3c41  #75809          [BUGFIX] Set semantic value to autocomplete (Nicole Cordes)

Updated by Riccardo De Contardi over 8 years ago

I tried the following steps using the latest 8.2-dev:

1) create a new user > the situation is shown on 1.png: the username is no more filled, but the password still contains something
2) type in a name "prova" and save
3) if you look into the be_users table (2.png) you'll find that the user has no password

Actions #7

Updated by Riccardo De Contardi about 8 years ago

I am not able to reproduce it with 8.5-dev (latest master). Can someone confirm? Thank you.

Actions #8

Updated by Alexander Opitz almost 8 years ago

  • Status changed from Needs Feedback to Closed

The autocomplete="false" is ignored by chrome if already data is saved in browsers autofill database.

So closing this issue

Actions

Also available in: Atom PDF