View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 6
IDProjectCategoryView StatusDate SubmittedLast Update
15767Bug reportsUser / Groups / Rolespublic2020-01-24 11:392020-02-17 11:22
Reporterpstelling Assigned ToLimeBot  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Product Version4.0.0-RC4 
Target Version4.0.x 
Summary15767: Users (super admin user) could change pw using massive action
Description

In the "User Management panel" you have the possibility to change password of every user (including the user who is logged in) by massive action at once.

In the worse case this could mean, nobody could log in anymore when not getting an email.
Normally an email is always send to the users selected by massive action when using the functionality of changing passwords.

But what will happen, if those emails (with a randomized password) could not be send or not be read for some reason? Nobody could ever log in again and installation process has to be done again (loosing the actual data in the db).

Maybe it could be a good idea to exclude the user who is logged in and the super admin for this massive action?

Steps To Reproduce

BE CAREFUL (when reproducing it, you'll have to do the installation again)
Here i'm just reporting how it happend!

(1) Log in as super admin user (having a wrong/unknown email address saved)
(2) go to Manage Survey Administrator
(3) select all users in the Gridview and use the massive action "Resend login data"

A random password will be saved in database and the email with that new password will never arrive...

TagsNo tags attached.
Bug heat6
Complete LimeSurvey version number (& build)Version 4.0.0-RC14
I will donate to the project if issue is resolvedNo
Browser
Database type & versionmysql
Server OS (if known)
Webserver software & version (if known)
PHP Version7.2

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2020-02-07 18:32

developer   ~55812

But what will happen, if those emails (with a randomized password) could not be send or not be read for some reason? Nobody could ever log in again and installation process has to be done again (loosing the actual data in the db).

3 solutions

  1. Use CLI php application/commands/console.php resetpassword
  2. https://gitlab.com/SondagesPro/coreAndTools/ResetPasswordController
  3. DB updateUPDATE lime_users SET password = 0x35653838343839386461323830343731353164306535366638646336323932373733363033643064366161626264643632613131656637323164313534326438 WHERE uid =1;

See https://manual.limesurvey.org/General_FAQ#I_forgot_my_admin_password._How_do_I_reset_it.3F
LimeBot

LimeBot

2020-02-14 11:47

administrator   ~56012

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29561
lime_release_bot

lime_release_bot

2020-02-17 11:22

administrator   ~56052

Fixed in Release 4.1.5+200217

Related Changesets

LimeSurvey: master 8eedb507

2020-02-07 13:22:36

LimeBot

Details Diff 		Fixed issue 15767: Users (super admin user) could change pw using massive action Affected Issues
15767
mod - application/controllers/admin/UserManagement.php Diff File
mod - application/models/User.php Diff File

Issue History

Date Modified Username Field Change
2020-01-24 11:39 pstelling New Issue
2020-01-24 11:39 pstelling Status new => assigned
2020-01-24 11:39 pstelling Assigned To => cdorin
2020-02-07 13:25 LimeBot Assigned To cdorin => LimeBot
2020-02-07 13:25 LimeBot Status assigned => ready for testing
2020-02-07 18:32 DenisChenu Note Added: 55812
2020-02-14 11:47 LimeBot Changeset attached => LimeSurvey master 8eedb507
2020-02-14 11:47 LimeBot Note Added: 56012
2020-02-14 11:47 LimeBot Resolution open => fixed
2020-02-17 10:19 LimeBot Status ready for testing => resolved
2020-02-17 11:22 lime_release_bot Note Added: 56052
2020-02-17 11:22 lime_release_bot Status resolved => closed