Closed
Bug 1035375
Opened 11 years ago
Closed 10 years ago
Accounts with no password can't reset their password
Categories
(addons.mozilla.org Graveyard :: Code Quality, defect, P3)
addons.mozilla.org Graveyard
Code Quality
Tracking
(Not tracked)
RESOLVED
FIXED
2015-01
People
(Reporter: clouserw, Assigned: davidbgk)
References
Details
(Whiteboard: [qa-])
Back when our db was shared with the Marketplace, people would log in with Persona so the row in our users table would be made with a blank password.
If people then try to log in to AMO there is no password so it fails. If they try to reset the password, the password reset email isn't sent because the password is invalid and django thinks it can't reset it.
I've fixed this for individuals by just setting a password for them and then asking them to re-request the password reset email. We should set passwords for any users with blank passwords so they are able to reset their own passwords.
mysql> select count(*) from users where password="";
+----------+
| count(*) |
+----------+
| 156824 |
+----------+
1 row in set (2.38 sec)
|
Assignee | |
Comment 1•11 years ago
|
||
Is it an option to delete these accounts instead? It will solve the current login issue by creating a new account if necessary. If accounts were only in use for mkt, there should not be any data linked to these account in amo. Thoughts?
Assignee: nobody → david
|
Reporter | |
Comment 2•11 years ago
|
||
That would be fine as long as the accounts don't have anything associated with them (add-ons, reviews, collections, etc.). In theory, they shouldn't, but we should verify.
|
|
Assignee | |
Comment 3•11 years ago
|
||
It has to be done once the data from mkt is removed, otherwise it'll be harder to verify if some data is associated with these users.
|
|
Reporter | |
Updated•11 years ago
|
Target Milestone: 2014-08 → 2014-09
|
||
Comment 5•11 years ago
|
||
I'm coming from bug 1035232 with the account mozilla-extensions@kewis.ch. I don't know if my password is empty for some reason, but I'm not getting any reset emails. My password used to be non-empty at least. I'd appreciate if you could do something to my account so I can access it again.
|
|
Assignee | |
Comment 6•11 years ago
|
||
Philipp: your account do have a password set so you're probably not affected by that bug. Can you try again the password reset email? If that is still failing, let's resolve that on IRC.
Could you please check if the password of my account (AMO username: convert2mp3_net) is empty?
There should be a password because the login worked fine before the 8 characters validation have been introduced, but I am also not getting any reset emails.
A new account from the same domain is getting the reset mail.
|
|
Reporter | |
Comment 8•11 years ago
|
||
You both have passwords. If you can get on IRC I can help debug. #amo on irc.mozilla.org.
|
|
Reporter | |
Comment 9•11 years ago
|
||
Philipp has access now. His account was on the suppression list in socketlabs so it wasn't delivering to him (too many failures to his address). For the record, unrelated to comment 0, but happy to have it fixed. :)
|
|
Reporter | |
Updated•11 years ago
|
Target Milestone: 2014-09 → 2014-10
|
||
Comment 10•11 years ago
|
||
I think I may be affected by this bug. I can't log into AMO or reset my password using francois@mozilla.com
|
|
||
Comment 11•11 years ago
|
||
Thanks to Wil, I now have access to my AMO account.
|
|
Assignee | |
Comment 12•11 years ago
|
||
I'm concerned that the last_login for these users is anterior to 2014-04-02 BUT when I check the last_login_attempt I can see that there are a lot of attempts from these users (about 5/10 per day these last days for instance). Query against prod:
mysql> select id,username,last_login,last_login_attempt from users where password="" order by last_login_attempt desc limit 100;
It looks more critical than it previously seemed to me given that we're annoying many active users. Do you confirm Wil?
Flags: needinfo?(clouserw)
|
|
Reporter | |
Comment 13•11 years ago
|
||
(In reply to David Larlet [:davidbgk] from comment #12)
> I'm concerned that the last_login for these users is anterior to 2014-04-02
> BUT when I check the last_login_attempt I can see that there are a lot of
> attempts from these users (about 5/10 per day these last days for instance).
> Query against prod:
>
> mysql> select id,username,last_login,last_login_attempt from users where
> password="" order by last_login_attempt desc limit 100;
>
> It looks more critical than it previously seemed to me given that we're
> annoying many active users. Do you confirm Wil?
I think the solution in comment 1 is still the right one. We could also just set a password for anyone with a blank password and then they'd be able to reset it themselves.
A p2 would be fine, but either change is pretty quick.
Flags: needinfo?(clouserw)
|
|
Assignee | |
Comment 14•11 years ago
|
||
I'm afraid about deleting users with related data:
mysql> select count(*) from addons_users where user_id in (select id from users where password="");
+----------+
| count(*) |
+----------+
| 4203 |
+----------+
1 row in set (1.17 sec)
mysql> select count(*) from personas where author in (select username from users where password="");
+----------+
| count(*) |
+----------+
| 567 |
+----------+
1 row in set (3.86 sec)
I'll go for a random password for all these users.
|
|
Reporter | |
Comment 15•11 years ago
|
||
works for me. Thanks - this will solve a lot of one-off bugs and frustration from users.
|
|
Assignee | |
Comment 16•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Updated•10 years ago
|
Whiteboard: [qa-]
Target Milestone: 2014-10 → 2015-01
|
||
Updated•9 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•