View Issue Details | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
---|---|---|---|---|---|---|---|---|---|
0001050 | v3.0 Release | [All Projects] General | public | 2012-01-23 11:20 | 2013-08-28 11:20 | ||||
Reporter | jbeardshouse | ||||||||
Assigned To | caseydk | ||||||||
Priority | normal | Severity | minor | Reproducibility | always | ||||
Status | closed | Resolution | fixed | ||||||
Product Version | |||||||||
Target Version | Fixed in Version | 3.0.0 | |||||||
Summary | 0001050: LDAP does not update user passwords | ||||||||
Description | When using LDAP, the passwords in the database do not get updated. This became an issue as the DPDesktop plugin looks in the database for authentication. While the DPDesktop plugin should probably be changed to use regular w2p auth structures, there is code in the W2P LDAP module to update the password hashes in the database. This functionality is broken in 2.4. | ||||||||
Additional Information | I fixed the issue with the following modifications: 1. Passwords get double md5ed, change `classes/w2p/Authenticators/LDAP.class.php:86` from `$tmpUser->user_password = $hash_pass;` to `$tmpUser->user_password = $password;` 2. Permissions check issue, change `modules/admin/admin.class.php:50` from `if ($this->user_id && $perms->checkModuleItem('users', 'edit', $this->user_id)) {` to `if ($this->user_id && $perms->checkModuleItem('users', 'edit', null, $this->user_id)) {` Please review my changes for correctness (not 100% sure about the null). | ||||||||
Tags | No tags attached. | ||||||||
Attached Files |
jbeardshouse (reporter) 2012-01-23 11:51 |
The fix I provided above only works if the user has certain permissions like admin. For regular users the permissions check will fail. I think this is because regular users don't have the "users-edit" permission (maybe). I'm not sure the permission check is needed as the user is already authenticated at this point (and should be able to change their own password). It looks like in other places in the code that set the password the user is also authenticated. Or maybe a different permission needs to be checked. A person more familiar with the code should check this out. |
caseydk (administrator) 2012-11-06 15:02 |
- It looks like the double-MD5 was cleaned up a while back. - Also, the permissions were reworked. You can see the result as `canEdit()` in `./modules/admin/users.class.php`. It explicitly allows a user to always edit themselves. |
Date Modified | Username | Field | Change |
---|---|---|---|
2012-01-23 11:20 | jbeardshouse | New Issue | |
2012-01-23 11:51 | jbeardshouse | Note Added: 0002382 | |
2012-04-21 19:07 | caseydk | Project | v2.4 Release (Closed) => v3.0 Release |
2012-11-06 15:02 | caseydk | Note Added: 0002695 | |
2012-11-06 15:02 | caseydk | Status | new => resolved |
2012-11-06 15:02 | caseydk | Resolution | open => fixed |
2012-11-06 15:02 | caseydk | Assigned To | => caseydk |
2013-08-28 11:14 | caseydk | Fixed in Version | => 3.0.0 |
2013-08-28 11:20 | caseydk | Status | resolved => closed |