Ticket #1630 (closed Bug: fixed)

Opened 5 years ago

GRUF group memberships reset after password change

Reported by: DannyB
Assigned to:
Priority: critical
Milestone: Past
Component: Unknown
Keywords:
Cc:

Description

When a member changes his password, his group memberships are reset.

Create a new group in ZMI called Test. Give Test the role Manager. Go to Plone and add yourself as a new user. Log out again. In ZMI, go to this new user, remove his Member role and make him a member of the group Test. He will now have the inherited role of Manager. Go to the portal again and log in as this new user. Change the password and then log out again. Go to ZMI and go to this new user. His membership of the group Test is gone! He will have the explicit role of Manager. I have also seen that he has no roles at all or simply the Member role. Either way, this is a very serious issue.

Change History

09/24/03 10:41:00 changed by panjunyong

I have the problem too. It is because of GroupUserFolder.

Here is our solution:

The method changePassword in Products.GroupUserFolder.GRUFUser.GRUFUser should be:

    def changePassword(self, password):
        """Set the user's password"""
        # don't spam the user's roles with group roles and Authenticated
        roles = self._original_roles
        roles = filter(lambda x: x not in ('Authenticated', 'Shared', 'Anonymous'), roles)

        # set the profile on the user folder
        self.userFolderEditUser(
            self.getUserName(),
            password,
            roles,
            self.getDomains(),
            )

09/24/03 18:18:00 changed by jccooper

I agree with the patch. The comment, in fact, is wrong: the user must be given group roles, or else they go away as indicated in the bug.

One might use 'getRoles' instead, except that this would filter out invalid group roles, which I don't think it's the place of password changes to do. (Should membership in a group come back if that group is removed and re-created? I don't know, but we don't solve that here.)

I have applied the fix to GRUF almost as is (save for changing the comments.)

Thanks to both the reporter and patcher. Good work!
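
The failure mode discussed above, as an added example that is not GRUF code and not part of the ticket: a toy user folder whose edit call replaces the stored role list wholesale, with one password-change routine that loses the group and one shaped like the patch. Assumptions: memberships are stored as "group_"-prefixed entries in that list, and the buggy variant is a hypothetical reconstruction chosen to reproduce the reported symptom; all class and function names are invented.

```python
# Toy model, constructed for illustration; not GRUF source code.
GROUP_PREFIX = "group_"  # assumption: memberships are stored as prefixed role entries
SPECIAL = ("Authenticated", "Shared", "Anonymous")

class ToyUserFolder:
    """Keeps one flat role list per user; edit_user overwrites it completely."""
    def __init__(self, group_roles):
        self.group_roles = group_roles  # group name -> roles the group grants
        self.users = {}                 # user name -> (password, stored role list)

    def edit_user(self, name, password, roles):
        self.users[name] = (password, list(roles))

    def original_roles(self, name):
        return list(self.users[name][1])

    def groups(self, name):
        return [r[len(GROUP_PREFIX):] for r in self.original_roles(name)
                if r.startswith(GROUP_PREFIX)]

    def explicit_roles(self, name):
        return [r for r in self.original_roles(name) if not r.startswith(GROUP_PREFIX)]

    def effective_roles(self, name):
        roles = set(self.explicit_roles(name)) | {"Authenticated"}
        for group in self.groups(name):
            roles.update(self.group_roles.get(group, ()))
        return sorted(roles)

def change_password_buggy(folder, name, password):
    # Hypothetical pre-fix behaviour: writes back the computed view, so inherited
    # roles become explicit and the membership entries are dropped.
    roles = [r for r in folder.effective_roles(name) if r not in SPECIAL]
    folder.edit_user(name, password, roles)

def change_password_fixed(folder, name, password):
    # Same shape as the patch in this ticket: stored list minus special roles only.
    roles = [r for r in folder.original_roles(name) if r not in SPECIAL]
    folder.edit_user(name, password, roles)

def run(change_password):
    """Replays the reported steps; returns (groups, explicit roles) afterwards."""
    folder = ToyUserFolder({"Test": ["Manager"]})
    folder.edit_user("newuser", "old-secret", [GROUP_PREFIX + "Test"])
    change_password(folder, "newuser", "new-secret")
    return folder.groups("newuser"), folder.explicit_roles("newuser")
```

Comparing memberships and explicit roles before and after each credential-changing code path, as run() does here, makes a useful regression check for this class of bug.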

10/14/03 12:12:00 changed by brentmh

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in the latest version of GRUF

05/11/05 08:53:00 changed by Anonymous User

I have Plone 2.0.5 and GRUF 2.0.1. If I have a user in a group and I reset his password from Plone's user administration interface, I get a new password emailed to the user, but the user is no longer in the group and I have to put him into the group again.

My method changePassword in Products.GroupUserFolder.GRUFUser.GRUFUser contains:

    security.declarePrivate('changePassword')
    def changePassword(self, password):
        """Set the user's password"""
        # don't spam the user's roles with special roles
        roles = self._original_roles  # we must keep group roles
        roles = filter(lambda x: x not in ('Authenticated', 'Shared', 'Anonymous'), roles)

        # set the profile on the user folder
        self.userFolderEditUser(
            self.getUserName(),
            password,
            roles,
            self.getDomains(),
            )

What should I do?