portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@hisitech.com>
Subject Re: UpdateAccount Save Password Bug Fix
Date Sun, 29 Apr 2001 12:03:21 GMT
Turpin, Jay wrote:

> This is a resend. Seems like the mailing list was down for a while yesterday
> and I'm not sure if this was received properly.
> 
> I believe I have fixed a bug in the Edit Account/UpdateAccount code.
> 
> Scenario: 
> * Log into Jetspeed using Turbine/Turbine.
> * Navigate to Edit Account page. 
> * Change password and press Update Account. 
> * Look in the database (using your favorite db browser) and verify that
> password changed.
> * Log out of Jetspeed
> * Log in using new password - it will fail
> * Look in database again, password is the original one again.
> 
> The problem seems to be this:
> * UpdateAccount saves the changes to the database, the TurbineUser object
> and a permanent storage HashTable in the TurbineUser Object. 
> * However, the password is only saved to the database and the HashTable, not
> the TurbineUser object
> * When the user logs out, an object somewhere (not sure where) takes the data
> from the TurbineUser object and saves it to the database again, overwriting
> the new password with the old one.
> 
> The fix:
> Make the following change to the
> jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actionsUpdateAccount.java
> file (around line 208):
> 
> 	// update currently logged in information that might have changed
> 	data.getUser().setPerm(TurbineUserPeer.FIRST_NAME, firstname);
> 	data.getUser().setPerm(TurbineUserPeer.LAST_NAME, lastname);
> 	data.getUser().setPerm(TurbineUserPeer.EMAIL, email);
> 	// Old code - doesn't save password after logout
> 	// if ( changepass ) 
> 	//	data.getUser().setPerm(TurbineUserPeer.PASSWORD, password);
> 
> 	if ( changepass ) {
> 		data.getUser().setPerm(TurbineUserPeer.PASSWORD, password);
> 		// Save to TurbineUser object as well
> 		data.getUser().setPassword(password);
> 	}
> 
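Review bot: in the new `if ( changepass )` block the same `password` value now has to be written twice, once with `setPerm(TurbineUserPeer.PASSWORD, password)` and once with `setPassword(password)`, and nothing ties the two calls together, so any other code path that changes a password can repeat the original omission and have the logout write-back restore the old value. Consider moving both updates into one helper that every password change goes through, extend the "Save to TurbineUser object as well" comment to say that the object is written back to the database on logout, and delete the commented-out old block instead of leaving it in the file.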
> Regards,
> Jay Turpin
> Intel Corporation
> 

Committed in CVS. For other patches, it is much better if you can send 
unix differences (cvs diff -u) as an attachment.

It is faster to evaluate and also faster to apply.

If I understand correctly, the reason was that the "instantiated" object 
had the old value, and overwrote the new one upon logout or session 
expiration. Difficult to track :) A nice job finding this one.
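
The overwrite described in this thread, as an added example that is not part of the original messages or of the Jetspeed/Turbine code base. It is a constructed Java model in which `SessionUser`, `db`, `updateBuggy` and `updateFixed` are hypothetical names standing in for the session user object, the database and the UpdateAccount action.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model of the lost update described in the thread; these are
// hypothetical classes, not Turbine or Jetspeed code.
public class StaleWriteBackDemo {
    // Stands in for the user table, keyed by login name.
    static final Map<String, String> db = new HashMap<>();

    // Stands in for the session-scoped user object: a typed field plus a
    // separate "permanent storage" table, as the thread describes.
    static class SessionUser {
        final String login;
        String password;                                  // in-memory copy
        final Map<String, String> perm = new HashMap<>();
        SessionUser(String login) {
            this.login = login;
            this.password = db.get(login);                // loaded at login
        }
        // On logout the in-memory field is flushed back to the store.
        void logout() { db.put(login, password); }
    }

    // Before the fix: store and perm table updated, field left stale.
    static void updateBuggy(SessionUser u, String newPw) {
        db.put(u.login, newPw);
        u.perm.put("PASSWORD", newPw);
    }

    // After the fix: the in-memory field is updated as well.
    static void updateFixed(SessionUser u, String newPw) {
        updateBuggy(u, newPw);
        u.password = newPw;
    }

    // Returns the stored password after a change followed by a logout.
    static String changeThenLogout(boolean fixed) {
        db.put("turbine", "old-secret");                  // constructed sample
        SessionUser u = new SessionUser("turbine");
        if (fixed) updateFixed(u, "new-secret"); else updateBuggy(u, "new-secret");
        u.logout();
        return db.get("turbine");
    }

    public static void main(String[] args) {
        System.out.println("buggy: " + changeThenLogout(false));
        System.out.println("fixed: " + changeThenLogout(true));
    }
}
```

In the buggy path the store holds the new password until `logout()` runs, which matches the scenario in the report: the change looks successful in the database and is silently reverted when the session ends, so the old password stays valid.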


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org

