Bug 45574 - Pop up dialog which expose given password
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Users
Version: UCS 4.2
Hardware: Other Mac OS X 10.1
Importance: P5 normal
Target Milestone: UCS 4.2-2-errata
Assigned To: Florian Best
QA Contact: Johannes Keiser
Duplicates: 33148
Depends on:
Blocks:
Reported: 2017-10-20 16:58 CEST by Michel Smidt
Modified: 2017-11-15 16:46 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017103021000149
Bug group (optional):
Max CVSS v3 score:


Attachments
Screenshot of pop up dialog (41.59 KB, image/png)
2017-10-20 16:58 CEST, Michel Smidt
Second screenshot (95.68 KB, image/png)
2017-10-26 00:17 CEST, Michel Smidt
patch (1.69 KB, patch)
2017-10-26 14:12 CEST, Florian Best

Description Michel Smidt 2017-10-20 16:58:54 CEST
Created attachment 9256
Screenshot of pop up dialog

The customer reported that under some circumstances a pop up dialog shows up from time to time which shows (exposes) the already given password.
Screenshot attached.
Comment 1 Florian Best univentionstaff 2017-10-23 10:05:55 CEST
Which browser and browser version is this?
What does "already given" password mean? The password is not stored anywhere in plain text in the backend. So the password which is then shown was entered after opening the user object, right!?
Comment 2 Daniel Tröder univentionstaff 2017-10-23 13:00:05 CEST
The problem is in _notifyAboutAutomaticChanges() in ucs-4.2-2/management/univention-management-console-module-udm/umc/js/udm/DetailPage.js where "changes" will be shown with:

dialog.alert(_('The following empty properties were set to default values in the form. These values will be applied when saving.') + changes)

"changes" must be cleaned of clear text passwords.
Comment 3 Florian Best univentionstaff 2017-10-23 13:03:21 CEST
(In reply to Daniel Tröder from comment #2)
> The problem is in _notifyAboutAutomaticChanges() in
> ucs-4.2-2/management/univention-management-console-module-udm/umc/js/udm/
> DetailPage.js where "changes" will be shown with:
> 
> dialog.alert(_('The following empty properties were set to default values in
> the form. These values will be applied when saving.') + changes)

My guess is that the password field was stored in the browser once. Now the browser touches the form and enters that stored value. The logic in _notifyAboutAutomaticChanges() then detects a change/difference and shows the message.

> "changes" must be cleaned of clear text passwords.
No.
Comment 4 Michel Smidt 2017-10-23 13:38:34 CEST
(In reply to Florian Best from comment #1)
> Which browser and browser version is this?
> What does "already given" password mean? The password is not stored anywhere
> in plain text in the backend. So the password which is then shown was
> entered after opening the user object, right!?

IE 11
Version 11.674.15063.0
User was already created and opened to edit.

"The user account already existed. I set the password. Then I wanted to test whether the setting that the same password cannot be assigned more than once still works. Then the message in question appeared when I actually wanted to jump to 'Password (repeat)'."
Comment 5 Michel Smidt 2017-10-26 00:17:00 CEST
I talked today with the customer and we reproduced the issue with Firefox 56.
Furthermore, I checked that no cached credentials were set before.
The message pops up from time to time. Sometimes very early, if you have just written one or two letters (see second screenshot).
The problem for the customer here is that the current workflow to reset passwords for users is the following:

1. The student forgot his/her password.
2. He/she went physically to the helpdesk.
3. The helpdesk person checks the passport and the student ID card ("Schülerausweis").
4. The helpdesk person (Domain Admin) opens the user in the user module.
5. The student sets a new password for him/herself and the dialog potentially pops up. At least the helpdesk and maybe further persons can see the password.
Comment 6 Michel Smidt 2017-10-26 00:17:43 CEST
Created attachment 9262
Second screenshot
Comment 7 Florian Best univentionstaff 2017-10-26 13:49:43 CEST
Okay, this sounds like Bug #33148. The password is entered while the user is not yet fully loaded. Is the environment large? Or the internet connection slow?
Comment 8 Michel Smidt 2017-10-26 13:53:26 CEST
(In reply to Florian Best from comment #7)
> Okay, this sounds like Bug #33148. The password is entered while the user is
> not yet fully loaded. Is the environment large? or the internet connection
> slow?

Yes, the environment is large. The internet connection was very accurate.
Comment 9 Florian Best univentionstaff 2017-10-26 14:12:37 CEST
Created attachment 9267
patch

This patch adds a standby animation as long as not all form values are loaded.
Comment 10 Florian Best univentionstaff 2017-11-08 16:04:08 CET
*** Bug 33148 has been marked as a duplicate of this bug. ***
Comment 11 Florian Best univentionstaff 2017-11-08 16:13:27 CET
A transparent standby animation has been added which prevents the form from being edited while not all values are loaded.

univention-management-console-module-udm.yaml
d81f7c212428 | Bug #45574: Merge branch 'fbest/33148-standby-animation-during-object-loading' into 4.2-2
61a488865931 | YAML Bug #45574

univention-management-console-module-udm (7.0.10-24)
d81f7c212428 | Bug #45574: Merge branch 'fbest/33148-standby-animation-during-object-loading' into 4.2-2
c8c57558100d | Bug #45574: enable standby animation during loading of objects
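
Added example, not part of the bug thread and not UMC code: a simplified model of the race discussed in comments 2, 7 and 11. It shows how input typed before the object has finished loading ends up in the notification text, and how a standby gate (the fix described in comment 11) or masking secret fields (the suggestion in comment 2) avoids the disclosure. The class, option names, widget types and message text are hypothetical.

```javascript
// Simplified model of a detail form; all names are hypothetical, not UMC code.
class DetailForm {
  constructor(widgetTypes, { standby = false, redact = false } = {}) {
    this.widgetTypes = widgetTypes; // property name -> widget type
    this.values = {};               // current form values
    this.loaded = false;
    this.standby = standby;         // block edits until the object is loaded
    this.redact = redact;           // mask secret widgets in notifications
  }

  // Called for user edits; returns false when the edit is rejected.
  userInput(name, value) {
    if (this.standby && !this.loaded) return false;
    this.values[name] = value;
    return true;
  }

  // Called when the backend response arrives. Returns the notification text,
  // or null when no property looks like it was filled in automatically.
  finishLoading(serverValues) {
    this.loaded = true;
    const changes = [];
    for (const name of Object.keys(this.widgetTypes)) {
      const server = serverValues[name] ?? '';
      const form = this.values[name] ?? '';
      if (server === '' && form !== '') {
        // Empty on the server but filled in the form: reported as a default,
        // even though the user typed it while the object was still loading.
        const secret = this.widgetTypes[name] === 'password';
        changes.push(`${name}: ${this.redact && secret ? '********' : form}`);
      } else if (server !== '') {
        this.values[name] = server;
      }
    }
    return changes.length ? 'Set to default values: ' + changes.join(', ') : null;
  }
}

// Constructed scenario: the password is typed before loading has finished.
function simulate(options) {
  const form = new DetailForm({ username: 'text', password: 'password' }, options);
  const accepted = form.userInput('password', 'S3cret-constructed');
  const message = form.finishLoading({ username: 'anna', password: '' });
  return { accepted, message };
}
```
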
Comment 12 Johannes Keiser univentionstaff 2017-11-13 15:21:07 CET
OK Standby animation is shown while an object is loading
OK Form values can not be edited while object is loading
YAML: OK
-> verified
Comment 13 Arvid Requate univentionstaff 2017-11-15 16:46:57 CET
<http://errata.software-univention.de/ucs/4.2/220.html>