KarlAdmin should not change KarlStaff password

Bug #426385 reported by Jason Lantz
Affects: KARL3
Status: Fix Released
Importance: Medium
Assigned to: Chris Rossi

Bug Description

Problem
========

Since the new user administration functionality went into the system, a user with the KarlAdmin role is unable to change their password correctly. In the OSI system, all password changes are routed through a change password form in GSA, our staff administrator application. The GSA change password page also sets the user's password in other internal OSI apps.

When a KarlAdmin user edits their own profile, the paragraph at the top that contains the link to change password is not shown so there is no way to get to the proper change password process. There is, however, a form field to change the password. This form field is confusing as changing the password there would cause the user's password to be out of sync with the other OSI apps. Since this is for admins only and there are only a few, we can educate around that problem, but having the link to change password properly still displayed is important.

Solution
========

- If this is OSI, and not one of the partners, and...

- If you are on the admin_edit_profile.html screen, and....

- You are editing someone's profile that is KarlStaff (for example, but not limited to, your own profile), then....

- Replace the two password change fields with something explaining this combination of circumstances, and the link you describe to the proper change password facility.

Revision history for this message
Paul Everitt (paul-agendaless) wrote:

Can you test this on staging and see if it is also buggy there? It's possible that we can get this fixed for free, simply by the workflow-security work that is about to land.

Changed in karl3:
assignee: nobody → Jason Lantz (jasontlantz)
importance: Undecided → Medium
milestone: none → m31
Paul Everitt (paul-agendaless) wrote:

Ahh, I see, this isn't an issue about getting a Forbidden.

Jason, the cause of this is because the "Edit" action sends you to admin_edit_profile.html. edit_profile.html is still there.

I guess the right solution in this case is to detect:

- If this is OSI, and not one of the partners, and...

- If you are on the admin_edit_profile.html screen, and....

- You are editing someone's profile that is KarlStaff (for example, but not limited to, your own profile), then....

- Replace the two password change fields with something explaining this combination of circumstances, and the link you describe to the proper change password facility.

Jason, re-assigning to you to see if that sounds ok.

Jason Lantz (jasontlantz) wrote:

The resolution of replacing the password fields with the link for OSI sounds like the right thing to do. This would prevent the case of an admin accidentally setting a staff user's password in KARL causing it to be out of sync with the other OSI applications. Re-assigning back to Paul.

Changed in karl3:
assignee: Jason Lantz (jasontlantz) → Paul Everitt (paul-agendaless)
description: updated
summary: - KarlAdmin cannot change password
+ KarlAdmin should not change KarlStaff password
Paul Everitt (paul-agendaless) wrote:

Thanks for the fast turnaround Jason on proposed change. Assigning to Chris.

Changed in karl3:
assignee: Paul Everitt (paul-agendaless) → Chris Rossi (chris-archimedeanco)
Chris Rossi (chris-archimedeanco) wrote:

This makes perfect sense as long as you're changing your own password. Because the 'admin_edit_profile' view can be used by admins to edit other users, it's not clear to me what the URL for OSI should be in that case. Is the change password URL provided by OSI capable of letting admins change other users' passwords? Should we use a different URL for that? Or just hide the password fields?

Chris Rossi (chris-archimedeanco) wrote:

Ok, here's what I did (for OSI only):

If you are KarlStaff editing your own profile, you see the same message that is on the edit_profile view, which contains a link to change your password.

If you are editing another user who is KarlStaff, you will also see a link to change that user's password. (I'm not sure if this link will work if it's for a user you are not. If it doesn't, let me know and we'll do something else.)

If the user being edited is not KarlStaff, the behavior is the same as before.

Changed in karl3:
status: New → Fix Committed
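The combined condition from the Solution section (OSI deployment, the admin_edit_profile.html view, target profile is KarlStaff) together with the two rendering cases Chris describes, written out as a small Python decision. This is an added example, not KARL project code. It also goes one step beyond the thread: replacing the fields is a template change only, so the same predicate is applied server-side to a submitted form, and a hand-built POST carrying a password for a GSA-managed user is rejected rather than silently desynchronising that user. The role name, view name and is_osi flag mirror the bug text; the form field names, result dictionaries and the GSA URL placeholder are assumptions made for the illustration.

```python
"""Decide when KARL's admin profile form may touch a password (OSI KarlStaff).

Added example, not KARL project code.  'KarlStaff', 'admin_edit_profile.html'
and is_osi mirror the bug report; the field names, result shapes and the GSA
URL placeholder are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Assumed placeholder; the real OSI/GSA change-password URL is not on the page.
GSA_CHANGE_PASSWORD_URL = "https://gsa.example.invalid/change_password"

ADMIN_VIEW = "admin_edit_profile.html"
SELF_VIEW = "edit_profile.html"


@dataclass(frozen=True)
class Profile:
    userid: str
    roles: frozenset


@dataclass(frozen=True)
class EditContext:
    is_osi: bool        # OSI deployment (True) vs a partner deployment (False)
    view_name: str      # which edit view is rendering the form
    editor: Profile     # the KarlAdmin doing the editing
    target: Profile     # the profile being edited (may be the editor's own)


def password_owned_by_gsa(ctx: EditContext) -> bool:
    """True when KARL must not set the password itself.

    On OSI every KarlStaff password is owned by GSA, which pushes it to the
    other OSI apps; setting it in KARL would leave it out of sync.  Partner
    sites and non-KarlStaff users keep the ordinary password fields.
    """
    return ctx.is_osi and "KarlStaff" in ctx.target.roles


def password_section(ctx: EditContext) -> dict:
    """What the edit form shows where the two password fields would be."""
    if ctx.view_name not in (ADMIN_VIEW, SELF_VIEW):
        return {"kind": "none"}
    if password_owned_by_gsa(ctx):
        own = ctx.editor.userid == ctx.target.userid
        return {
            "kind": "link",
            "url": GSA_CHANGE_PASSWORD_URL,
            "other_user": not own,
            "message": ("Your password is managed by GSA; use the link below."
                        if own else
                        "This user's password is managed by GSA; use the link below."),
        }
    return {"kind": "fields"}


def apply_profile_form(ctx: EditContext, form: dict) -> dict:
    """Server-side handling of the submitted form.

    Hiding the fields is only a template change: a hand-built POST can still
    carry 'password' (assumed field name).  Refuse it when GSA owns the
    password so the desync the bug describes cannot be reached by bypassing
    the UI.  Other profile fields are applied normally.
    """
    changes, rejected = {}, []
    pw = form.get("password") or ""
    if pw:
        if password_owned_by_gsa(ctx):
            rejected.append("password: managed by GSA, use the change password form")
        elif pw != form.get("password_confirm"):
            rejected.append("password: confirmation does not match")
        else:
            changes["password"] = pw
    for key in ("firstname", "lastname", "email"):
        if key in form:
            changes[key] = form[key]
    return {"changes": changes, "rejected": rejected}


# Constructed sample data for the demo below (not real KARL users).
ADMIN = Profile("admin1", frozenset({"KarlAdmin", "KarlStaff"}))
STAFF = Profile("staff1", frozenset({"KarlStaff"}))
PARTNER_USER = Profile("partner1", frozenset())

OSI_SELF = EditContext(True, ADMIN_VIEW, ADMIN, ADMIN)
OSI_OTHER_STAFF = EditContext(True, ADMIN_VIEW, ADMIN, STAFF)
OSI_NON_STAFF = EditContext(True, ADMIN_VIEW, ADMIN, PARTNER_USER)
PARTNER_SITE = EditContext(False, ADMIN_VIEW, ADMIN, STAFF)

if __name__ == "__main__":
    for name, ctx in [("osi self", OSI_SELF), ("osi other staff", OSI_OTHER_STAFF),
                      ("osi non-staff", OSI_NON_STAFF), ("partner", PARTNER_SITE)]:
        print(name, password_section(ctx)["kind"])
    print(apply_profile_form(OSI_OTHER_STAFF, {"password": "x", "password_confirm": "x"}))
```

The UI decision and the server-side check share one predicate on purpose: if the two ever disagree, an admin either loses the link or, worse, regains a working password field for a GSA-managed account.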
JimPGlenn (jpglenn09) wrote:

fixed

Changed in karl3:
status: Fix Committed → Fix Released