Bug 51287 - The UCR variable umc/self-service/passwordreset/token_validity_period is without function
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-6-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Reported: 2020-05-14 14:51 CEST by Sönke Schwardt-Krummrich
Modified: 2020-11-16 23:38 CET
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.069
Description Sönke Schwardt-Krummrich univentionstaff 2020-05-14 14:51:16 CEST
The UCR variable umc/self-service/passwordreset/token_validity_period is not used in univention-self-service. The value is read from UCR but then not used. Instead the constant TOKEN_VALIDITY_TIME is used.

sschwardt@dave:$ cd ~/git/ucs/management/univention-self-service
sschwardt@dave:$ grep -Hr TOKEN_VALIDITY_TIME .
./umc/python/passwordreset/__init__.py:TOKEN_VALIDITY_TIME = 3600
./umc/python/passwordreset/__init__.py:         if (datetime.datetime.now() - token_from_db["timestamp"]).seconds >= TOKEN_VALIDITY_TIME:
sschwardt@dave:$ grep -Hr token_validity_period .
./debian/univention-self-service-passwordreset-umc.univention-config-registry-variables:[umc/self-service/passwordreset/token_validity_period]
./umc/python/passwordreset/__init__.py:         self.token_validity_period = ucr_try_int("umc/self-service/passwordreset/token_validity_period", 3600)

Untested workaround:
sed -i -e 's/TOKEN_VALIDITY_TIME = 3600/TOKEN_VALIDITY_TIME = 86400/'  \
  /usr/lib/python2.7/dist-packages/univention/management/console/modules/passwordreset/__init__.py
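Added example, not code from univention-self-service: a token age check that takes the validity period from configuration instead of a constant and compares the full elapsed time. The comparison in the grep output above uses timedelta.seconds, which drops whole days, so the sketch puts that form beside total_seconds(). The dict standing in for UCR, the function names and the sample ages are assumptions.

```python
import datetime

# UCR variable name and default as they appear in the report above.
KEY = "umc/self-service/passwordreset/token_validity_period"
DEFAULT_VALIDITY = 3600  # seconds


def validity_from_config(config):
    """Validity in seconds; `config` is a dict standing in for UCR (assumption)."""
    try:
        value = int(config.get(KEY, DEFAULT_VALIDITY))
    except (TypeError, ValueError):
        return DEFAULT_VALIDITY
    return value if value > 0 else DEFAULT_VALIDITY


def expired_seconds_attr(timestamp, now, validity):
    """Comparison in the form quoted in the report: timedelta.seconds only
    holds the remainder below one day (0..86399), whole days are dropped."""
    return (now - timestamp).seconds >= validity


def expired_total_seconds(timestamp, now, validity):
    """Compare the full elapsed time. Rejecting timestamps that lie in the
    future is a choice made for this example."""
    elapsed = (now - timestamp).total_seconds()
    return elapsed < 0 or elapsed >= validity


def compare(now, ages, configs):
    """Return (validity, age, seconds_attr_result, total_seconds_result) rows."""
    rows = []
    for config in configs:
        validity = validity_from_config(config)
        for age in ages:
            issued = now - datetime.timedelta(seconds=age)
            rows.append((validity, age,
                         expired_seconds_attr(issued, now, validity),
                         expired_total_seconds(issued, now, validity)))
    return rows


if __name__ == "__main__":
    # Constructed sample data: a fixed "now" and token ages in seconds.
    sample_now = datetime.datetime(2020, 5, 14, 12, 0, 0)
    sample_ages = [600, 3600, 86400 + 600, 3 * 86400]
    for row in compare(sample_now, sample_ages, [{}, {KEY: "86400"}]):
        print("validity=%d age=%d .seconds=%s total_seconds()=%s" % row)
```

With a validity of 86400 or more, the .seconds form never reports expiry, because that attribute is at most 86399.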
Comment 1 Ingo Steuwer univentionstaff 2020-05-15 08:54:03 CEST
To be sure about the consequences: due to this bug one can't configure how long a token for a password reset is actually valid?
Comment 2 Timo Denissen univentionstaff 2020-05-15 09:22:21 CEST
(In reply to Ingo Steuwer from comment #1)
> To be sure about the consequences: due to this bug one can't configure how
> long a token for a password reset is actually valid?

That is correct. The value is always 3600 seconds, even if the UCRV is set differently.
Comment 3 Florian Best univentionstaff 2020-10-20 17:32:12 CEST
Fixed in:

univention-self-service.yaml
a599710c8113 | YAML Bug #51287

univention-self-service (4.0.3-47)
a817e4319058 | Bug #51287: evaluate UCR variable umc/self-service/passwordreset/token_validity_period

Merged to UCS 5:
univention-self-service (5.0.0-5)
8906f3575ddc | Bug #51287: evaluate UCR variable umc/self-service/passwordreset/token_validity_period
Comment 4 Dirk Wiesenthal univentionstaff 2020-10-21 10:11:10 CEST
Token is invalid after $(ucr value) seconds: OK
YAML: OK