yahoo-eng-team team mailing list archive
    Message #34348
  
 [Bug 1468300] [NEW] changing user's email from user list deletes user password
  
Public bug reported:
OS: Ubuntu Server 14.04.2 LTS
OpenStack: Kilo
Openstack-dashboard package: 1:2015.1.0-0ubuntu1~cloud0
While logged in as an admin user in Dashboard (Horizon), if you try to change another user's email address directly on the users list, it will change the email address properly but will set that user's password to NULL.
This behaviour doesn't seem to occur when changing the email address on the "Edit" form.
Before changing email address:
> select * from user where name="demo";
+----------------------------------+------+---------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
| id                               | name | extra         | password                                                                                                                | enabled | domain_id | default_project_id               |
+----------------------------------+------+---------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
| 651261afa8654ed1a6431ed2b7405bd3 | demo | {"email": ""} | $6$rounds=40000$mXk6yBRZo.00pnoU$rRfNvGXVW15gHq8k6p9caT9bDQwIaNgpN29dLE0aR8wSisIN56xvbdbiQRGs/2S6qmIrrKaTUAm3uso8jMIr61 |       1 | default   | 7dd667e26b2e4169bb74cf3306eac352 |
+----------------------------------+------+---------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
After:
> select * from user where name="demo";
+----------------------------------+------+------------------------------------+----------+---------+-----------+----------------------------------+
| id                               | name | extra                              | password | enabled | domain_id | default_project_id               |
+----------------------------------+------+------------------------------------+----------+---------+-----------+----------------------------------+
| 651261afa8654ed1a6431ed2b7405bd3 | demo | {"email": "notrealinbox@xxxxxxxxxxxx"} | NULL     |       1 | default   | 7dd667e26b2e4169bb74cf3306eac352 |
+----------------------------------+------+------------------------------------+----------+---------+-----------+----------------------------------+
Regarding security: no password means the user can't log in through the
dashboard. I also tried logging in using a CLI without a password and it
doesn't seem to work. So, I guess it's not a security vulnerability.
** Affects: horizon
     Importance: Undecided
         Status: New
-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1468300
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1468300/+subscriptions
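
An added example, not part of the original report or of Horizon/Keystone code: a before/after audit of the `user` table that flags the symptom described above, a password column changing during an email-only edit. It runs against an in-memory SQLite stand-in using the column names from the report; the rows, ids, hash and function names are constructed for illustration.

```python
import sqlite3

# Column names as shown in the report's `select * from user` output.
COLUMNS = ("id", "name", "extra", "password", "enabled",
           "domain_id", "default_project_id")

def make_db(rows):
    """Build an in-memory stand-in for the keystone `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "user" (id TEXT PRIMARY KEY, name TEXT, '
                 'extra TEXT, password TEXT, enabled INTEGER, '
                 'domain_id TEXT, default_project_id TEXT)')
    conn.executemany('INSERT INTO "user" VALUES (?,?,?,?,?,?,?)', rows)
    return conn

def snapshot(conn):
    """Return {user_id: {column: value}} for every row."""
    cur = conn.execute('SELECT %s FROM "user"' % ", ".join(COLUMNS))
    return {row[0]: dict(zip(COLUMNS, row)) for row in cur}

def unexpected_changes(before, after, allowed=("extra",)):
    """List (user_id, column) pairs that changed outside the allowed columns."""
    findings = []
    for uid, old in before.items():
        new = after.get(uid, {})
        for col in COLUMNS:
            if col not in allowed and old[col] != new.get(col):
                findings.append((uid, col))
    return findings

def enabled_without_password(conn):
    """Names of enabled accounts whose password column is NULL."""
    cur = conn.execute('SELECT name FROM "user" '
                       'WHERE enabled = 1 AND password IS NULL ORDER BY name')
    return [r[0] for r in cur]

# Constructed sample rows (ids and hash are placeholders, not from the report).
SAMPLE = [
    ("u-demo", "demo", '{"email": ""}', "$6$placeholder-hash", 1, "default", "p-1"),
    ("u-ops", "ops", '{"email": "ops@example.org"}', "$6$placeholder-hash", 1, "default", "p-1"),
]

def run_demo():
    conn = make_db(SAMPLE)
    before = snapshot(conn)
    # Reproduce the reported end state: email updated, password set to NULL.
    conn.execute('UPDATE "user" SET extra = ?, password = NULL WHERE name = ?',
                 ('{"email": "demo@example.org"}', "demo"))
    return unexpected_changes(before, snapshot(conn)), enabled_without_password(conn)
```

Against a real deployment the same two checks would be run on the keystone database before and after an admin action; accounts deliberately created without a password will also appear in the second list.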