Description
When logged in as an ordinary user, it is possible to change another account's password! (UserPreferences)
Steps to reproduce
- Create a user named "mike"
- Create another user named "eric"
- Log in as user "eric"
- Go to page "UserPreferences"
- Select user "mike" and type any password in fields "Password" and "Password repeat"
- Press "Save" and now the password of user "mike" is changed!!
- Note: logging in as user "mike" now works, while logging in as user "eric" fails.
Example
Component selection
Details
MoinMoin Version | 1.6.1, 1.6.2 (1.7dev as well)
OS and Version | Linux (Windows)
Python Version | 2.5.2
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) | English
Workaround
The problem should be in userform.py, lines 224-226.
Discussion
Sounds like a DesktopEdition setup not used as a PIM, or am I wrong?
I do refer to your description of Select User. DesktopEdition is only for your personal use. It has relaxed security settings for that reason. If you like to use it with more users you have to configure wikiconfig.py differently. -- ReimarBauer 2008-04-17 07:07:13
Your bug description needs more details:
- Who is superuser, who is not?
- Do you have DesktopEdition = True in your wiki config?
- What buttons do you click exactly?
- What exactly does "fail" mean?
I could not reproduce the problem on a current 1.6.
-- ThomasWaldmann 2008-04-17 07:12:06
I have reproduced this problem on 1.6.1 and 1.6.2 for Standalone mode (ActivePython 2.5.1 on Windows XP, and Python 2.5.2 on Ubuntu 8.04) and CGI mode on Apache 2 (Python 2.5.2 on Ubuntu 8.04).
In the wikiconfig.py, no user is superuser; moreover, DesktopEdition is set to False.
However, the correct procedure should be: (moin 1.6.2, ActivePython 2.5.2, DesktopEdition=False)
- Create a user named eric with pw1 (earlier created user; pw# is the abbreviation of your password)
- Create a user named milk with pw2 (later created user)
- Log in as milk (IMPORTANT: please use the LATER created user)
- Go to Preference page
- Type eric in the Name field, and type pw3 in the Password and Password repeat fields. After that, press Enter or click the Save button to submit the changes. Then moin responds "User preferences saved!" (in moin 1.6) instead of "This user name already belongs to somebody else." (in moin 1.5).
After I have done this, I cannot log in as milk any more with pw2 or pw3.
However, at this time, the password of eric is pw3.
I've traced userform.py; in line 225, theuser.name and self.request.user.name have the same value, eric for example. However, in moin 1.5, theuser.name is eric and self.request.user.name is milk.
-- JZ 2025-01-29 19:47:09
Note: a 2nd userprofile with different numerical userid, but same name (eric) is created. The original username (milk) is gone.
Note: http://hg.moinmo.in/moin/1.6/rev/6be19b7e611b - as theuser == request.user after that change, the code checking the username change becomes pointless.
Please test the userform patch for current 1.6.
- create and save uses request.user - this is always the currently active user (same user as we use for displaying the profile data in the userprefs form)
- if the superuser uses "su otheruser", request.user will be "otheruser" (so we modify the right user object with the form data)
- it first checks name and email for uniqueness/validity and only if OK assigns the form values to the user object
- new: the create form calls moin_session so the user does not have to do the login manually after creating his profile
-- ThomasWaldmann 2008-04-19 23:55:31
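The following is an added illustrative model of the flaw and of the ordering the patch notes above describe (check name uniqueness first, assign form values only if OK); it is not MoinMoin's own code, and the class and function names, the in-memory user store and the sample profiles are all constructed for this example.

```python
# Constructed model of the UserPreferences save path; not MoinMoin code.
# Each profile has a numeric id and a name; names are meant to be unique.
class User:
    def __init__(self, uid, name, password):
        self.id, self.name, self.password = uid, name, password

class UserStore:
    def __init__(self):
        self.users = {}  # constructed store: numeric id -> User

    def add(self, uid, name, password):
        self.users[uid] = User(uid, name, password)

    def id_for_name(self, name):
        # id of the profile that already owns `name`, or None if free
        for u in self.users.values():
            if u.name == name:
                return u.id
        return None

def save_prefs_buggy(store, request_user, form):
    """Models the 1.6.1/1.6.2 flow: form values are copied onto the user
    object before the name check, and theuser is request.user itself, so the
    comparison below always holds and a name change is never rejected."""
    theuser = request_user                  # same object, as noted for rev 6be19b7e611b
    theuser.name = form["name"]             # form data assigned before the check
    theuser.password = form["password"]
    if theuser.name != request_user.name:   # compares a value with itself
        return "This user name already belongs to somebody else."
    return "User preferences saved!"        # a second profile named like someone else's

def save_prefs_fixed(store, request_user, form):
    """Models the patched ordering: the requested name is checked for
    uniqueness against all other profiles first; only then is anything
    assigned to the currently active user object."""
    new_name = form["name"]
    owner = store.id_for_name(new_name)
    if owner is not None and owner != request_user.id:
        return "This user name already belongs to somebody else."
    request_user.name = new_name
    request_user.password = form["password"]
    return "User preferences saved!"
```

With eric (id 1) and milk (id 2) in the store and milk logged in, the buggy path accepts a form naming "eric", leaving two profiles called eric, while the fixed path rejects it and leaves milk's profile untouched.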
Plan
- Priority: high
- Assigned to: ThomasWaldmann
- Status:
I've fixed the 1.7 bug (http://hg.moinmo.in/moin/1.7/rev/3fc77153629a) but the 1.6 version is harder because that code is multi-purpose. -- JohannesBerg 2008-04-19 09:17:33
Fixed in 1.6 by http://hg.moinmo.in/moin/1.6/rev/f405012e67af (and afterwards released as 1.6.3).