PetaByet / cdp

Simple & Open Source Server Backups
https://cdp.me
GNU General Public License v2.0

Editing Users does not work as expected #36

Closed frederickjh closed 4 years ago

frederickjh commented 8 years ago

Hi! Editing users currently does not work as expected. I see the following issues:

  1. 2-Factor Authentication information about being enabled is not being displayed in the table on top. Originally it displayed disabled in the table, but after enabling it, even if I disable it, it still displays enabled. I checked the db-users.json and found that it is disabled (false in the code below). [{"id":"1","username":"admin","password":"da7409e901e899b2d03e08ca2dbf6eea","acl":"1","2fo":"false","2fokey":""}]
  2. 2-Factor Authentication information about being enabled is not being displayed properly when you edit an existing user. On a fresh install this displays disabled. However, after enabling it and then disabling it, it always shows enabled. See the code in point 3 below. There you can see that the false from above has changed to a true, only by clicking edit and then submit.
  3. Blank submissions in both the password and the Google Authenticator Key fields are not handled properly. In both cases it should use the current values, but instead it saves empty values. This will lock you out. See the code from the db-users.json file below. All I did was click the edit button by a user and then the Submit button. [{"id":"1","username":"Backupadmin","password":"d41d8cd98f00b204e9800998ecf8427e","acl":"1","2fo":"true","2fokey":""}]

CDP tries to encrypt a blank password #33 is a related issue.

The way things are now, any change to the user's account by clicking the submit button will mean that a new 2-Factor Authentication key must be generated and then entered into the app that you are using to generate the OTP.

I hope this is all understandable and helpful!

Frederick
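As an added illustration (not code from the cdp project), the edit-user behaviour described in point 3 next to a defensive merge that keeps stored values when a field is left blank and stores the 2fo flag as a real boolean. The sample record is constructed in the db-users.json layout quoted above; the function names and form layout are assumptions.

```python
import hashlib
import json

# Constructed sample in the db-users.json layout quoted in the issue above.
# md5 is kept only to match the 32-hex hashes shown on the page; a real
# deployment should store passwords with bcrypt/argon2, not md5.
DB_USERS_JSON = ('[{"id":"1","username":"admin",'
                 '"password":"da7409e901e899b2d03e08ca2dbf6eea",'
                 '"acl":"1","2fo":"false","2fokey":""}]')
MD5_OF_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"  # md5("") as seen in point 3


def to_bool(value):
    """Normalise the loosely typed 2fo field: a real bool or the strings
    "true"/"false"; a bare truthiness test would treat "false" as enabled."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "on", "yes")


def edit_user_overwrite(user, form):
    """Reconstruction of the failure mode: every field is copied from the form,
    so a blank password becomes md5("") and a blank key wipes the 2FA secret."""
    new = dict(user)
    new["password"] = hashlib.md5(form.get("password", "").encode()).hexdigest()
    new["2fo"] = "true" if form.get("2fo") else "false"
    new["2fokey"] = form.get("2fokey", "")
    return new


def edit_user_merge(user, form):
    """Defensive edit: blank password/2fokey keep the stored values, 2fo is a
    real boolean, and 2FA can only be on when a key is actually stored."""
    new = dict(user)
    pw = form.get("password", "")
    if pw:
        new["password"] = hashlib.md5(pw.encode()).hexdigest()
    if form.get("acl"):
        new["acl"] = form["acl"]
    key = form.get("2fokey", "").strip()
    if key:
        new["2fokey"] = key
    # Absent checkbox keeps the stored setting instead of silently toggling it.
    enabled = to_bool(form["2fo"]) if "2fo" in form else to_bool(user["2fo"])
    new["2fo"] = enabled and new["2fokey"] != ""
    return new


def load_users(raw=DB_USERS_JSON):
    return json.loads(raw)
```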

frederickjh commented 8 years ago

I have not tried this, but I am guessing if you were to go into the edit users to change the ACL and hit the submit button you would end up with a blank encrypted password. 2FA would be on and the 2FA key would be blank after you save. So, basically this means you need to fill out everything on the form the way you want, otherwise your past changes will be overwritten.

Nixtren commented 8 years ago

I submitted a pull request to fix issue #33, so it should fix the blank submission problem on the password field (your point 3). Fixing the 2-Factor field seems easy as well, I will do it once the previous pull request is approved.