Change password bug?

Author Message

John Moritz

Sunday 30 November 2008 3:00:34 pm

I am just playin around with the "My Profile" templates and found out, that i can change my password in two different ways.

The one solution is very good, because you have to know the "old password" to change it to a new one.
But then i saw that i can change my password on another edit page where i can find the email adress and my first and last name (etc.). On this page i dont need to know the old password to change it. Thats a little security issue. I dont know hot to disable this now, editing the template and delete the password forms will help me quick, but i think a better experienced user can change the password anyway. I dont understand why on one page i need my old password and on the other i dont?

Any comments on how i can fix that?

Gaetano Giunta

Monday 01 December 2008 2:43:08 am

Can you give the url of the two pages you are using?

The best way to disable them is probably via the access policies setup in site.ini...

Principal Consultant International Business
Member of the Community Project Board

John Moritz

Monday 01 December 2008 6:35:41 am

The first page ist /user/edit/$user_id
On that page you can choose between "edit profile" or "change password".
"edit profile" takes you to: /content/edit/$user_id
"change password" takes you to: /user/password/$user_id

I only want the "change password" possibillity for changing the password, because only there you have to know the old password.

I can not dissable "edit profile" because then the user can not change profile preferences like e-mail-address.
But... another Problem i found out today is, that when i change my e-mail-address, there is no validation. Realy bad... what happens when a user changes his e-mail-address and make a mistake. He will not know that this happend. Six month later he forgots his password, now the "forgotten password?" function has no functionality for him, because the system doesnt know his real e-mail.

Now i think about to outsource the whole "User Profile" thing and make my own validation things, like i want it.

Gaetano Giunta

Tuesday 02 December 2008 1:29:19 am

One first note: user/edit is considered deprecated, and not described in the online documentation. So better not to use it at all.

Then it sounds very strange to me that the user email is not validated when editing the user details as content object: if you look at the code, it is in file kernel/classes/datatypes/ezuser/ezusertype.php, function validateObjectAttributeHTTPInput.

Maybe the code you are using is a bit different / has been patched?

PS: make sure when you assign permission that user x has no right to edit the account of user y...

Principal Consultant International Business
Member of the Community Project Board

John Moritz

Tuesday 02 December 2008 7:28:30 am

I am working on a fresh install of 4.0.1 with ezFlow.
On the ezFlow demo page i can login, then there is a link "My Profile". If i click on that link, it brings me to /user/edit/$user_id. So how can this be deprecated, its the standard profile page of ezPublish? I didnt hack anything on kernel!

Maybe you misunderstood something about the e-mail-validation. You are right, if i type in mymail.domain.com, there comes a warning that the e-mail-address is not valid. But what happens when my address is [email protected] and i type in [email protected]? Its valid for ezPublish but a mistake in writing by the user, and believe me, those things happens very often. There are so much people writing to me that hey got no registration E-Mail. When i compare the addresses i know why...
So i am always looking for a solution where every user and webmaster is safe.

At the moment i run my project on a cms written by myself. On that project, when a user changes the e-mail address he gets an validation link sendet to his mail-account. Only after klicking on that link, the new mail-address is active. This makes also sense, when you want to restrict users to registrate more than 1 account with the same e-mail address. At the moment i can registrate as many users as i want with the same e-mail address on all ezPublish sites (tryed it). Just registrate, change the e-mail address on profile page to one thats maybe not mine, registrate new account with same address as the first user etc.....

At the end, i can have as many useraccounts i want, with the same e-mail-address. But i want to restrict that. (RequireUniqueEmail=true)
Not realy a security issue, but not nice!
But like i said, i will hack this for myself.

André R.

Tuesday 02 December 2008 9:44:27 am

user/edit is just a alias of content/edit, so you need to have permission to edit your own user object. And I don't know about you, but mostly you would need to login to be able to edit your own object(user/edit), so you should know your password ;)

But you seem to have specific need for the user module, so best to disable it, fork it, rename it to zuser or something and edit to your likes.
Then you'll need to:
a. fork the ezuser datatype to change it's validation
or
b. disable zuser/edit and create custom views where users can change email.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Łukasz Serwatka

Tuesday 02 December 2008 11:38:29 am

Hi there,

One first note: user/edit is considered deprecated, and not described in the online documentation. So better not to use it at all.

This is interesting. Do you know any details why we consider it as deprecated? And what we recommend to use instead? I'm just curios as I did not hear anything about that.

Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog

André R.

Tuesday 02 December 2008 2:49:48 pm

Its written in user/module.php.
A pity since user/edit lets you avoid having the user id in the url from 4.1 and up (good cache wise), and since it gives one page for all user related stuff that can easily be extended by overriding the template.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Łukasz Serwatka

Tuesday 02 December 2008 11:14:35 pm

I think FH was a bit to hurry with deprecating it. As there is no good argument why was deprecated. There are many benefits of having it.

Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog

John Moritz

Wednesday 03 December 2008 2:19:58 am

Where can i find 4.1?
When will it be released official?
Can i use my extensions build for 4.0.1 on 4.1?

Gaetano Giunta

Wednesday 03 December 2008 9:41:44 am

Well, it has been deprecated since 2005 but apparently never died. Maybe it can be ressuscitated?

On a more serious note, even though the functionality of re-checking the email when it is updated by the user can be implemented via a custom module (or maybe just a workflow?), I think the check for mail uniqueness should be moved into the validation rules of the datatype, so that is is enforced regardless of the module code

Principal Consultant International Business
Member of the Community Project Board

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.