Dear Michael,
On Monday 26 January 2009 03:41:37 Michael Marino wrote:
> I have a question about the following code in webaccessadmin_lib.py
> (lines ~739)
>
> def perform_modifyaccountstatus(req, userID, email_user_pattern,
>                                 limit_to, maxpage, page, callback='yes', confirm=0):
>     """set a disabled account to enabled and opposite"""
>     ...
>     res2 = run_sql("UPDATE user SET note=1 WHERE id=%s", (userID, ))
>     output += """<b><span class="info">The account '%s' has
>     been activated.</span></b>""" % res[0][1]
>     if CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION == 1:
>         password = int(random.random() * 1000000)
>         run_sql("UPDATE user SET password=AES_ENCRYPT(email, %s) "
>                 "WHERE id=%s", (password, userID))
>         emailsent = send_account_activated_message(res[0][1], res[0][1], password)
>
> The first line enables the account, but later down where it proceeds
> to send the user an email about the activation the lines:
>
>     password = int(random.random() * 1000000)
>     run_sql("UPDATE user SET password=AES_ENCRYPT(email, %s) "
>             "WHERE id=%s", (password, userID))
>
> reset the password to something completely random!
>
> Is there a (security) reason for this? I think it would make sense
> to get rid of the run_sql command.
thanks for spotting this! This is indeed a bug: that line was needed in the
past for security reasons, but it is not needed anymore and, as you point
out, it might (in installations where
CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION is set to 1 and
CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS > 0) reset the password of the user to a
random number. (It is indeed possible for the admin to reset the password of
the user to a temporary value and communicate this new password to the user.)
A bug-fix is already available from our GIT repository:
<http://cdsware.cern.ch/repo/?p=cds-invenio.git;a=commitdiff;h=aa9c1659d469b18d51dc545d62c00d79913f85bb>
and it will be included in the next release.
Best regards,
Samuele
--
.O.
..O
OOO
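The regression discussed in this thread, as an added example that is not part of the original messages nor of Invenio's own code: a toy in-memory `user` table is activated once with logic shaped like the quoted snippet (the notification branch overwrites the password) and once with Michael's proposed fix (the password `UPDATE` removed). The table layout, the `stored_password` helper standing in for MySQL's `AES_ENCRYPT(email, password)`, and the `notify_user` flag standing in for `CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION == 1` are all assumptions made for the example.

```python
import hashlib
import random
import sqlite3


def stored_password(email, password):
    # Stand-in (assumption) for MySQL AES_ENCRYPT(email, password): the stored
    # value depends on both the e-mail and the password, so changing the
    # password changes the column.
    return hashlib.sha256(f"{email}:{password}".encode()).hexdigest()


def make_db():
    """Constructed in-memory 'user' table holding one disabled account (note=0)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, note INTEGER)")
    email = "user@example.org"  # constructed sample account
    conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                 (1, email, stored_password(email, "s3cret"), 0))
    conn.commit()
    return conn


def account_state(conn, user_id):
    row = conn.execute("SELECT email, password, note FROM user WHERE id=?",
                       (user_id,)).fetchone()
    return {"email": row[0], "password": row[1], "note": row[2]}


def activate_buggy(conn, user_id, notify_user):
    """Shaped like the quoted code: enable the account, then, when notifying,
    overwrite the password with a random temporary value and mail it."""
    conn.execute("UPDATE user SET note=1 WHERE id=?", (user_id,))
    sent = None
    if notify_user:
        temp = int(random.random() * 1000000)
        email = conn.execute("SELECT email FROM user WHERE id=?",
                             (user_id,)).fetchone()[0]
        conn.execute("UPDATE user SET password=? WHERE id=?",
                     (stored_password(email, temp), user_id))
        sent = {"to": email, "password": str(temp)}
    conn.commit()
    return sent


def activate_fixed(conn, user_id, notify_user):
    """The proposed fix: enable the account and notify, but leave the
    stored password untouched (no temporary password is generated)."""
    conn.execute("UPDATE user SET note=1 WHERE id=?", (user_id,))
    sent = None
    if notify_user:
        email = conn.execute("SELECT email FROM user WHERE id=?",
                             (user_id,)).fetchone()[0]
        sent = {"to": email, "password": None}
    conn.commit()
    return sent


def demo(notify_user=True):
    """Run both variants on fresh copies of the table and report, per variant,
    whether the account was enabled, whether the stored password survived,
    and whether a password was put into the notification mail."""
    results = {}
    for name, activate in (("buggy", activate_buggy), ("fixed", activate_fixed)):
        conn = make_db()
        before = account_state(conn, 1)
        sent = activate(conn, 1, notify_user)
        after = account_state(conn, 1)
        results[name] = {
            "activated": after["note"] == 1,
            "password_preserved": after["password"] == before["password"],
            "password_in_mail": sent is not None and sent["password"] is not None,
        }
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print(f"notify_user={flag}: {demo(flag)}")
```

With notification enabled, only the buggy variant reports `password_preserved: False`; with notification disabled both variants leave the password alone, which is why the problem went unnoticed on installations that do not notify users. A check of this shape, kept next to the account-status code, catches the regression if the password `UPDATE` is ever reintroduced.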