View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001129||Main CAcert Website||account administration||public||2012-12-18 14:14||2015-02-03 21:22|
|Reporter||Werner Dworak||Assigned To||janmaco|
|Product Version||2012 Q4|
|Summary||0001129: When SE reveals the five secred questions and answers no warning is sent to the member|
|Description||I am Support Engineer. When on the life system at the SE console I open my own account and I reveal the five secret questions, no warning mail to my account is created. I did the same on the test server with a foreign account, here the same.|
On the other side if at "My Details" I open "Edit", the I get the warning mail as I should.
|Tags||No tags attached.|
|Test Instructions||view the 5 PW questions in the support console, check if there was a mail send to the account that was looked at|
|related to||0000860||closed||BenBE||someone accessed your password and secret questions page, plz change pwd translation mixed and garbled, text is tanslated in TL|
|related to||0000408||confirmed||Improve the 5 QA warning message sent to the user on 5 QA set access|
|related to||0001138||closed||NEOatNHNG||Implement to log the SE activity|
|related to||0000028||closed||NEOatNHNG||0000026 Wrong language for ''you've been assured'' & ''[CAcert.org] Client Certificate'' emails|
|related to||0000612||needs review & testing||NEOatNHNG||Add IP address and time stamp to someone viewed your lost password questions notice.|
|related to||0001092||needs work||NEOatNHNG||Mail is not send on Menue Click when Support Engineer ist looking at it|
|related to||0001135||closed||egal||Extend database table AdminLog et al|
I have a patch for this bug here: https://github.com/yellowant/cacert-devel/commit/8ff237fcab255eb1f3645c496a7a9414b7e377f4 (depending on bug 612)
I logged in as support admin. I looked up an account and checked the pw questions for that account.
Afterwards I got a mail.
-> ok so far.
BUT the mail itself has 2 issues:
a) it did NOT tell that the lookup was done by a support engineer, but: "You receive this automatic mail since you yourself or someone else looked "
That is confusing, as it is definitly clear that it was NOT done by "you". On the contrary it is clear that it was done by support.
This information is quite relevant to have if one has requested support to look up those questions, as then one knows why a lookup by support is taking place. But the text implies that it was done by a user, so it looks like a hack to the account.
B) The mail contains parts of the ip address of the support engineer.
There is definitly no need for this, especially if the mail tells you that it was done by support. The access IS logged in the account history as support activity. Any supporter can look up WHO did the support access, if they get asked for this. This is enough to identify the support team member - even better as with an anonymised ip address.
As such access mostly should be done by someone who was asked to do it by the user and by this is allowed to do this by the SP. There is no reason to force to reveal any personal identifiable data about the support engineer in this case, even not partly. It is of no relevance where on the world the support engineer is staying while doing support work.
IIF this information is needed it could be checked via logs. Those have to exist because of:
SP 8.4. Records and Logs
use of restricted interfaces must be logged.
=> it is working but the mail text is not matching the needs
||Maybe a fix regarding to note 0005248: https://github.com/yellowant/cacert-devel/commit/f4640b86d408433a0aea7ff9665e12f6f204c38d|
||The mail text has been changed for the support engineer case.|
This mail still gets sent. There is no Subnet anymore. There is still the Time.
I logged into an admin account and looked up an account. I entered a ticket number and looked at the PW details.
I checked the mails for the users account. An information mail was there.
The mail did not reveal information about the identity of the support team member who did the lookup.
The mail was addressing correctly the situation that the PW details were looked up from the support console and not via a normal user access (of the users account).
I also verified that:
- the PW lookup was displayed in the admin log table from support with the name of the support account from which I had looked at the PW details.
- the PW lookup was displayed in the users account history but without the name of the support account.
-> both were correct.
The wording of the mail was not optimal. I would prefer a "because" instead of a "since" in the first line. But that is only a minor detail.
||Replaced 'since' with 'because': https://github.com/yellowant/cacert-devel/compare/011b4c1a1538...c564dabc866e|
I did the same checks as before. Everything is correct. -> ok
"since" was replaced with "because" in the email -> ok
I also retested. The mail still gets sent. The text was improved
=> test PASSED
I did the same checks as Eva did, and got the same results. -> ok
|2012-12-18 14:14||Werner Dworak||New Issue|
|2012-12-18 14:37||Werner Dworak||Relationship added||related to 0000612|
|2012-12-20 16:39||Werner Dworak||Relationship added||related to 0001092|
|2012-12-27 08:57||Werner Dworak||Status||new => needs work|
|2013-01-07 23:11||Werner Dworak||Relationship added||related to 0000860|
|2013-01-07 23:46||Werner Dworak||Relationship added||related to 0000408|
|2013-01-09 14:42||Werner Dworak||Relationship added||related to 0001135|
|2014-04-29 20:56||INOPIAE||Relationship added||related to 0001138|
|2014-06-15 13:05||felixd||Relationship added||related to 0000028|
|2014-12-23 23:34||janmaco||Note Added: 0005200|
|2014-12-23 23:34||janmaco||Note Edited: 0005200||View Revisions|
|2014-12-24 11:12||janmaco||Note Edited: 0005200||View Revisions|
|2015-01-13 22:06||janmaco||Assigned To||=> janmaco|
|2015-01-13 22:06||janmaco||Status||needs work => fix available|
|2015-01-14 00:29||BenBE||Reviewed by||=> BenBE|
|2015-01-14 00:29||BenBE||Status||fix available => needs review & testing|
|2015-01-14 00:29||BenBE||Product Version||=> 2012 Q4|
|2015-01-20 21:11||Eva||Test Instructions||=> view the 5 PW questions in the support console, check if there was a mail send to the account that was looked at|
|2015-01-20 21:38||Eva||Note Added: 0005248|
|2015-01-20 22:15||janmaco||Note Added: 0005252|
|2015-01-20 22:57||BenBE||Note Added: 0005253|
|2015-01-20 23:19||felixd||Note Added: 0005255|
|2015-01-21 22:08||Eva||Note Added: 0005258|
|2015-01-21 22:12||janmaco||Note Added: 0005259|
|2015-02-03 20:45||Eva||Note Added: 0005302|
|2015-02-03 21:21||felixd||Note Added: 0005303|
|2015-02-03 21:21||felixd||Status||needs review & testing => needs review|
|2015-02-03 21:22||Patrick||Note Added: 0005304|