View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0026880mantisbtadministrationpublic2020-04-14 12:132020-05-03 04:34
Reporterdregad Assigned Todregad  
PriorityurgentSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.24.0 
Target Version2.24.1Fixed in Version2.24.1 
Summary0026880: Impossible to reset user's password
Description

Since 2.24.0 it is no longer possible to reset a user's password.

When clicking on the Reset Password button, the manage_user_reset.php page displays the following PHP notices

  • SYSTEM NOTICE: 'Undefined variable: t_result' in '/home/dregad/dev/mantisbt/manage_user_reset.php' line 61
  • SYSTEM NOTICE: 'Undefined variable: t_reset' in '/home/dregad/dev/mantisbt/manage_user_reset.php' line 65

And the page always displays The account has been unlocked. instead of the expected password reset message.

This is a regression introduced by 0026632 / PR https://github.com/mantisbt/mantisbt/pull/1599.

Additional Information

The PR removed the 2 variables initialization:
https://github.com/mantisbt/mantisbt/pull/1599/files#diff-8522b31f9b5f0753b20c16b2a7d489acL67

Consequently the if( $t_reset ) { statement at line 65 always evaluates to false.

Tagspatch

Relationships

related to 0026632 closedcommunity Support user password reset via REST API 

Activities

gthomas

gthomas

2020-04-14 14:24

reporter   ~0063838

Sorry, I'm not familiar with which component does what, and you said that the Command already does the checks.

So, mayba core/commands/UserResetPasswordCommand.php process() should return that $t_result, and not just an array() ?
gthomas

gthomas

2020-04-14 14:32

reporter   ~0063839

diff --git a/core/commands/UserResetPasswordCommand.php b/core/commands/UserResetPasswordCommand.php
index 000713da2..01a859310 100644
--- a/core/commands/UserResetPasswordCommand.php
+++ b/core/commands/UserResetPasswordCommand.php
@@ -96,7 +96,7 @@ class UserResetPasswordCommand extends Command {
} else {
$t_result = user_reset_failed_login_count_to_zero( $this->user_id_reset );
}

  • return array();
  • return array( $t_reset, $t_result );
    }
    }

diff --git a/manage_user_reset.php b/manage_user_reset.php
index 97c78a012..97004087b 100644
--- a/manage_user_reset.php
+++ b/manage_user_reset.php
@@ -52,7 +52,7 @@ $t_data = array(
);

$t_command = new UserResetPasswordCommand( $t_data );
-$t_command->execute();
+list( $t_reset, $t_result ) = $t_command->execute();

$t_redirect_url = 'manage_user_page.php';
gthomas

gthomas

2020-04-14 14:33

reporter   ~0063840

26880-1.patch (1,047 bytes)    
commit 2d38d642e823145267386de74380d0fc6e6dab72
Author: Tamás Gulácsi <tgulacsi78@gmail.com>
Date:   Tue Apr 14 20:26:20 2020 +0200

    fix missing initialization of t_reset and t_result
    
    Fixes #26880

diff --git a/core/commands/UserResetPasswordCommand.php b/core/commands/UserResetPasswordCommand.php
index 000713da2..01a859310 100644
--- a/core/commands/UserResetPasswordCommand.php
+++ b/core/commands/UserResetPasswordCommand.php
@@ -96,7 +96,7 @@ class UserResetPasswordCommand extends Command {
 		} else {
 			$t_result = user_reset_failed_login_count_to_zero( $this->user_id_reset );
 		}
-		return array();
+		return array( $t_reset, $t_result );
 	}
 }
 
diff --git a/manage_user_reset.php b/manage_user_reset.php
index 97c78a012..97004087b 100644
--- a/manage_user_reset.php
+++ b/manage_user_reset.php
@@ -52,7 +52,7 @@ $t_data = array(
 );
 
 $t_command = new UserResetPasswordCommand( $t_data );
-$t_command->execute();
+list( $t_reset, $t_result ) = $t_command->execute();
 
 $t_redirect_url = 'manage_user_page.php';
26880-1.patch (1,047 bytes)   
dregad

dregad

2020-04-15 11:38

developer   ~0063842

@gthomas thanks for the prompt reply and proposed patch.

My initial idea to fix this was the same actually, i.e. have the command's execute() method return array( $t_reset, $t_result ) but this is a bit of an ugly hack so on second thought, I believe it would be cleaner to return a "proper" result code indicating what happened (i.e. password reset, account unlocked or failure).

I'm also wondering whether the command's validate() method shouldn't throw an exception if the user account is protected (which is the only case where user_reset_password() could return false).
dregad

dregad

2020-04-18 07:09

developer   ~0063849

PR https://github.com/mantisbt/mantisbt/pull/1655

Related Changesets

MantisBT: master-2.24 2c237c4e

2020-04-15 07:59

dregad


Details Diff		 UserResetPasswordCommand now returns status code

The introduction of the command (see issue 0026632) broke the password
reset from the GUI (manage_user_reset.php), as some variables used in
the program were no longer initialized. As a result, it could only
unlock the account (i.e. reset the failed login count).

This commit changes the Command's process() method to return a status
code (RESET, UNLOCK or FAILURE, defined as class constants), which can
then be used by manage_user_reset.php to display an appropriate message.

Fixes 0026880		 Affected Issues
0026632, 0026880
mod - core/commands/UserResetPasswordCommand.php Diff File
mod - manage_user_reset.php Diff File

MantisBT: master-2.24 0d5a7397

2020-05-02 07:48

dregad


Details Diff		 UserResetPassword Command fixes

Merge PR https://github.com/mantisbt/mantisbt/pull/1655

Fixes 0026880, 0026885
See issue 0026632		 Affected Issues
0026632, 0026880, 0026885
mod - api/rest/restcore/users_rest.php Diff File
mod - core/commands/UserResetPasswordCommand.php Diff File
mod - core/user_api.php Diff File
mod - manage_user_reset.php Diff File