Forum OpenACS Q&A: User cannot change password

Collapse
Posted by Peter Alberer on

I found that a user cannot change her password cause she has no admin rights on herself (would have "write" perm).

permission::require_permission -party_id $user_id -object_id $user_id -privilege "admin" returns "f" for the user.

Is this correct ?

In addition to that i do not quite understand why the required permission can be "write" / "admin" depending on the existence of the user_id. This has probably something to do with the distinction between password change carried out by a user or an admin for a user ?

Collapse
Posted by Don Baccus on
This is a bug, one I've not seen reported before.  I should think "write" perms should be sufficient but haven't looked at the code.  If you want to explore more deeply and report back, that would be nice.  A bug report and patch, perhaps?

If you've got the time and inclination, that is ...

Collapse
Posted by Peter Alberer on

I looked into the problem a little bit and found out that the current distinction between rights is needed for the admin-changes-user-password functionality.
But it seems as if this functionality has not fully been implemented (especially in the adp part). The whole page logic (for a few pages) does not seem to fit the scenario that one user changes another users password.

I have corrected the situation as far as i could. Now the user can change her password and the admin can change it for her as well. But there are some pages that have to be changed

  • password-update.tcl
  • password-update.adp
  • password-update-2.tcl

I will try to create a patch and upload it to the bug report i filed. (https://openacs.org/sdm/one-baf.tcl?baf_id=1491)

Collapse
Posted by Peter Alberer on
Very funny, looking at the checkout i did during dotlrn installation i found the problem halfway corrected. In the oacs-4-5 tagged checkout there is a complete different solution using ad_require_permission instead of permission::require_permission.
Collapse
Posted by Don Baccus on
This is probably because someone submitted a patch to fix this for 4.5, and the dotLRN folks ran into it and fixed it in old sources.

Do you have time to help straighten out which approach is better?

Collapse
Posted by Yonatan Feldman on
hi don and peter,

i have been the one patching this code, sorry i wasn't aware of this thread
otherwise i would have posted earlier.

the code probably needs a little clean up, i have done some, but nothing
significant.

peter, if you want, lets sync up and figure out what else needs to be done to
make the change password code clean and solid.

Collapse
Posted by Peter Alberer on
I have been looking at both versions and think that there is not much difference as far as functionality is concerned. Yon´s version looks a little bit cleaner to me. (it does not try to accept the old_password as a parameter, which seems unneccessary to me and makes things more complicated)
Collapse
Posted by Andrei Popov on
Any place these changes could bepicked up from?  They sure don't seem to be in nightlies...
Collapse
Posted by Yonatan Feldman on
i fixed yet another bug that was not letting a user change their own
password in certain situations last night. it shoul dbe in the next nightly build
or you can check out from the HEAD.