geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

Reset password doesn't work for legacy users (2.x versions) that require to #2443

Open josegar74 opened 6 years ago

josegar74 commented 6 years ago

Legacy users have the value update_hash_required in the security field in the database, as in previous versions of GeoNetwork the encoder algorithm was different. So they have to reset the password.

When resetting the password from the Admin UI, it works, updating the password and removing the previous value:

https://github.com/geonetwork/core-geonetwork/blob/3.4.x/core/src/main/java/org/fao/geonet/util/PasswordUtil.java#L220

user.getSecurity().getSecurityNotifications().remove(UserSecurityNotification.UPDATE_HASH_REQUIRED);

But not from the Forgot password, which uses PasswordApi and doesn't remove that attribute, so the user can't log in:

https://github.com/geonetwork/core-geonetwork/blob/3.4.x/services/src/main/java/org/fao/geonet/api/users/PasswordApi.java#L136

user.getSecurity().setPassword(PasswordUtil.encode(context, passwordAndChangeKey.getPassword()));
userRepository.save(user);
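
The divergence between the two reset paths described in the comment above, as an added example that is not part of the issue thread and is not GeoNetwork's code. `ResetPathDemo`, `User`, `Notification`, `encode` and `canLogin` are hypothetical stand-ins, and the login rule is an assumption taken from the report that a user who keeps the flag cannot log in.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified stand-in model with hypothetical names; not GeoNetwork's classes.
public class ResetPathDemo {
    enum Notification { UPDATE_HASH_REQUIRED }

    static class User {
        String passwordHash;
        final Set<Notification> notifications = EnumSet.noneOf(Notification.class);
    }

    // Placeholder for the real encoder (not a password hash); it only marks a value as re-encoded.
    static String encode(String password) { return "new-scheme:" + password.hashCode(); }

    // Assumption from the issue: a user still flagged UPDATE_HASH_REQUIRED cannot log in.
    static boolean canLogin(User u, String password) {
        return !u.notifications.contains(Notification.UPDATE_HASH_REQUIRED)
                && encode(password).equals(u.passwordHash);
    }

    // Admin UI path as reported: store the new hash and clear the flag.
    static void adminReset(User u, String newPassword) {
        u.passwordHash = encode(newPassword);
        u.notifications.remove(Notification.UPDATE_HASH_REQUIRED);
    }

    // Forgot-password path as reported: store the new hash, flag left in place.
    static void forgotPasswordReset(User u, String newPassword) {
        u.passwordHash = encode(newPassword);
    }

    // One possible correction: both entry points share the same state change.
    static void forgotPasswordResetFixed(User u, String newPassword) {
        adminReset(u, newPassword);
    }

    // Constructed legacy account: old-format hash plus the pending-update flag.
    static User legacyUser() {
        User u = new User();
        u.passwordHash = "old-scheme:constructed";
        u.notifications.add(Notification.UPDATE_HASH_REQUIRED);
        return u;
    }

    public static void main(String[] args) {
        User a = legacyUser(); adminReset(a, "s3cret");
        User b = legacyUser(); forgotPasswordReset(b, "s3cret");
        User c = legacyUser(); forgotPasswordResetFixed(c, "s3cret");
        System.out.println("admin reset:           login=" + canLogin(a, "s3cret"));
        System.out.println("forgot password:       login=" + canLogin(b, "s3cret"));
        System.out.println("forgot password fixed: login=" + canLogin(c, "s3cret"));
    }
}
```

A regression test for the real code base would follow the same shape: start from a user carrying the flag, run each reset entry point, and assert that the flag is gone afterwards.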

Delawen commented 6 years ago

Moving forward as it is not a blocking issue.

jodygarnett commented 8 months ago

This ticket was not handled during GN3 development. Should probably be considered stale.