Admin users cannot change other user's passwords via UI

Bug #1894727 reported by Mateusz Pawlowski
This bug affects 2 people
Affects: MAAS; Importance: Critical; Assigned to: Adam Collard
Affects: 2.7; Importance: Undecided; Assigned to: Victor Tapia
Affects: 2.8; Importance: Undecided; Assigned to: Adam Collard
Affects: maas-ui; Status: Fix Released; Importance: Unknown

Bug Description

Administrator is unable to change users' passwords via UI.

MAAS version: 2.7.3 (8291-g.384e521e6-0ubuntu1~18.04.2)

Steps to reproduce:

1. Log in to UI
2. Create user
3. Change user's password
4. Try to log in with new password

Workaround:

1. Log in to CLI
2. Change password with "maas changepassword <username>" command


description: updated
summary: - Users cannot change password
+ Users cannot change password via UI
Victor Tapia (vtapia)
tags: added: sts
tags: added: ui
Changed in maas-ui:
status: Unknown → New
Kit Randel (blr) wrote : Re: Users cannot change password via UI

I'm a little sceptical that this has ever worked. Django contrib seems to suggest that the correct form for an admin changing a user's password is AdminPasswordChangeForm (https://docs.djangoproject.com/en/1.8/topics/auth/default/#django.contrib.auth.forms.AdminPasswordChangeForm). This doesn't exist in MAAS, and user.change_password uses PasswordChangeForm, which requires an old password, as is intended for a user to change their own password.

We currently dispatch a websocket request in the following form when editing a user:

{
  "method": "user.update",
  "params": {
    "email": "<email address hidden>",
    "id": 30,
    "is_superuser": false,
    "last_name": "test user",
    "password1": "test",
    "password2": "test",
    "username": "test",
    "request_id": 46,
    "type": 0
  }
}

"password1" and "password2" are sent, and the response does not error, but presumably these params are discarded.
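
The failure mode described in the comment above (a "user.update" call that reports success while "password1" and "password2" are dropped), as an added example that is not part of the bug report and is not MAAS or Django code. It is a pure-Python model; USERS, update_lossy, update_strict, the reply shape and the sample users are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os

USERS = {}  # constructed in-memory store; a model, not MAAS or Django code
PROFILE_FIELDS = {"email", "last_name", "username", "is_superuser"}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(uid, username, password, is_superuser=False):
    salt = os.urandom(16)
    USERS[uid] = {"username": username, "salt": salt,
                  "hash": _hash(password, salt), "is_superuser": is_superuser}

def check_login(uid, password):
    user = USERS[uid]
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def update_lossy(actor_id, params):
    # Reported behaviour: password1/password2 are dropped, reply is still OK.
    fields = {k: v for k, v in params.items() if k in PROFILE_FIELDS}
    USERS[params["id"]].update(fields)
    return {"ok": True}

def update_strict(actor_id, params):
    # Admin reset: no old password, superuser only, nothing ignored silently.
    if not USERS[actor_id]["is_superuser"]:
        return {"ok": False, "error": "superuser required"}
    unknown = set(params) - PROFILE_FIELDS - {"id", "password1", "password2"}
    if unknown:
        return {"ok": False, "error": f"unknown params: {sorted(unknown)}"}
    user = USERS[params["id"]]
    p1, p2 = params.get("password1"), params.get("password2")
    if p1 is not None or p2 is not None:
        if not p1 or p1 != p2:
            return {"ok": False, "error": "passwords missing or different"}
        user["salt"] = os.urandom(16)
        user["hash"] = _hash(p1, user["salt"])
    user.update({k: v for k, v in params.items() if k in PROFILE_FIELDS})
    return {"ok": True}

def demo():
    create_user(1, "admin", "admin-pw", is_superuser=True)  # constructed users
    create_user(30, "test", "old-pw")
    msg = {"id": 30, "username": "test", "last_name": "test user",
           "is_superuser": False, "password1": "new-pw", "password2": "new-pw"}
    lossy = (update_lossy(1, msg)["ok"], check_login(30, "new-pw"))
    strict = (update_strict(1, msg)["ok"], check_login(30, "new-pw"))
    return lossy, strict
```

A regression check for this class of bug asserts on the follow-up login, as demo() does, because the handler's success reply alone looks the same in both cases.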

Bill Wear (billwear) wrote :

i have confirmed that this behavior not only occurs with new users, but also when admin changes password for an existing (other) user. triaging this one.

Bill Wear (billwear) wrote :

oops, sorry, noticed UI status -- did not triage, but i can confirm that the behavior is as described, both for new users created by admin, and for existing users.

Changed in maas-ui:
status: New → Fix Released
Victor Tapia (vtapia) wrote :

I'm attaching a patch that implements the password change (calling AdminPasswordChangeForm) in the websocket handler.

Changed in maas:
assignee: nobody → Adam Collard (adam-collard)
Changed in maas:
milestone: none → 2.9.0b7
Changed in maas:
status: New → Triaged
Changed in maas:
importance: Undecided → Critical
Changed in maas:
status: Triaged → Fix Committed
Changed in maas-ui:
status: Fix Released → New
Lee Trager (ltrager)
Changed in maas:
status: Fix Committed → Fix Released
Changed in maas-ui:
status: New → Fix Released
Changed in maas:
milestone: 2.9.0b7 → 2.9.0b8
summary: - Users cannot change password via UI
+ Admin users cannot change other user's passwords via UI
Adam Collard (adam-collard) wrote :

bumped to b8 since the UI fix only just landed in the commit referenced by the UI submodule.

Victor Tapia (vtapia) wrote :

Opened MR to backport patch to 2.7 and 2.8 (commit 839b79338 in master)
