Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

version 5.1.1 is broken when attempting to change password in /@@change-password #55

Open
avolkov opened this issue Feb 11, 2020 · 2 comments
Open

version 5.1.1 is broken when attempting to change password in /@@change-password #55

avolkov opened this issue Feb 11, 2020 · 2 comments

Comments

@avolkov
Copy link

avolkov commented Feb 11, 2020

Expected:

Change password when entering new password under /@@change-password

Occurred:

The following traceback

2020-02-11 14:57:41 ERROR Zope.SiteErrorLog 1581451061.260.0946119471998 http://localhost:8080/site/@@change-password
Traceback (innermost last):
  Module ZPublisher.Publish, line 138, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 48, in call_object
  Module zope.formlib.form, line 868, in __call__
  Module five.formlib.formbase, line 50, in update
  Module zope.formlib.form, line 835, in update
  Module zope.formlib.form, line 722, in handleSubmit
  Module zope.formlib.form, line 636, in validate
  Module zope.formlib.form, line 573, in <lambda>
  Module plone.app.users.browser.personalpreferences, line 447, in validate_password
  Module Products.PlonePAS.tools.membership, line 566, in testCurrentPassword
AttributeError: getUserId

The code in question is on the following line -- https://github.com/plone/Products.PlonePAS/blob/5.1.1/src/Products/PlonePAS/tools/membership.py#L566

There was a fix for this introduced in Products.PlonePAS 6.0.0 -- 368a312

But the dependencies for version 6.0.0 require upgrade to Plone 5, (I'm running Plone 4.3 with sunburst theme, so it is not feasible at this point).

Is it possible to backport the fix into 5.x tree and release it as 5.1.2, or at least add a definition for getUserId method -- https://github.com/plone/Products.PlonePAS/blob/master/src/Products/PlonePAS/tools/memberdata.py#L466
@mauritsvanrees
Copy link
Sponsor Member

The real change in 6.0.0 was in a80db7d. That was done because it was needed in combination with a newer CMFCore version, see issue #24. In your version, the fix should not be needed, because you will be using an older version of CMFCore.

I am pretty sure changing a password works in standard Plone 4.3. I tried it in the core development buildout:

  • Create a Plone Site, setup the email config for good measure.
  • Add a user.
  • Login as this user.
  • Go the the @@change-password page and fill this in.
  • Works fine, without traceback.

Are you doing anything different?
Do you have user-related add-ons in your site, for example for LDAP, or some membrane-related add-on (users as content)?

@avolkov
Copy link
Author

avolkov commented Mar 10, 2020

I'm upgrading from Plone 3.x to 4.x. I'm using the following version pin -- https://dist.plone.org/release/4.3-latest/versions.cfg. Maybe this is causing the problem.

I had several issues with auth, this one in particular seemed to be caused because I previously changed the password through ZMI, and apparently it uses different auth/encryption plugin service than @@change-password url.

This doesn't affect all users, only the users who changed pass through zmi. At this point I'm

For this particular problem I used monkeypatch in configure.zcml to add a workaround that doesn't call the missing getUserId method.

   <monkey:patch
     description="Fixing password auth for /poa/@@change-password url"
     class="Products.PlonePAS.tools.membership.MembershipTool"
     original="testCurrentPassword"
     replacement=".patch.patchedTestCurrentPassword"
   />

Then added new definition of authentication credentials.

security.declarePrivate('authenticateCredentials')
def authenticateCredentials(self, credentials):
    """Custom version to use legacy password hashes

    See IAuthenticationPlugin.

    o We expect the credentials to be those returned by
      ILoginPasswordExtractionPlugin.
    """
    login = credentials.get('login')
    password = credentials.get('password')

    if login is None or password is None:
        return None

    # Do we have a link between login and userid?  Do NOT fall
    # back to using the login as userid when there is no match, as
    # that gives a high chance of seeming to log in successfully,
    # but in reality failing.
    userid = self._login_to_userid.get(login)
    if userid is None:
        # Someone may be logging in with a userid instead of a
        # login name and the two are not the same.  We could try
        # turning those around, but really we should just fail.
        #
        # userid = login
        # login = self._userid_to_login.get(userid)
        # if login is None:
        #     return None
        return None
    reference = self._user_passwords.get(userid)

    if reference is None:
        return None

    if AuthEncoding.is_encrypted(reference):
        if AuthEncoding.pw_validate(reference, password):
            return userid, login

    digested = sha(password).hexdigest()
    if reference == digested:
        return userid, login

    return None

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mauritsvanrees @avolkov