View Issue Details

IDProjectCategoryView StatusLast Update
0000953Main CAcert Websitemy accountpublic2013-01-15 17:23
ReporterINOPIAE Assigned ToUli60  
PrioritylowSeverityminorReproducibilityalways
Status closedResolutionno change required 
Fixed in Version2011 Q3 
Summary0000953: After change of password change on account.php?id=14 does not meet requirements wrong redirect
DescriptionWhile testing bug 637
I found when change my password and the new password is not matching the requirements e.g. "aaaa" only the message that the password is not accepted but there are no fields to enter the new password
Additional InformationSuggestion to redirect the answer onto account.php?id=14
TagsNo tags attached.
Attached Files
account.php (119,730 bytes)
Reviewed bydastrath, NEOatNHNG
Test Instructions

Relationships

related to 0000637 closedNEOatNHNG Password suggestion always the same 

Activities

Uli60

2011-07-06 20:42

updater   ~0002095

trying to reproduce the reported bug:
password login to cert.unknown@w...de
logged-in
My Details - Change Password
Old Pwd: entering old password
New Pwd: aaaa
Retype: aaaa
Results in new page: "The Pass Phrase you submitted was too short."
Here "only" text: "Error" or "Password not changed" info is missing
Logout - relogin with old, not changed password works.
So here there is no bug
the routine works as expected

Uli60

2011-07-06 20:53

updater   ~0002096

Last edited: 2011-07-06 21:01

the resulting text page is the last page of the
change password routine.
password has not been changed and the "old" password still is active.
So if the user wants another try for a password change, the user has to select again the My Details - Change Password function.
In general this is a design consideration.
For a clear workflow schema
1. the workflow starts with the trigger (My Details - Change Password)
2. the 2nd step is the change password form
3. dependent on the result of the change process, the last page is either
   a success message text or a failed change password message text page
4. finished
On failure the user has to trigger the function again.
Using this workflow this prevents a potential clash of a no longer working password.
The password state is either a) changed or b) not changed

The only adjusted enhancement is a better worded text
for a) Failure -> Error, Warning or similiar
   eg Failure: Password not changed, 2nd line with details info
and b) Success -> Success
   eg Success: New Password has been set

Uli60

2011-07-06 21:05

updater   ~0002098

Last edited: 2011-07-06 21:41

only suggested text adjustments
if modifications in text
 its position is /includes/account.php l.1281 ff.

the password change routine is not a script to next script workflow procedure
(eg id=14 -> oldid=14 -> next id=15)
instead the pwchange handling refers to the central monster script /includes/account.php (117 Kb)
to prevent problems with the id workflow, the process should end with either success or failure. So the existing workflow should not be changed.

Uli60

2011-07-06 21:35

updater   ~0002099

/includes/account.php l.1281 ff.
added "Success" or "Failure" lines to report result text page

NEOatNHNG

2011-07-12 22:11

administrator   ~0002118

Reviewed and added modified version to test server. Needs testing and second review.

Uli60

2011-07-13 21:18

updater   ~0002128

My Details - Change Password
old pwd
new pwd aaaa
update passphrase
Failure: Password not Changed (strong, red on white)
The Pass Phrase you submitted was too short. (black on white)
=> ok

My Details - Change Password
old pwd
new pwd
update passphrase
Password Changed Successfully (strong, black on white)
Your Pass Phrase has been updated and your primary email account has been notified of the change. (black on white)
=> ok

INOPIAE

2011-07-23 05:22

updater   ~0002181

My Details - Change Password
old pwd
new pwd aaaa or 111111111111
update passphrase
Failure: Password not Changed (strong, red on white)
The Pass Phrase you submitted was too short. (black on white) or The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored 1 points out of 6.
=> ok
Used different no allowed passwords. The behavior always was as designed.

My Details - Change Password
old pwd
new pwd
update passphrase
Password Changed Successfully (strong, black on white)
Your Pass Phrase has been updated and your primary email account has been notified of the change. (black on white)
=> ok

Uli60

2011-08-02 22:09

updater   ~0002256

needs review & deploy

egal

2011-08-02 22:20

administrator   ~0002260

Changes are correct after changing Password to Pass Phrase

Uli60

2011-08-02 22:34

updater   ~0002264

Last edited: 2011-08-02 22:34

reviewed by dirk and .. neo

NEOatNHNG

2011-08-02 23:04

administrator   ~0002270

Mail sent to critical admins

wytze

2011-08-03 10:18

developer   ~0002278

Patch applied to production system on August 3, 2011. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2011-08/msg00005.html

Werner Dworak

2012-12-21 05:17

updater   ~0003520

More than 3 month fixed and no complaints

Issue History

Date Modified Username Field Change
2011-06-21 22:40 INOPIAE New Issue
2011-06-21 22:41 INOPIAE Relationship added related to 0000637
2011-07-06 20:42 Uli60 Note Added: 0002095
2011-07-06 20:53 Uli60 Note Added: 0002096
2011-07-06 20:53 Uli60 Status new => solved?
2011-07-06 20:53 Uli60 Resolution open => no change required
2011-07-06 20:58 Uli60 Assigned To => Uli60
2011-07-06 20:58 Uli60 Status solved? => needs feedback
2011-07-06 20:58 Uli60 Resolution no change required => reopened
2011-07-06 21:01 Uli60 Note Edited: 0002096
2011-07-06 21:05 Uli60 Note Added: 0002098
2011-07-06 21:05 Uli60 Priority normal => low
2011-07-06 21:05 Uli60 Status needs feedback => needs work
2011-07-06 21:05 Uli60 Resolution reopened => no change required
2011-07-06 21:19 Uli60 Note Edited: 0002098
2011-07-06 21:32 Uli60 File Added: account.php
2011-07-06 21:35 Uli60 Note Added: 0002099
2011-07-06 21:35 Uli60 Status needs work => fix available
2011-07-06 21:41 Uli60 Note Edited: 0002098
2011-07-12 21:55 NEOatNHNG Source_changeset_attached => cacert-devel master f1178340
2011-07-12 21:55 NEOatNHNG Source_changeset_attached => cacert-devel master 5bb9baba
2011-07-12 22:05 NEOatNHNG Source_changeset_attached => cacert-devel master d1b2d6f7
2011-07-12 22:05 NEOatNHNG Source_changeset_attached => cacert-devel master a759a1fa
2011-07-12 22:11 NEOatNHNG Note Added: 0002118
2011-07-12 22:11 NEOatNHNG Status fix available => needs review & testing
2011-07-12 22:11 NEOatNHNG Reviewed by => NEOatNHNG
2011-07-13 21:18 Uli60 Note Added: 0002128
2011-07-23 05:22 INOPIAE Note Added: 0002181
2011-08-02 21:55 NEOatNHNG Source_changeset_attached => cacert-devel master e96468cb
2011-08-02 21:55 NEOatNHNG Source_changeset_attached => cacert-devel master 14276ff9
2011-08-02 22:09 Uli60 Note Added: 0002256
2011-08-02 22:09 Uli60 Status needs review & testing => needs review
2011-08-02 22:20 egal Note Added: 0002260
2011-08-02 22:34 Uli60 Note Added: 0002264
2011-08-02 22:34 Uli60 Status needs review => ready to deploy
2011-08-02 22:34 Uli60 Note Edited: 0002264
2011-08-02 22:35 egal Reviewed by NEOatNHNG => dastrath, NEOatNHNG
2011-08-02 23:04 NEOatNHNG Note Added: 0002270
2011-08-03 10:18 wytze Note Added: 0002278
2011-08-03 10:18 wytze Status ready to deploy => solved?
2011-11-20 01:05 NEOatNHNG Source_changeset_attached => cacert-devel release ad68d81c
2012-12-21 05:17 Werner Dworak Note Added: 0003520
2012-12-21 05:17 Werner Dworak Status solved? => closed
2013-01-15 17:23 Werner Dworak Fixed in Version => 2011 Q3