Bug #79714

Saving a backend user record without touching the password field sets the password to '*********'

Added by Helmut Hummel over 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version:
Start date: 2017-02-09
Due date:
% Done: 100%

TYPO3 Version: 8
PHP Version: 7.0
Tags:
Complexity:
Is Regression: Yes
Sprint Focus: Stabilization Sprint

Description

To reproduce:

  1. Go to list module on page 0
  2. Open a backend user record and save
  3. Log out

Expected result

It is not possible to log in with password *********

Actual result

It is possible to log in with password *********


Related issues

Related to TYPO3 Core - Feature #79440: FormEngine element level refactoring Closed 2017-01-24
Related to TYPO3 Core - Bug #79576: master: Password fields in Backend show data (not marked as type="password") Closed 2017-02-01
Duplicated by TYPO3 Core - Bug #79875: Editing fe_users or be_users changes password Closed 2017-02-17
Duplicated by TYPO3 Core - Bug #79876: felogin: Authentication issue, password will be rehashed after saving user data Closed 2017-02-17

Associated revisions

Revision e36479d7 (diff)
Added by Mads Lønne Jensen over 2 years ago

[BUGFIX] Don't update passwords if left untouched

Fixes a bug where editing a backend user record without updating the
password would result in the password being set to
the string literal "*********".

This reverts #79576 because the fix for showing the password hash in the readable
field was wrong and causing this bug.

Instead of forcing the database value in the hidden field to be asterisks,
we now correctly set the type of the human readable field to be password.

This triggers a special handling in the form engine JavaScript, not filling
the human readable field with the database value and switching to type text
when entering a new password.

Resolves: #79714
Reverts: #79576
Releases: master
Change-Id: Ia465293272131c32bbb9fd9b0d3916676e130996
Reviewed-on: https://review.typo3.org/51829
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Tested-by: TYPO3com
Reviewed-by: Mads Lønne Jensen
Tested-by: Mads Lønne Jensen
Reviewed-by: Anders Kostending
Reviewed-by: Faton Haliti
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Revision 1c576539 (diff)
Added by Mads Lønne Jensen over 2 years ago

[BUGFIX] Don't update passwords if left untouched

Fixes a bug where editing a backend user record without updating the
password would result in the password being set to
the string literal "*********".

This reverts #79576 because the fix for showing the password hash in the readable
field was wrong and causing this bug.

Instead of forcing the database value in the hidden field to be asterisks,
we now correctly set the type of the human readable field to be password.

This triggers a special handling in the form engine JavaScript, not filling
the human readable field with the database value and switching to type text
when entering a new password.

Change-Id: Ia465293272131c32bbb9fd9b0d3916676e130996
Resolves: #79714
Reverts: #79576
Releases: master, 8.6
Change-Id: I67b91c076e497ae30b96f3ffa4bab89ce33e9501
Reviewed-on: https://review.typo3.org/51887
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
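
The failure mode described in the commit message above, as an added example that is not TYPO3 code and not part of the original issue. It is a simplified model: the field names, helper functions, scrypt hash format and the "equal to stored value means unchanged" rule in the save handler are assumptions made for illustration.

```javascript
// Simplified model of the regression in #79714; not TYPO3 code. Field names,
// helpers and the scrypt hash format are assumptions made for this example.
const crypto = require('crypto');

const MASK = '*********';

function hashPassword(plain) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(plain, salt, 32);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

function verifyPassword(stored, plain) {
  const [, saltHex, keyHex] = stored.split('$');
  const key = crypto.scryptSync(plain, Buffer.from(saltHex, 'hex'), 32);
  return crypto.timingSafeEqual(key, Buffer.from(keyHex, 'hex'));
}

// What the edit form sends to the browser for the password column.
// masked: hidden field forced to asterisks (the reverted approach).
// fixed:  hidden field keeps the stored value, visible field stays empty.
function renderPasswordField(record, mode) {
  return mode === 'masked'
    ? { hidden: MASK, visible: MASK }
    : { hidden: record.password, visible: '', type: 'password' };
}

// Typing a new password copies it into the hidden field that gets submitted.
function typePassword(field, plain) {
  return { ...field, visible: plain, hidden: plain, type: 'text' };
}

// Save handler: a submitted value equal to the stored one means "unchanged";
// anything else is taken as a new plain-text password and hashed.
function saveRecord(record, field) {
  if (field.hidden === record.password) return record;
  return { ...record, password: hashPassword(field.hidden) };
}

// Open the record, optionally type a password, save, then try to log in.
function editAndLogin(mode, typed, loginWith) {
  const record = { username: 'editor', password: hashPassword('correct horse') };
  let field = renderPasswordField(record, mode);
  if (typed !== null) field = typePassword(field, typed);
  return verifyPassword(saveRecord(record, field).password, loginWith);
}

console.log('masked, untouched, login with mask:', editAndLogin('masked', null, MASK));
console.log('fixed,  untouched, login with mask:', editAndLogin('fixed', null, MASK));
```

A regression test for this class of bug saves the record untouched and then asserts both that the old password still verifies and that the display mask does not.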

History

#1 Updated by Jan Helke over 2 years ago

  • Target version set to 8 LTS

#2 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51829

#3 Updated by Tabea David over 2 years ago

Using the patch, the password field seems to be empty (empty input field), even though a password has been set.
Could you please make sure that it's not possible to log in with a disabled user (this counts for all properties in the Access tab: disabled, starttime, endtime). At the moment, if I disable a user, the user is still able to log in.

Thanks!

#4 Updated by Joerg Kummer over 2 years ago

Cannot confirm what Tabea David mentioned about it being possible to log in ... if the user is disabled.

#5 Updated by Jasmina Ließmann over 2 years ago

I cannot confirm this behavior either. The patch works.
If the user is disabled or time-limited, the login does not work for this user.

#6 Updated by Tabea David over 2 years ago

  • File screencast.mp4 added

Thanks for your feedback. What am I doing wrong? I set up a fresh installation and am able to reproduce this behaviour.
This installation has no additional settings, just 1 fe_group, 1 fe_user, 1 content element "Login".
The Setup looks like this:

page = PAGE
page.10 < styles.content.get

Include static: fluid_styled_content

I added a short screencast, maybe someone has an idea what's missing.

#7 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51829

#8 Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51829

#9 Updated by Mads Lønne Jensen over 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#10 Updated by Helmut Hummel over 2 years ago

Tabea David wrote:

What am I doing wrong?

Nothing. A fix for that (different) issue will follow shortly.

#11 Updated by Alexander Grein over 2 years ago

Is there already an issue for the second problem?
As far as I found out, the enable fields in the auth service will be ignored.
It's also possible to log in with a user marked as deleted, not "only" disabled!

#12 Updated by Gerrit Code Review over 2 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_8-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51887

#13 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch TYPO3_8-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51887

#14 Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch TYPO3_8-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51887

#15 Updated by Gerrit Code Review over 2 years ago

Patch set 4 for branch TYPO3_8-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/51887

#16 Updated by Tabea David over 2 years ago

  • File deleted (screencast.mp4)

#17 Updated by Mads Lønne Jensen over 2 years ago

  • Status changed from Under Review to Resolved

#18 Updated by Riccardo De Contardi almost 2 years ago

  • Status changed from Resolved to Closed
