Goobi.Production

save password alert in user administration dialog

Bug #1020941 reported by Matthias Ronge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Goobi.Production
Triaged
Medium
Unassigned
1.8
Triaged
Medium
Unassigned

Bug Description

When, in the “User” page, you click “edit user” and then on the “User groups” link, Firefox alerts and asks if you want to save the password. This is confusing and annoying. When adding a user group, nothing at all happens until you click “close”. In this moment, the dialog to save the password pops up again.

It would be very desirable not to submit the HTML form except when clicking the button “Save”. When clicking an “add” image button in the pop up window, there should be any visible response.

Furthermore, because of the browser considering the user change dialog as a login form, this adds a users credentials to the browser password safe.

See original description

Related branches

lp:~slub.team/goobi-production/bug-1020941
Henning Gerhardt: Disapprove
Matthias Ronge: Pending requested
Diff: 55 lines (+14/-3)
3 files modified
config/messages_de.properties (+1/-0)
config/messages_en.properties (+1/-0)
newpages/BenutzerBearbeiten.jsp (+12/-3)
Revision history for this message
Matthias Ronge (matthias-ronge) wrote :
Ralf Claussnitzer (ralf-claussnitzer-deactivatedaccount)
Changed in goobi-production:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Ralf Claussnitzer (ralf-claussnitzer-deactivatedaccount) wrote :

Modern browsers will offer a password saving dialog on every submit event if the submitted form contains an input field of type password. There is no way to disable this behavior with plain HTML forms. Maybe a separate password changing dialog is a solution.

Revision history for this message
Ralf Claussnitzer (ralf-claussnitzer-deactivatedaccount) wrote :

Some findings:

1. Seems like all browsers (except Opera) skip saving the password if the 'autocomplete="off"' attribute is given for the password field. The currently used JSF implementation unfortunately doesn't allow to specify this attribute.

2. All browsers skip password saving if there is more then one password field.

description: updated
Revision history for this message
Ralf Claussnitzer (ralf-claussnitzer-deactivatedaccount) wrote :

As described in https://code.launchpad.net/~slub.team/goobi-production/bug-1020941/+merge/130669/comments/281772 not all browsers stop saving passwords if there is more than one password field available. The only reasonable way to stop browsers from doing that, is to use the autocomplete attribute. As this is not possible with JSF 1.x standard elements, a custom UIComponentTag renderer has to be developed: http://illegalargumentexception.blogspot.de/2011/11/jsp-arbitrary-attributes-on-jsf.html

summary: - save password alert in firefox
+ save password alert in user administration dialog
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.