  1. Jetspeed (Retired)
  2. JS1-516

UserUpdateAction re-encrypts encrypted password when secure.passwords=true


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.5
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None
    • Environment: Database: Postgres
      JVM: J2SDK 1.4.02_04
      OS: Red Hat 9.x/Windows XP SP2

    Description

      UserUpdateAction re-encrypts encrypted password when secure.passwords=true

      This makes the edit user capability unusable unless the purpose was also to reset the password.

      I've been throwing around something simple, such as:

      services.JetspeedSecurity.secure.passwords.allowblank=true|false

      UserUpdateAction.doUpdate: Null password is ok, depending on
      if secure.passwords=true {
          if (password != null) {
              forcePassword(user, password)
          } else {
              if secure.passwords.allowblank {
                  if (unsetpassword) {
                      forcePassword(user, "")
                  }
              } else {
                  // Skip, no changes
              }
          }
      }

      Modify user-form.vm to add a checkbox next to the password field (if secure.passwords.allowblank=true), e.g., Unset Password

          People

            Unassigned Unassigned
            artd@artd3.com Arthur D'Alessandro
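
The following is an added example, not code from the report or from Jetspeed: a self-contained Java sketch of the reported failure (an already-encrypted value being encrypted again on update) next to the update logic proposed in the description. All class and method names are hypothetical, SHA-256 stands in for whatever digest secure.passwords applies, and it assumes the edit form posts the stored digest back in the password field.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class PasswordUpdateDemo {
    // Hypothetical stand-in for the digest applied when secure.passwords=true.
    static String encrypt(String clear) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(clear.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean login(Map<String, String> db, String user, String clear) {
        return encrypt(clear).equals(db.get(user));
    }

    // Reported behaviour: whatever arrives in the password field is encrypted again.
    static void buggyUpdate(Map<String, String> db, String user, String field) {
        db.put(user, encrypt(field));
    }

    // Proposed behaviour: only touch the stored value on an explicit change or unset.
    static void proposedUpdate(Map<String, String> db, String user, String field,
                               boolean unsetPassword, boolean allowBlank) {
        if (field != null && !field.isEmpty()) {
            db.put(user, encrypt(field));      // new clear-text password supplied
        } else if (allowBlank && unsetPassword) {
            db.put(user, encrypt(""));         // "Unset Password" checkbox ticked
        }                                      // otherwise: skip, no changes
    }

    public static void main(String[] args) {
        Map<String, String> db = new HashMap<>();
        db.put("alice", encrypt("s3cret"));    // constructed sample account
        Map<String, String> buggy = new HashMap<>(db);
        buggyUpdate(buggy, "alice", buggy.get("alice")); // form echoed the stored digest
        System.out.println("buggy edit, login ok:    " + login(buggy, "alice", "s3cret"));
        proposedUpdate(db, "alice", null, false, true);  // profile edit, password untouched
        System.out.println("proposed edit, login ok: " + login(db, "alice", "s3cret"));
        proposedUpdate(db, "alice", null, true, true);   // explicit unset
        System.out.println("after unset, blank login: " + login(db, "alice", ""));
    }
}
```

In this sketch the proposed handler treats an empty field the same as a null one, which is an assumption beyond the `password != null` check in the description.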