MantisBT - v3.0 Release
View Issue Details
ID: 0001050 | Project: v3.0 Release | Category: [All Projects] General | View Status: public | Date Submitted: 2012-01-23 11:20 | Last Update: 2013-08-28 11:20
Reporter: jbeardshouse
Assigned To: caseydk
Priority: normal | Severity: minor | Reproducibility: always
Status: closed | Resolution: fixed
Platform: | OS: | OS Version:
Product Version:
Target Version: | Fixed in Version: 3.0.0
Summary: 0001050: LDAP does not update user passwords
Description: When using LDAP, the passwords in the database do not get updated. This became an issue as the DPDesktop plugin looks in the database for authentication. While the DPDesktop plugin should probably be changed to use regular w2p auth structures, there is code in the W2P LDAP module to update the password hashes in the database. This functionality is broken in 2.4.
Additional Information: I fixed the issue with the following modifications:
1. Passwords get double md5ed, change
  classes/w2p/Authenticators/LDAP.class.php:86
  $tmpUser->user_password = $hash_pass;
  to
  $tmpUser->user_password = $password;
2. Permissions check issue, change
  modules/admin/admin.class.php:50
  if ($this->user_id && $perms->checkModuleItem('users', 'edit', $this->user_id)) {
  to
  if ($this->user_id && $perms->checkModuleItem('users', 'edit',null, $this->user_id)) {

Please review my changes for correctness (not 100% sure about the null).
Tags: No tags attached.
Attached Files
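
The double-hashing failure from item 1 of the report, as an added example that is not part of the original issue and is not web2project code. It assumes the user object MD5-hashes `user_password` when it is stored; `DemoUser`, `syncPassword` and `dbAuthenticates` are hypothetical names.

```php
<?php
// Added illustration. All class and function names here are hypothetical.

// Assumption: store() hashes whatever is in user_password, so a value that
// was already hashed by the caller ends up as md5(md5(password)).
class DemoUser
{
    public $user_password = '';
    public $stored_hash = '';

    public function store()
    {
        $this->stored_hash = md5($this->user_password);
    }
}

// Stand-in for a consumer that reads the hash straight from the database,
// as the description says the DPDesktop plugin does.
function dbAuthenticates($storedHash, $password)
{
    return hash_equals($storedHash, md5($password));
}

// Sync the local hash after a successful LDAP login.
// $preHash = true reproduces the reported behaviour, false the proposed fix.
function syncPassword(DemoUser $user, $password, $preHash)
{
    $user->user_password = $preHash ? md5($password) : $password;
    $user->store();
    return $user->stored_hash;
}

$password = 'constructed-sample-password'; // constructed test value

$buggy = syncPassword(new DemoUser(), $password, true);
$fixed = syncPassword(new DemoUser(), $password, false);

// Regression checks a test suite could keep: the synced hash must verify
// against the password, and must not equal the hash of the hash.
$checks = array(
    'pre-hashed sync verifies'   => dbAuthenticates($buggy, $password),
    'pre-hashed sync is md5(md5)' => hash_equals(md5(md5($password)), $buggy),
    'plaintext sync verifies'    => dbAuthenticates($fixed, $password),
);
foreach ($checks as $label => $result) {
    printf("%-28s %s\n", $label . ':', var_export($result, true));
}
```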

Notes
(0002382)
jbeardshouse   
2012-01-23 11:51   
The fix I provided above only works if the user has certain permissions like admin. For regular users the permissions check will fail. I think this is because regular users don't have the "users-edit" permission (maybe). I'm not sure the permission check is needed as the user is already authenticated at this point (and should be able to change their own password). It looks like in other places in the code that set the password, the user is also authenticated. Or maybe a different permission needs to be checked.
A person more familiar with the code should check this out.
(0002695)
caseydk   
2012-11-06 15:02   
- It looks like the double-MD5 was cleaned up a while back

- Also, the permissions were reworked. You can see the result as canEdit() in ./modules/admin/users.class.php. It explicitly allows a user to always edit themselves.

Issue History
2012-01-23 11:20 | jbeardshouse | New Issue
2012-01-23 11:51 | jbeardshouse | Note Added: 0002382
2012-04-21 19:07 | caseydk | Project | v2.4 Release (Closed) => v3.0 Release
2012-11-06 15:02 | caseydk | Note Added: 0002695
2012-11-06 15:02 | caseydk | Status | new => resolved
2012-11-06 15:02 | caseydk | Resolution | open => fixed
2012-11-06 15:02 | caseydk | Assigned To | => caseydk
2013-08-28 11:14 | caseydk | Fixed in Version | => 3.0.0
2013-08-28 11:20 | caseydk | Status | resolved => closed