2019-10-22 19:09 PDT

View Issue Details
ID: 0001050
Project: v3.0 Release
Category: [All Projects] General
View Status: public
Last Update: 2013-08-28 11:20
Reporter: jbeardshouse
Assigned To: caseydk
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 3.0.0
Summary: 0001050: LDAP does not update user passwords
Description: When using LDAP, the passwords in the database do not get updated. This became an issue as the DPDesktop plugin looks in the database for authentication. While the DPDesktop plugin should probably be changed to use regular w2p auth structures, there is code in the W2P LDAP module to update the password hashes in the database. This functionality is broken in 2.4.
Additional Information: I fixed the issue with the following modifications:
1. passwords get double md5ed, change
  classes/w2p/Authenticators/LDAP.class.php:86
  $tmpUser->user_password = $hash_pass;
  to
  $tmpUser->user_password = $password;
2. permissions check issue, change
  modules/admin/admin.class.php:50
  if ($this->user_id && $perms->checkModuleItem('users', 'edit', $this->user_id)) {
  to
  if ($this->user_id && $perms->checkModuleItem('users', 'edit',null, $this->user_id)) {

Please review my changes for correctness (not 100% sure about the null).
Tags: No tags attached.
Attached Files
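
The double-hash mismatch from item 1, as an added example that is not part of the original report or of web2project's code. The names store_user_password(), db_authenticate() and classify_stored_hash() are hypothetical, and the example assumes the storage path applies md5() to whatever value it is given.

```php
<?php
// Added illustration; all function names are hypothetical, not web2project's API.
// md5() is used only because it is the scheme the report names.

// Assumed storage layer: hashes whatever it is handed before writing the row.
function store_user_password(array &$db, string $user, string $value): void {
    $db[$user] = md5($value);
}

// A consumer that authenticates against the table directly (the role the
// report gives the DPDesktop plugin): it expects md5(plaintext) in the row.
function db_authenticate(array $db, string $user, string $password): bool {
    return isset($db[$user]) && hash_equals($db[$user], md5($password));
}

// Diagnostic for a test account whose password is known: reports whether
// the stored value was produced by one or two MD5 rounds.
function classify_stored_hash(string $stored, string $password): string {
    $once = md5($password);
    if (hash_equals($stored, $once)) {
        return 'single';
    }
    if (hash_equals($stored, md5($once))) {
        return 'double';
    }
    return 'unknown';
}

$password = 'Constructed-Test-Pw1'; // constructed sample value
$db = [];

// Before the fix: the LDAP sync hands over an already-hashed value,
// so the row ends up holding md5(md5(password)) and the lookup fails.
$hash_pass = md5($password);
store_user_password($db, 'alice', $hash_pass);
var_dump(db_authenticate($db, 'alice', $password));
echo classify_stored_hash($db['alice'], $password), "\n";

// After the fix: the sync hands over the plaintext and the store hashes once.
store_user_password($db, 'alice', $password);
var_dump(db_authenticate($db, 'alice', $password));
echo classify_stored_hash($db['alice'], $password), "\n";
```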


Notes

~0002382

jbeardshouse (reporter)

The fix I provided above only works if the user has certain permissions like admin. For regular users the permissions check will fail. I think this is because regular users don't have the "users-edit" permission (maybe). I'm not sure the permission check is needed as the user is already authenticated at this point (and should be able to change their own password). It looks like other places in the code that set the password the user is also authenticated. Or maybe a different permission needs to be checked.
A person more familiar with the code should check this out.

~0002695

caseydk (administrator)

- It looks like the double-MD5 was cleaned up a while back

- Also, the permissions were reworked. You can see the result as canEdit() in ./modules/admin/users.class.php. It explicitly allows a user to always edit themselves.

Issue History
Date Modified Username Field Change
2012-01-23 11:20 jbeardshouse New Issue
2012-01-23 11:51 jbeardshouse Note Added: 0002382
2012-04-21 19:07 caseydk Project v2.4 Release (Closed) => v3.0 Release
2012-11-06 15:02 caseydk Note Added: 0002695
2012-11-06 15:02 caseydk Status new => resolved
2012-11-06 15:02 caseydk Resolution open => fixed
2012-11-06 15:02 caseydk Assigned To => caseydk
2013-08-28 11:14 caseydk Fixed in Version => 3.0.0
2013-08-28 11:20 caseydk Status resolved => closed