View Issue Details

ID: 15767
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2020-02-17 11:22
Reporter: pstelling
Assigned To: eddylackmann
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 4.0.0-RC4
Target Version: 4.0.x
Summary: 15767: Users (super admin user) could change pw using massive action
Description

In the "User Management panel" you have the possibility to change the password of every user (including the user who is logged in) by massive action at once.

In the worst case this could mean nobody could log in anymore when not getting an email.
Normally an email is always sent to the users selected by massive action when using the functionality of changing passwords.

But what will happen if those emails (with a randomized password) could not be sent or not be read for some reason? Nobody could ever log in again and the installation process has to be done again (losing the actual data in the db).

Maybe it could be a good idea to exclude the user who is logged in and the super admin for this massive action?

Steps To Reproduce

BE CAREFUL (when reproducing it, you'll have to do the installation again)
Here I'm just reporting how it happened!

(1) Log in as super admin user (having a wrong/unknown email address saved)
(2) go to Manage Survey Administrator
(3) select all users in the Gridview and use the massive action "Resend login data"

A random password will be saved in database and the email with that new password will never arrive...

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 4.0.0-RC14
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: mysql
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.2
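
The exclusion suggested in the description, combined with a "deliver before overwrite" order, as an added example. It is not LimeSurvey code and not the committed fix; the function name, parameters, callbacks and sample uids are all hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration, not LimeSurvey code. All names here are hypothetical.
 *
 * @param int[]    $selectedUids   uids ticked in the user grid
 * @param int      $actorUid       uid of the logged-in user running the action
 * @param int[]    $superAdminUids uids holding super admin rights
 * @param callable $sendMail       function (int $uid, string $plain): bool
 * @param callable $storeHash      function (int $uid, string $hash): void
 * @return array<string, int[]>    uids grouped by outcome
 */
function massResetPasswords(array $selectedUids, int $actorUid, array $superAdminUids,
                            callable $sendMail, callable $storeHash): array
{
    $result = ['reset' => [], 'skipped_protected' => [], 'mail_failed' => []];

    foreach (array_unique(array_map('intval', $selectedUids)) as $uid) {
        // A bulk action must never lock out the acting account or a super admin.
        if ($uid === $actorUid || in_array($uid, $superAdminUids, true)) {
            $result['skipped_protected'][] = $uid;
            continue;
        }

        $plain = bin2hex(random_bytes(12));          // 24 hex chars from the CSPRNG
        $hash  = password_hash($plain, PASSWORD_DEFAULT);

        // Hand the mail off first; keep the old password if that fails.
        if (!$sendMail($uid, $plain)) {
            $result['mail_failed'][] = $uid;
            continue;
        }
        $storeHash($uid, $hash);
        $result['reset'][] = $uid;
    }
    return $result;
}

// Constructed sample: uid 1 is both the actor and the super admin,
// uid 3 has a mailbox the (fake) mailer cannot reach.
$stored  = [];
$outcome = massResetPasswords(
    [1, 2, 3], 1, [1],
    function (int $uid, string $plain): bool { return $uid !== 3; },
    function (int $uid, string $hash) use (&$stored): void { $stored[$uid] = $hash; }
);
print_r($outcome);
```

A successful hand-off to the mailer does not prove the message is read or that the address is correct, which is why the protected accounts are skipped outright rather than relying on the mail check.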

Activities

DenisChenu

2020-02-07 18:32

developer   ~55812

But what will happen if those emails (with a randomized password) could not be sent or not be read for some reason? Nobody could ever log in again and the installation process has to be done again (losing the actual data in the db).

3 solutions

  1. Use CLI: php application/commands/console.php resetpassword
  2. https://gitlab.com/SondagesPro/coreAndTools/ResetPasswordController
  3. DB update: UPDATE lime_users SET password = 0x35653838343839386461323830343731353164306535366638646336323932373733363033643064366161626264643632613131656637323164313534326438 WHERE uid = 1;

See https://manual.limesurvey.org/General_FAQ#I_forgot_my_admin_password._How_do_I_reset_it.3F

eddylackmann

2020-02-14 11:47

administrator   ~56012

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29561

lime_release_bot

2020-02-17 11:22

administrator   ~56052

Fixed in Release 4.1.5+200217

Related Changesets

LimeSurvey: master 8eedb507

2020-02-07 13:22:36

eddylackmann

Fixed issue 15767: Users (super admin user) could change pw using massive action
Affected Issues: 15767
mod - application/controllers/admin/UserManagement.php
mod - application/models/User.php

Issue History

Date Modified Username Field Change
2020-01-24 11:39 pstelling New Issue
2020-01-24 11:39 pstelling Status new => assigned
2020-01-24 11:39 pstelling Assigned To => cdorin
2020-02-07 13:25 eddylackmann Assigned To cdorin => eddylackmann
2020-02-07 13:25 eddylackmann Status assigned => testing
2020-02-07 18:32 DenisChenu Note Added: 55812
2020-02-14 11:47 eddylackmann Changeset attached => LimeSurvey master 8eedb507
2020-02-14 11:47 eddylackmann Note Added: 56012
2020-02-14 11:47 eddylackmann Resolution open => fixed
2020-02-17 10:19 eddylackmann Status testing => resolved
2020-02-17 11:22 lime_release_bot Note Added: 56052
2020-02-17 11:22 lime_release_bot Status resolved => closed