Don't autofill password reset field on user settings page

Bug #1499164 reported by Aaron Wells
This bug affects 1 person
Affects    Status          Importance    Assigned to    Milestone
Mahara     Fix Released    Low           Unassigned
15.04      Fix Released    Low           Aaron Wells
15.10      Fix Released    Low           Unassigned

Bug Description

Every time I go to my account settings screen to change something, Firefox always pre-fills the "Current password" field with some obscured text, which is apparently not my current password. And so, if I don't go in and manually clear the field, then it gives me a form validation failure when I try to submit, because the two password fields don't match.

We need to put a flag on these fields that tells the web browser not to pre-fill either of them.

Aaron Wells (u-aaronw)
tags: added: passwords usability
description: updated
Aaron Wells (u-aaronw) wrote :

Apparently what it's autofilling the "Current password" field with is whichever value I last put in there. Depending on my current re-install situation, that may or may not be my current password, but either way it causes the form to not submit, unless I manually clear it.

If it is my current password, then it complains about the new password being empty. If it is not my current password, it complains about how it's not my current password.

Aaron Wells (u-aaronw) wrote :

Well, we're actually already putting autocomplete="off" on that field! It's apparently in all of pieform's password elements.

But Firefox ignores that, as described here: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

Probably the best fix for this would be to move the password reset form to another page entirely.

But, since this is a low-priority bug and it's right before a major release, the quicker fix is to put in a hidden decoy password field before any of the others. Firefox will detect that and fill it in instead. Then we can just ignore the decoy.
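
The decoy-field workaround described in the comment above, sketched as an added example (not part of the bug thread and not Mahara's actual patch): the form puts a hidden password input first, and the handler discards it before validation. The field names, the `display:none` hiding and the error strings are assumptions.

```javascript
// Added example; names below are hypothetical, not Mahara/pieform identifiers.
const DECOY_NAME = 'decoy_password';

// Password section of a settings form. The decoy comes first in document
// order so autofill lands on it instead of the "current password" field.
function renderPasswordFields() {
  return [
    // Assumption: hidden with inline CSS; kept out of tab order and a11y tree.
    `<input type="password" name="${DECOY_NAME}" style="display:none" tabindex="-1" aria-hidden="true">`,
    '<input type="password" name="oldpassword" autocomplete="off">',
    '<input type="password" name="password1" autocomplete="off">',
    '<input type="password" name="password2" autocomplete="off">',
  ].join('\n');
}

// Validate a urlencoded settings submission, ignoring the decoy entirely.
function parsePasswordChange(body) {
  const form = new URLSearchParams(body);
  form.delete(DECOY_NAME); // autofilled secret: never validate, store or log it
  const oldpw = form.get('oldpassword') || '';
  const new1 = form.get('password1') || '';
  const new2 = form.get('password2') || '';

  // All three empty: the user changed other settings only.
  if (!oldpw && !new1 && !new2) return { change: false, errors: [] };

  const errors = [];
  if (!oldpw) errors.push('current password required');
  if (!new1) errors.push('new password required');
  if (new1 !== new2) errors.push('new passwords do not match');
  return { change: errors.length === 0, errors };
}

// Constructed submissions (not captured traffic).
const WITH_DECOY = 'username=alice&decoy_password=stale-secret&oldpassword=&password1=&password2=';
const WITHOUT_DECOY = 'username=alice&oldpassword=stale-secret&password1=&password2=';
const REAL_CHANGE = 'decoy_password=stale-secret&oldpassword=old-pw&password1=n3w-pw&password2=n3w-pw';

function demo() {
  return {
    withDecoy: parsePasswordChange(WITH_DECOY),       // saves cleanly
    withoutDecoy: parsePasswordChange(WITHOUT_DECOY), // the reported failure
    realChange: parsePasswordChange(REAL_CHANGE),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

`WITHOUT_DECOY` reproduces the failure reported in this bug (a stale value in the current-password field with empty new-password fields), while `WITH_DECOY` shows the same autofilled value being absorbed and dropped.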

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/5363

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/5363
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/66e2a757fa763db88dbdf2be7e8b2e1d369b2043
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 66e2a757fa763db88dbdf2be7e8b2e1d369b2043
Author: Aaron Wells <email address hidden>
Date: Thu Sep 24 17:57:16 2015 +1200

Prevent FF from auto-filling the "old password" field (Bug 1499164)

behatnotneeded: No password store in behat FF

Change-Id: I5f2ac0196f323dadf4f3fe2c2d2e44c74d30ebae

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/5375

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/5375
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/a973ae153fb06fc4f918038a27368f6b75926323
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit a973ae153fb06fc4f918038a27368f6b75926323
Author: Aaron Wells <email address hidden>
Date: Thu Sep 24 17:57:16 2015 +1200

Prevent FF from auto-filling the "old password" field (Bug 1499164)

behatnotneeded: No password store in behat FF

Change-Id: I5f2ac0196f323dadf4f3fe2c2d2e44c74d30ebae
(cherry picked from commit 66e2a757fa763db88dbdf2be7e8b2e1d369b2043)

Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released