decko-commons / decko

Start with a deck of wiki cards. Develop it into a rich web app.
https://www.decko.org
GNU General Public License v3.0

[security] Manual user creation with password does not work as expected #178

Open tukanos opened 6 years ago

tukanos commented 6 years ago

Hi Ethan,

I have just tried to create a user manually (no mailouts yet) and set a password for him from within the Decko system, but to no avail.

I was unable to login as the user. Is there a trick to do so?

ethn commented 6 years ago

Can you confirm that:

  1. The user has a user card (type is "User")
  2. that user card has a +*account card
  3. that +account card has reasonable looking content for the +email, +password, and +status fields? (password will just show the word "encrypted")

tukanos commented 6 years ago

I tried that with the following screen cast.

ad 1) yes, the user card is type "User"
ad 2) the user card has a +*account card
ad 3) looks reasonable, and the status field I changed from pending to active manually

unable_to_change_password_v2.zip

You can see it also on the attached video:

Decko changing password

I have even encountered an error during a search. When the search string is `tukan+*account+*status`, the regexp engine returns an error (displayed in the screencast).

The error:

Error message (visible to admin only)

```
PG::InvalidRegularExpression: ERROR: invalid regular expression: quantifier operand invalid : / search / SELECT DISTINCT c1.*, c1.updated_at FROM cards c1 WHERE ((replace(c1.name,'+',' ') ~ '[[:<:]]tukan[[:>:]]' OR c1.db_content ~ '[[:<:]]tukan[[:>:]]') AND (replace(c1.name,'+',' ') ~ '[[:<:]]*account[[:>:]]' OR c1.db_content ~ '[[:<:]]*account[[:>:]]') AND (replace(c1.name,'+',' ') ~ '[[:<:]]*status[[:>:]]' OR c1.db_content ~ '[[:<:]]*status[[:>:]]')) AND c1.trash is false ORDER BY c1.updated_at desc LIMIT 20 OFFSET 0
```
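As an added illustration of the search failure reported above (example code, not Decko's own): the error arises when a term such as `*account` is interpolated unescaped into a PostgreSQL regular expression, so `[[:<:]]*account[[:>:]]` begins with a quantifier that has no operand. A defensive term builder escapes regex metacharacters before interpolation; `pg_regex_escape`, `pg_word_regex`, `search_term_patterns` and `ruby_equivalent_compiles?` are hypothetical names.

```ruby
# Builds PostgreSQL word-boundary regexes for a Decko-style search string.
# Hypothetical example, not Decko's own code.

# Metacharacters of PostgreSQL's ARE (advanced regular expression) syntax.
# A backslash in front of any of them makes the character literal.
PG_REGEX_META = /[\\\^\$\.\|\?\*\+\(\)\[\]\{\}]/

# Escape a user-supplied term so it matches literally inside an ARE.
def pg_regex_escape(term)
  term.gsub(PG_REGEX_META) { |c| "\\#{c}" }
end

# Wrap a term in POSIX word-boundary anchors, as the failing query does,
# but with the term escaped so "*account" becomes "\*account".
def pg_word_regex(term)
  "[[:<:]]#{pg_regex_escape(term)}[[:>:]]"
end

# Split a search string on "+" (the separator in "tukan+*account+*status")
# and return one escaped word regex per non-empty term.
def search_term_patterns(query)
  query.split("+").map(&:strip).reject(&:empty?).map { |t| pg_word_regex(t) }
end

# Ruby's engine has no [[:<:]], but the same rule applies: a quantifier with
# no operand does not compile. Used here to check escaping locally, offline.
def ruby_equivalent_compiles?(term, escape: true)
  body = escape ? Regexp.escape(term) : term
  Regexp.new("\\b#{body}\\b")
  true
rescue RegexpError
  false
end

if __FILE__ == $0
  search_term_patterns("tukan+*account+*status").each { |p| puts p }
  puts "raw *account compiles: #{ruby_equivalent_compiles?('*account', escape: false)}"
  puts "escaped *account compiles: #{ruby_equivalent_compiles?('*account')}"
end
```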