15767: Users (super admin user) could change pw using massive action

ID	Project	Category	View Status	Date Submitted	Last Update

15767	Bug reports	User / Groups / Roles	public	2020-01-24 11:39	2020-02-17 11:22

Reporter	pstelling	Assigned To	eddylackmann
Priority	none	Severity	minor
Status	closed	Resolution	fixed
Product Version	4.0.0-RC4
Target Version	4.0.x

Summary	15767: Users (super admin user) could change pw using massive action
Description	In the "User Management panel" you have the possibility to change password of every user (including the user who is logged in) by massive action at once. In the worse case this could mean, nobody could log in anymore when not getting an email. Normally an email is always send to the users selected by massive action when using the functionality of changing passwords. But what will happen, if those emails (with a randomized password) could not be send or not be read for some reason? Nobody could ever log in again and installation process has to be done again (loosing the actual data in the db). Maybe it could be a good idea to exclude the user who is logged in and the super admin for this massive action?
Steps To Reproduce	BE CAREFUL (when reproducing it, you'll have to do the installation again) Here i'm just reporting how it happend! (1) Log in as super admin user (having a wrong/unknown email address saved) (2) go to Manage Survey Administrator (3) select all users in the Gridview and use the massive action "Resend login data" A random password will be saved in database and the email with that new password will never arrive...
Tags	No tags attached.

Complete LimeSurvey version number (& build)	Version 4.0.0-RC14
I will donate to the project if issue is resolved	No
Browser
Database & DB-Version	mysql
Server OS (if known)
Webserver software & version (if known)
PHP Version	7.2

DenisChenu 2020-02-07 18:32 developer ~55812	But what will happen, if those emails (with a randomized password) could not be send or not be read for some reason? Nobody could ever log in again and installation process has to be done again (loosing the actual data in the db). 3 solutions Use CLI `php application/commands/console.php resetpassword` https://gitlab.com/SondagesPro/coreAndTools/ResetPasswordController DB update`UPDATE lime_users SET password = 0x35653838343839386461323830343731353164306535366638646336323932373733363033643064366161626264643632613131656637323164313534326438 WHERE uid =1;` See https://manual.limesurvey.org/General_FAQ#I_forgot_my_admin_password._How_do_I_reset_it.3F

eddylackmann 2020-02-14 11:47 administrator ~56012	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29561

lime_release_bot 2020-02-17 11:22 administrator ~56052	Fixed in Release 4.1.5+200217

LimeSurvey: master 8eedb507 2020-02-07 13:22:36 eddylackmann Details Diff	Fixed issue 15767: Users (super admin user) could change pw using massive action	Affected Issues 15767
	mod - application/controllers/admin/UserManagement.php	Diff File
	mod - application/models/User.php	Diff File

Date Modified	Username	Field	Change
2020-01-24 11:39	pstelling	New Issue
2020-01-24 11:39	pstelling	Status	new => assigned
2020-01-24 11:39	pstelling	Assigned To	=> cdorin
2020-02-07 13:25	eddylackmann	Assigned To	cdorin => eddylackmann
2020-02-07 13:25	eddylackmann	Status	assigned => testing
2020-02-07 18:32	DenisChenu	Note Added: 55812
2020-02-14 11:47	eddylackmann	Changeset attached	=> LimeSurvey master 8eedb507
2020-02-14 11:47	eddylackmann	Note Added: 56012
2020-02-14 11:47	eddylackmann	Resolution	open => fixed
2020-02-17 10:19	eddylackmann	Status	testing => resolved
2020-02-17 11:22	lime_release_bot	Note Added: 56052
2020-02-17 11:22	lime_release_bot	Status	resolved => closed

View Issue Details

Activities

Related Changesets

Issue History