Closed Bug 98818 Opened 23 years ago Closed 22 years ago

Should not require password to change Real Name

Product/Component: Bugzilla :: User Accounts (defect, P1)
Version: 2.13
Status: RESOLVED WONTFIX
Reporter: caillon, Assigned: caillon
Keywords: regression
Attachments: 1 file

Recently, you have been required to enter your password to change your real name
in your user account.

This did not occur in the past, and I don't know exactly when it occurred:
sometime between 2.12 and 2.14 though.

It does not make sense to ask for a password here but not for more critical
tasks such as tweakparams or editgroups.  Changing a realname leaves no damage
in the database. If someone changes it, you can just change it back. 
Tweakparams and editgroups can leave damage though.  I'm filing a separate bug
about a param to require users to enter a password before tweaking params or
editing groups.
Filed bug 98819 for the global param for requiring passwords on editing global
aspects of bugzilla.

Also setting regression keyword.
Keywords: regression
justdave said:

<justdave> re: password to change names, that may be caused by the patch to
prevent it from making you authenticate twice when you change your password.
<justdave> when you change your password, it makes you enter the old password and
your new password twice on the form...
<justdave> after doing that, if you have cookies off, it makes you authenticate
again.
<justdave> the catch is, you have to authenticate with your OLD password, not
the new one
<justdave> once you do that, it resets your password, and then you have to
authenticate AGAIN because your cookie is no longer valid because the password
doesn't match
<justdave> that was solved by renaming the old password field to
Bugzilla_password and embedding your login name as Bugzilla_login in a hidden
element on the page.
<justdave> this then makes the cgi think you just logged in when you submit the
form and it doesn't make you authenticate again.
<justdave> unfortunately, since the name change is on the same form, if all you
want to do is change your name, if you leave the old password blank, it thinks
you just tried to log in without a password
<justdave> and it'll tell you you had an invalid login, and press back to try again.
<justdave> I think the solution here will be to put the password change on a
pane all by itself
<justdave> move the name change to a different panel.
<justdave> (probably the same one that lets you change your email address, which
we're adding in the near future)
<justdave> the same trick could be used on the params and groups pages to force
you to log in...
<justdave> put a hidden Bugzilla_login in the form, and make a password field
with Bugzilla_password
<justdave> just answer no to all the optional stuff
<justdave> I'm about to hit the sack here... and I don't have an easy way to
copy the above from XWindows to Aqua to get it to my browser.
<justdave> would someone mind pasting the above into the bug caillon just posted?
<justdave> (about the password to change your name)
Just for reference, this was caused by the fix to bug 45918, checked in on Jun
19 15:02.  Changing the version to 2.13 to reflect when this problem first occurred.
Version: 2.15 → 2.13
Can't it just interpret a blank password as no change?
No, because it's not trying to change the password at that point, it's trying to
log you in.  We'd have to change confirm_login() to accept a blank password as
valid, and that's not a good idea. :)
Actually, we should be able to fix this by calling quietly_check_login() at the
top of the confirm_login() sub, rather than in the middle of it.  Then, if we
have a valid login already, we'll just return true.  If not, we'll start running
through the part where it checks if the bugzilla_login/password fields are present.
Hmmm....  is there any reason that confirm_login doesn't call
quietly_check_login first before looking for form values?  It calls
quietly_check_login to get the cookie if form fields aren't present.  Maybe we
should just fix confirm_login.  Although I suppose this would screw up people
who have more than one account and use bookmarks to switch between them without
logging off first...
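
The ordering question raised in the comments above, as an added example that is not part of the bug thread or Bugzilla's source: a simplified Perl model comparing "form fields first" with "cookie first". Only the sub names `confirm_login` and `quietly_check_login` and the field names `Bugzilla_login` and `Bugzilla_password` come from the thread; the accounts, the cookie value and the `check_form_login` helper are constructed for illustration.

```perl
# Simplified model of the login ordering discussed in this bug.
# Added example, not Bugzilla source; all data below is constructed.
use strict;
use warnings;

# Constructed sample data: two accounts and one valid login cookie.
my %PASSWORD = ('alice@example.com' => 'old-secret', 'bob@example.com' => 'bobpw');
my %COOKIE   = ('cookie-123' => 'alice@example.com');

# Cookie check only: returns the login name or undef, never prompts.
sub quietly_check_login {
    my ($req) = @_;
    return defined $req->{cookie} ? $COOKIE{ $req->{cookie} } : undef;
}

# Form check (hypothetical helper): a blank or wrong password is a failed login.
sub check_form_login {
    my ($form) = @_;
    my ($login, $pw) = @{$form}{qw(Bugzilla_login Bugzilla_password)};
    return undef unless defined $pw && $pw ne '';
    return (($PASSWORD{$login} // '') eq $pw) ? $login : undef;
}

# Ordering described by justdave: submitted login fields win over the cookie.
sub confirm_login_form_first {
    my ($req) = @_;
    return check_form_login($req->{form}) // 'INVALID LOGIN'
        if exists $req->{form}{Bugzilla_login};
    return quietly_check_login($req) // 'LOGIN PAGE';
}

# Ordering proposed in the comments: a valid cookie is accepted before the form.
sub confirm_login_cookie_first {
    my ($req) = @_;
    return quietly_check_login($req) // confirm_login_form_first($req);
}

# Constructed requests: label, cookie, Bugzilla_login, Bugzilla_password.
my @cases = (
    ['name change, blank old password', 'cookie-123', 'alice@example.com', ''],
    ['password change, cookies off',    undef,        'alice@example.com', 'old-secret'],
    ['account switch while logged in',  'cookie-123', 'bob@example.com',   'bobpw'],
);
for my $c (@cases) {
    my ($label, $cookie, $login, $pw) = @$c;
    my $req = { cookie => $cookie, form => { Bugzilla_login => $login, Bugzilla_password => $pw } };
    printf "%-32s form-first=%-18s cookie-first=%s\n", $label,
        confirm_login_form_first($req), confirm_login_cookie_first($req);
}
```

In this model the blank-password name change fails only under the form-first ordering, while the account switch in the last case is silently ignored under cookie-first. Cookie-first also never checks a submitted password while a cookie is valid, so the hidden-login form could not serve as a re-authentication prompt for the params and groups pages.
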
> Although I suppose this would screw up people who 
> have more than one account and use bookmarks to 
> switch between them without logging off first...

How many people actually do this?  I have two accounts but I use different
profiles to go between them.  Yes, at the moment it is a pain to switch between
them.  But have a look at bug 97622....
I think separation makes sense in any case.  We're going to want to add email
address to real name.
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.16
We are currently trying to wrap up Bugzilla 2.16.  We are now close enough to
release time that anything that wasn't already ranked at P1 isn't going to make
the cut.  Thus this is being retargetted at 2.18.  If you strongly disagree with
this retargetting, please comment, however, be aware that we only have about 2
weeks left to review and test anything at this point, and we intend to devote
this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
Regression.  Dave OK'd moving this back to 2.16.

The solution will be to move the Real Name stuff to wherever the "Change Email
Account" stuff is (bug 23067).  Adding dependency and re-assigning to dave since
he is working on 23067 - both of these most likely should get done at the same time.
Assignee: myk → justdave
Depends on: 23067
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Adding nsbeta1 keyword to all regressions so they *get some love* and attention.
Keywords: nsbeta1
Bugzilla bugs are by definition not nsbeta1 :-)
Keywords: nsbeta1
doh! i may have been overzealous in my desire to capture all regressions. :-)
This is fixed in the userprefs.cgi templatisation patch over in bug 117060.

Gerv
Depends on: 117060
No longer depends on: 23067
Whiteboard: [blocker will fix]
Bug 117060 is in.  Was decided not to make this fix part of that bug.

After re-reviewing the circumstances, I think the best option is probably to
move the name (and probably email) to its own tab.  That would probably satisfy
bug 128158 as well.
Whiteboard: [blocker will fix]
If we're not going to fix this for 2.16 (which seems likely, given comments),
can we at least change it so that you don't need to change your pw to change
your real name?

ie change:

    if ($::FORM{'Bugzilla_password'} ne "" || 
        $::FORM{'new_password1'} ne "" || 
        $::FORM{'new_password2'} ne "") 
to:

    if ($::FORM{'Bugzilla_password'} ne "" && 
        ($::FORM{'new_password1'} ne "" || 
         $::FORM{'new_password2'} ne "")) 

This will then silently fail if someone wants to change their password to the
empty string, though.
If Bugzilla_password exists, confirm_login() will cut you off before you ever
make it to that code.
Oops - forgot that.

No patch, -> 2.18
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
Bah, if it needs a patch to be considered, then since nobody is stepping up, I
will.  This regression sucks.  There's no way we should ship without it IMO.

->Back to 2.16
Assignee: justdave → caillon
Priority: P3 → P1
Status: NEW → ASSIGNED
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Please wait until after bug 23067 is checked in before you touch this. 
Personally I like the way it looks with the patch on bug 23067 applied.  I'm
tempted to WONTFIX this with that in mind (but if people really care that much
maybe we can do something about it anyway).  Check out the screenshot I just
attached.
I'm happy to wontfix this - the new interface is clear, really.

If we want to discuss whether changing the real name should require the passwd
at all, then I don't think that that is a 2.16 bug, unless someone has a patch.
3's a quorum.

Gerv
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
removing target on DUPL/WONTFIX (so they'll show up as untriaged if reopened)
Target Milestone: Bugzilla 2.16 → ---
QA Contact: matty_is_a_geek → default-qa
_reopen suggestion_

I am not able to change my Real Name since I created this account via Persona and I don't have any bugzilla password.
(In reply to Peter Hozak from comment #25)
> _reopen suggestion_
> 
> I am not able to change my Real Name since I created this account via
> Persona and I don't have any bugzilla password.

huh.. looks like it did change my Real Name, even if it complained that old password does not match.. never mind