[Bug 37887] New: OPAC password recovery needs to use a cud- op while POSTing new password
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Bug ID: 37887 Summary: OPAC password recovery needs to use a cud- op while POSTing new password Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P3 Component: OPAC Assignee: phil@chetcolibrary.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org Depends on: 36192 Blocks: 37728 The intention of the CSRF protection from bug 36192 was that any form that used method="post" would have to have a param named 'op' which started with 'cud-' but the test that verifies they do missed the case of a template with more than one form. Bug 37728 corrects that, but to land, the things that currently fail the test need to be fixed. In opac-password-recovery.tt that's the fairly critical step where the user sets a new password. Luckily, getting there requires the uniqueKey that's sent in the recovery email, and if someone has access to that you've already lost the game, so it's not really a security issue, just something that needs to be fixed. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728 [Bug 37728] More "op" are missing in POSTed forms -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 --- Comment #1 from Phil Ringnalda <phil@chetcolibrary.org> --- Created attachment 171296 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=171296&action=edit Bug 37887: OPAC password recovery needs to use a cud- op while POSTing new password To pass xt/find-missing-op-in-forms.t after bug 37728 updates it to notice that there can be more than one form in a template, opac-password-recovery.tt needs to have a param named 'op' which starts with 'cud-' for the form that POSTs the new password. Luckily, testing this doesn't require that you set Koha up to actually send email (though you can), because you can get the link to reset the password by looking at the list of notices sent to the patron in the staff interface: the failure to send notice works just fine. Test plan: 1. There's no behavior change to test, you just need to see that resetting the password still works, so start with the patch applied. 2. Administration - System preferences - change OpacResetPassword to allowed 3. Set a patron so you can use them, which requires that you know the username, and they have an email address. I give Acosta, Edna one of my email addresses, and copy her cardnumber. 4. Open the OPAC, and below the login form click the "Forgot your password?" link 5. Enter the cardnumber for Login and the email you used for Email and click Submit. If you didn't set up sending email, you'll get an error message, but ignore it, not a problem 6. Back in the staff interface, check out to the patron you are using, and on the left sidebar choose Notices and find the Koha password recovery notice and click that linked phrase 7. In the popup with the notice text, open the recovery link in a new tab 8. Following the instructions for the content of a new password, enter one in both fields and click Submit 9 In the success message, click the link to Log in to your account and log in with the new password Sponsored-by: Chetco Community Public Library -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Olivier V <ovezina@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #171296|0 |1 is obsolete| | --- Comment #2 from Olivier V <ovezina@inlibro.com> --- Created attachment 171324 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=171324&action=edit Bug 37887: OPAC password recovery needs to use a cud- op while POSTing new password To pass xt/find-missing-op-in-forms.t after bug 37728 updates it to notice that there can be more than one form in a template, opac-password-recovery.tt needs to have a param named 'op' which starts with 'cud-' for the form that POSTs the new password. Luckily, testing this doesn't require that you set Koha up to actually send email (though you can), because you can get the link to reset the password by looking at the list of notices sent to the patron in the staff interface: the failure to send notice works just fine. Test plan: 1. There's no behavior change to test, you just need to see that resetting the password still works, so start with the patch applied. 2. Administration - System preferences - change OpacResetPassword to allowed 3. Set a patron so you can use them, which requires that you know the username, and they have an email address. I give Acosta, Edna one of my email addresses, and copy her cardnumber. 4. Open the OPAC, and below the login form click the "Forgot your password?" link 5. Enter the cardnumber for Login and the email you used for Email and click Submit. If you didn't set up sending email, you'll get an error message, but ignore it, not a problem 6. Back in the staff interface, check out to the patron you are using, and on the left sidebar choose Notices and find the Koha password recovery notice and click that linked phrase 7. In the popup with the notice text, open the recovery link in a new tab 8. Following the instructions for the content of a new password, enter one in both fields and click Submit 9 In the success message, click the link to Log in to your account and log in with the new password Sponsored-by: Chetco Community Public Library Signed-off-by: Olivier V <olivier.vezina@inLibro.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Olivier V <ovezina@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ovezina@inlibro.com Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #171324|0 |1 is obsolete| | --- Comment #3 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 171544 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=171544&action=edit Bug 37887: OPAC password recovery needs to use a cud- op while POSTing new password To pass xt/find-missing-op-in-forms.t after bug 37728 updates it to notice that there can be more than one form in a template, opac-password-recovery.tt needs to have a param named 'op' which starts with 'cud-' for the form that POSTs the new password. Luckily, testing this doesn't require that you set Koha up to actually send email (though you can), because you can get the link to reset the password by looking at the list of notices sent to the patron in the staff interface: the failure to send notice works just fine. Test plan: 1. There's no behavior change to test, you just need to see that resetting the password still works, so start with the patch applied. 2. Administration - System preferences - change OpacResetPassword to allowed 3. Set a patron so you can use them, which requires that you know the username, and they have an email address. I give Acosta, Edna one of my email addresses, and copy her cardnumber. 4. Open the OPAC, and below the login form click the "Forgot your password?" link 5. Enter the cardnumber for Login and the email you used for Email and click Submit. If you didn't set up sending email, you'll get an error message, but ignore it, not a problem 6. Back in the staff interface, check out to the patron you are using, and on the left sidebar choose Notices and find the Koha password recovery notice and click that linked phrase 7. In the popup with the notice text, open the recovery link in a new tab 8. Following the instructions for the content of a new password, enter one in both fields and click Submit 9 In the success message, click the link to Log in to your account and log in with the new password Sponsored-by: Chetco Community Public Library Signed-off-by: Olivier V <olivier.vezina@inLibro.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |jonathan.druart@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 --- Comment #4 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com Version(s)|24.11.00 |24.11.00,24.05.06 released in| | Status|Pushed to main |Pushed to stable --- Comment #5 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m Status|Pushed to oldstable |Needs documenting --- Comment #6 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED --- Comment #7 from Phil Ringnalda <phil@chetcolibrary.org> --- No change in behavior to document, just a bugfix. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Bug 37887 depends on bug 36192, which changed state. Bug 36192 Summary: [OMNIBUS] CSRF Protection for Koha https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org