changing user's email from user list deletes user password

Bug #1468300 reported by Roberto Salgado
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | Fix Released | High | Kuo-tung Kao (jelly) |
Kilo | Fix Released | Undecided | Unassigned |

Bug Description

OS: Ubuntu Server 14.04.2 LTS
OpenStack: Kilo
Openstack-dashboard package: 1:2015.1.0-0ubuntu1~cloud0

robcresswell: Seems to also occur on master as of 2015-06-24

While logged in as an admin user in the Dashboard (Horizon), if you try to change another user's email address directly on the users list, it will change the email address properly but will turn that user's password to NULL.
This behaviour doesn't seem to take effect when changing the email address on the "Edit" form.

Before changing email address:
> select * from user where name="demo";
+----------------------------------+------+---------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
| id | name | extra | password | enabled | domain_id | default_project_id |
+----------------------------------+------+---------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
| 651261afa8654ed1a6431ed2b7405bd3 | demo | {"email": ""} | $6$rounds=40000$mXk6yBRZo.00pnoU$rRfNvGXVW15gHq8k6p9caT9bDQwIaNgpN29dLE0aR8wSisIN56xvbdbiQRGs/2S6qmIrrKaTUAm3uso8jMIr61 | 1 | default | 7dd667e26b2e4169bb74cf3306eac352 |
+----------------------------------+------+---------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+

After:
> select * from user where name="demo";
+----------------------------------+------+------------------------------------+----------+---------+-----------+----------------------------------+
| id | name | extra | password | enabled | domain_id | default_project_id |
+----------------------------------+------+------------------------------------+----------+---------+-----------+----------------------------------+
| 651261afa8654ed1a6431ed2b7405bd3 | demo | {"email": "<email address hidden>"} | NULL | 1 | default | 7dd667e26b2e4169bb74cf3306eac352 |
+----------------------------------+------+------------------------------------+----------+---------+-----------+----------------------------------+

Regarding security: no password means the user can't log in through the dashboard. I also tried logging in using a CLI without a password and it doesn't seem to work. So, I guess it's not a security vulnerability.

Changed in horizon:
status: New → Confirmed
importance: Undecided → High
description: updated
Changed in horizon:
assignee: nobody → jelly (coding1314)
Matthias Runge (mrunge) wrote :

reproducible in kilo

tags: added: kilo-backport-potential
Changed in horizon:
status: Confirmed → In Progress
Kuo-tung Kao (jelly) (coding1314) wrote :

I sent a patch for the bug.
https://review.openstack.org/#/c/196605/1

Changed in horizon:
milestone: none → liberty-2
Changed in horizon:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/197036

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/kilo)

Reviewed: https://review.openstack.org/197036
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=f0691cf10cc0613e2d346b5777ff3e175550eb9b
Submitter: Jenkins
Branch: stable/kilo

commit f0691cf10cc0613e2d346b5777ff3e175550eb9b
Author: Kuo-tung Kao <email address hidden>
Date: Mon Jun 29 17:47:23 2015 +0800

    changing email from user list deletes user passwd

    Fix bug for changing user's email from user list deletes user password.
    Don't set password to None in update_cell function in user tables.

    Change-Id: I9d96ca2aa806a0398de85c4866900b445eefee05
    Closes-Bug: #1468300
    (cherry picked from commit 0eb16dfa7ef4ec30c6b266c6006f4c4574199702)
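
The failure mode named in the commit message, sketched as an added example (not Horizon's or Keystone's code): a partial-update call that is handed password=None overwrites the stored hash, while leaving the field out preserves it. UserStore, inline_edit_buggy and inline_edit_fixed are hypothetical names, and the user rows and hashes are constructed placeholders.

```python
# Added illustration; every name below is hypothetical, not Horizon/Keystone code.
_UNSET = object()  # sentinel meaning "caller did not supply this field"


class UserStore:
    """Constructed in-memory stand-in for a backend with PATCH-style updates."""

    def __init__(self):
        self.rows = {}

    def add(self, user_id, name, email, password_hash):
        self.rows[user_id] = {"name": name, "email": email,
                              "password": password_hash}

    def update(self, user_id, **fields):
        # Every key that is passed gets written, even when its value is None.
        self.rows[user_id].update(fields)

    def users_without_password(self):
        # Audit helper: accounts whose stored password is NULL.
        return sorted(u for u, r in self.rows.items() if r["password"] is None)


def inline_edit_buggy(store, user_id, email):
    # Mirrors the reported behaviour: password=None rides along with the email.
    store.update(user_id, email=email, password=None)


def inline_edit_fixed(store, user_id, email, password=_UNSET):
    # Forward only the fields the caller actually supplied with a real value.
    changes = {"email": email}
    if password is not _UNSET and password is not None:
        changes["password"] = password
    store.update(user_id, **changes)


def demo():
    store = UserStore()
    store.add("u1", "demo", "", "$6$constructed-hash-1")
    store.add("u2", "demo2", "", "$6$constructed-hash-2")
    inline_edit_buggy(store, "u1", "demo@example.test")
    inline_edit_fixed(store, "u2", "demo2@example.test")
    return store.rows, store.users_without_password()
```

The audit helper corresponds to checking the user table for rows whose password column is NULL, as in the "After" query in the bug description.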

tags: added: in-stable-kilo
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: liberty-2 → 8.0.0