Closed Bug 98818 Opened 23 years ago Closed 23 years ago

Should not require password to change Real Name

Product/Component: Bugzilla :: User Accounts
Type: defect
Priority: P1
Version: 2.13
Status: RESOLVED WONTFIX
Reporter: caillon
Assigned: caillon
Keywords: regression
Attachments: 1 file
Recently, you have been required to enter your password to change your real name in your user account. This did not occur in the past, and I don't know exactly when it occurred: sometime between 2.12 and 2.14 though. It does not make sense to ask for a password here but not for more critical tasks such as tweakparams or editgroups. Changing a realname leaves no damage in the database. If someone changes it, you can just change it back. Tweakparams and editgroups can leave damage though. I'm filing a separate bug about a param to require users to enter a password before tweaking params or editing groups.
Filed bug 98819 for the global param for requiring passwords on editing global aspects of bugzilla. Also setting regression keyword.
Keywords: regression
justdave said:
<justdave> re: password to change names, that may be caused by the patch to prevent it from making you authenticate twice when you change your password.
<justdave> when you change your password, it makes you enter the old password and your new password twice on the form...
<justdave> after doing that, if you have cookies off, it makes you authenticate again.
<justdave> the catch is, you have to authenticate with your OLD password, not the new one
<justdave> once you do that, it resets your password, and then you have to authenticate AGAIN because your cookie is no longer valid because the password doesn't match
<justdave> that was solved by renaming the old password field to Bugzilla_password and embedding your login name as Bugzilla_login in a hidden element on the page.
<justdave> this then makes the cgi think you just logged in when you submit the form and it doesn't make you authenticate again.
<justdave> unfortunately, since the name change is on the same form, if all you want to do is change your name, if you leave the old password blank, it thinks you just tried to log in without a password
<justdave> and it'll tell you you had an invalid login, and press back to try again.
<justdave> I think the solution here will be to put the password change on a pane all by itself
<justdave> move the name change to a different panel.
<justdave> (probably the same one that lets you change your email address, which we're adding in the near future)
<justdave> the same trick could be used on the params and groups pages to force you to log in...
<justdave> put a hidden Bugzilla_login in the form, and make a password field with Bugzilla_password
<justdave> just answer no to all the optional stuff
<justdave> I'm about to hit the sack here... and I don't have an easy way to copy the above from XWindows to Aqua to get it to my browser.
<justdave> would someone mind pasting the above into the bug caillon just posted?
<justdave> (about the password to change your name)
Just for reference, this was caused by the fix to bug 45918, checked in on Jun 19 15:02. Changing the version to 2.13 to reflect when this problem first occurred.
Version: 2.15 → 2.13
Can't it just interpret a blank password as no change?
No, because it's not trying to change the password at that point, it's trying to log you in. We'd have to change confirm_login() to accept a blank password as valid, and that's not a good idea. :)
Actually, we should be able to fix this by calling quietly_check_login() at the top of the confirm_login() sub, rather than in the middle of it. Then, if we have a valid login already, we'll just return true. If not, we'll start running through the part where it checks if the bugzilla_login/password fields are present.
Hmmm.... is there any reason that confirm_login doesn't call quietly_check_login first before looking for form values? It calls quietly_check_login to get the cookie if form fields aren't present. Maybe we should just fix confirm_login. Although I suppose this would screw up people who have more than one account and use bookmarks to switch between them without logging off first...
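The two orderings discussed in the comments above, as an added example that is not Bugzilla's own code: it is a simplified model in which only the names confirm_login, quietly_check_login, Bugzilla_login and Bugzilla_password come from this thread. The helper check_form_credentials, the accounts and the cookie value are constructed for illustration.

```perl
# Simplified model, not Bugzilla source. Accounts and cookie are constructed.
use strict;
use warnings;

my %PASSWORDS = ('user@example.com'  => 'old-secret',
                 'other@example.com' => 'other-secret');
my %SESSIONS  = ('cookie-123' => 'user@example.com');

# Return the login name tied to a valid session cookie, or undef.
sub quietly_check_login {
    my ($req) = @_;
    my $cookie = $req->{cookie};
    return defined $cookie ? $SESSIONS{$cookie} : undef;
}

# Hypothetical helper: validate submitted credentials; blank never passes.
sub check_form_credentials {
    my ($form) = @_;
    my ($login, $pass) = @{$form}{qw(Bugzilla_login Bugzilla_password)};
    return undef unless defined $login && defined $pass && $pass ne '';
    my $stored = $PASSWORDS{$login};
    return defined $stored && $stored eq $pass ? $login : undef;
}

# Ordering described in the thread: form fields are looked at first, so a
# hidden Bugzilla_login with an empty password reads as a failed login.
sub confirm_login_form_first {
    my ($req) = @_;
    return check_form_credentials($req->{form})
        if exists $req->{form}{Bugzilla_login};
    return quietly_check_login($req);
}

# Proposed ordering: an already valid session returns before the form is read.
sub confirm_login_cookie_first {
    my ($req) = @_;
    my $user = quietly_check_login($req);
    return $user if defined $user;
    return check_form_credentials($req->{form});
}

my $blank = { Bugzilla_login => 'user@example.com', Bugzilla_password => '' };
my $other = { Bugzilla_login => 'other@example.com',
              Bugzilla_password => 'other-secret' };
my @cases = (['name change, blank password', { cookie => 'cookie-123', form => $blank }],
             ['same form, cookies off',      { form => $blank }],
             ['second account in form',      { cookie => 'cookie-123', form => $other }]);
for my $c (@cases) {
    printf "%-28s form-first=%s cookie-first=%s\n", $c->[0],
        confirm_login_form_first($c->[1])   // 'REJECTED',
        confirm_login_cookie_first($c->[1]) // 'REJECTED';
}
```

The third case is the multi-account side effect raised in the comment above: with the cookie-first ordering the submitted Bugzilla_login is ignored while a session is valid. A blank password is rejected by the credential check under both orderings.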
> Although I suppose this would screw up people who
> have more than one account and use bookmarks to
> switch between them without logging off first...

How many people actually do this? I have two accounts but I use different profiles to go between them. Yes, at the moment it is a pain to switch between them. But have a look at bug 97622....
I think separation makes sense in any case. We're going to want to add email address to real name.
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.16
We are currently trying to wrap up Bugzilla 2.16. We are now close enough to release time that anything that wasn't already ranked at P1 isn't going to make the cut. Thus this is being retargetted at 2.18. If you strongly disagree with this retargetting, please comment, however, be aware that we only have about 2 weeks left to review and test anything at this point, and we intend to devote this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
Regression. Dave OK'd moving this back to 2.16. The solution will be to move the Real Name stuff to wherever the "Change Email Account" stuff is (bug 23067). Adding dependency and re-assigning to dave since he is working on 23067 - both of these most likely should get done at the same time.
Assignee: myk → justdave
Depends on: 23067
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Adding nsbeta1 keyword to all regressions so they *get some love* and attention.
Keywords: nsbeta1
Bugzilla bugs are by definition not nsbeta1 :-)
Keywords: nsbeta1
doh! i may have been overzealous in my desire to capture all regressions. :-)
This is fixed in the userprefs.cgi templatisation patch over in bug 117060. Gerv
Depends on: 117060
No longer depends on: 23067
Whiteboard: [blocker will fix]
Bug 117060 is in. Was decided not to make this fix part of that bug. After re-reviewing the circumstances, I think the best option is probably to move the name (and probably email) to its own tab. That would probably satisfy bug 128158 as well.
Whiteboard: [blocker will fix]
If we're not going to fix this for 2.16 (which seems likely, given comments), can we at least change it so that you don't need to change your pw to change your real name? ie change:

    if ($::FORM{'Bugzilla_password'} ne "" ||
        $::FORM{'new_password1'} ne "" ||
        $::FORM{'new_password2'} ne "")

to:

    if ($::FORM{'Bugzilla_password'} ne "" &&
        ($::FORM{'new_password1'} ne "" || $::FORM{'new_password2'} ne ""))

This will then silently fail if someone wants to change their password to the empty string, though.
If Bugzilla_password exists, confirm_login() will cut you off before you ever make it to that code.
Oops - forgot that. No patch, -> 2.18
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
Bah, if it needs a patch to be considered, then since nobody is stepping up, I will. This regression sucks. There's no way we should ship without it IMO. ->Back to 2.16
Assignee: justdave → caillon
Priority: P3 → P1
Status: NEW → ASSIGNED
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Please wait until after bug 23067 is checked in before you touch this. Personally I like the way it looks with the patch on bug 23067 applied. I'm tempted to WONTFIX this with that in mind (but if people really care that much maybe we can do something about it anyway). Check out the screenshot I just attached.
I'm happy to wontfix this - the new interface is clear, really. If we want to discuss whether changing the real name should require the passwd at all, then I don't think that that is a 2.16 bug, unless someone has a patch.
3's a quorum. Gerv
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
removing target on DUPL/WONTFIX (so they'll show up as untriaged if reopened)
Target Milestone: Bugzilla 2.16 → ---
QA Contact: matty_is_a_geek → default-qa
_reopen suggestion_ I am not able to change my Real Name since I created this account via Persona and I don't have any bugzilla password.
(In reply to Peter Hozak from comment #25)
> _reopen suggestion_
>
> I am not able to change my Real Name since I created this account via
> Persona and I don't have any bugzilla password.

huh.. looks like it did change my Real Name, even if it complained that old password does not match.. nevermind