Update 2.1.15 => 2.1.23

[djatwork]

Hi We updated our install and now the users can´t use there private folder any more. There is no place to enter the personal salt key!? After klicking "home" after the "You should enter your personal saltkey if you need to use your personal items." We are logged out and forwarded to the login screen! is there any trick to enter the key?

I tried also the "use your password as saltkey" after that the folder is accessable but the users can´t add item. ==> You are not allowed to do that....

Version 2.1.23 AD Auth Timezone: Europe/Vienna

thx

[nilsteampassnet]

In 2.1.23, the home page has been removed.

The "saltkey" can be entered from the top menu right icon (on the left of the language flag). This will give you access to a sub-menu. Select the Saltkey one.

2015-02-03 10:39 GMT+01:00 djatwork notifications@github.com:

Hi We updated our install and now the users can´t use there private folder any more. There is no place to enter the personal salt key!? After klicking "home" after the "You should enter your personal saltkey if you need to use your personal items." We are logged out and forwarded to the login screen! is there any trick to enter the key?

I tried also the "use your password as saltkey" after that the folder is accessable but the users can´t add item. ==> You are not allowed to do that....

Version 2.1.23 AD Auth Timezone: Europe/Vienna

thx

— Reply to this email directly or view it on GitHub https://github.com/nilsteampassnet/TeamPass/issues/875.

[djatwork]

Is there a icon missing? There´s space.....

i don´t have the menu item. Is it normal that i´m logged out after a language change?

thx

[ynnsn]

I have the same behaviour. There is no other icon left of the language flag.

[nilsteampassnet]

No there is no icon missing in the screenshots I can see.

2015-02-04 15:21 GMT+01:00 ynnsn notifications@github.com:

I have the same behaviour. There is not other icon left of the language flag.

— Reply to this email directly or view it on GitHub https://github.com/nilsteampassnet/TeamPass/issues/875#issuecomment-72861427 .

[djatwork]

ok, but where i should enter the key?

[ynnsn]

And where? I tried to change the language, but I can't find the salt key sub menu.

[nilsteampassnet]

​It seems that personal folder feature is not enabled. Can you check this from the administration settings page?​

[ynnsn]

The personal folder feature is enabled.

[djatwork]

checked again, pf is enabled

[jensdepuydt]

We're having the same issues. Personal folder is enabled. With the option enabled to use the password, users can't create new items (You are not allowed to do that!). With the option disabled, there is no possibility to enther the salt-key.

When changing line 225 in index.php from:

(isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1) || $_SESSION['user_admin'] == 1 ? '' :
                                isset($_SESSION['settings']['enable_pf_feature']) && $_SESSION['settings']['enable_pf_feature'] == 1 ? '

to

(isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1) &&    isset($_SESSION['settings']['enable_pf_feature']) && $_SESSION['settings']['enable_pf_feature'] == 1 ? '

I do manage to get the menu but it's still not working since I get the message: You should enter your personal saltkey if you need to use your personal items. Even after setting the salt-key. And creating an item gives me: You are not allowed to do that!

When using the password as salt, what happens when a user changes it's password? Because since the upgrade, I've got some users that can't access their personal folder items anymore. All changed their password.

[Ni0b1ite]

Had the same problem, I did also the changes above in index.php and now I have no problems setting the salt-key but got also the message "You are not allowed to do that!" when i tried to add a new personal item or edit an existing one.

Following changes fixed that for me:

sources\main.functions.php line 489 from:

489:  if (!in_array($folderId, $listReadOnlyFolders) || (isset($pf) && $folderId != $pf['id'])) {

to

489:   if (!in_array($folderId, $listReadOnlyFolders)) {
490:         if (isset($pf) && $folderId != $pf['id']){
..
502:   }

Additionally it is necessary to authorize to have several items with the same name in admin settings. Otherwise the save button will be disabled after you insert a label (regardless it is duplicated or not).

[Ni0b1ite]

After all that changes is one problem left. Personal Items are listed in personal folder although they are deleted. (editing is not possible anymore). In sources\items.queries.php after line

1825:   $items_to_display_once = "max";

I added

1826: $where->add('i.inactif=%i', 0);

[if-kenn]

I am having a problem after upgrading as well. While I can set the SaltKey, I still get the "You should enter your personal saltkey if you need to use your personal items." after doing so.

[Ni0b1ite]

I had the same issue with 2.1.22 only for one user, but suddenly it was gone with 2.1.23.

Try to turn off the function "store salt in cookie" (or something like that) in admin panel. I am not sure but it could be that this solved my problem, especially if you say that it is still present in 2.1.23.

[toptnc]

If I understand, looking at index.php, line 225

(isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1) || $_SESSION['user_admin'] == 1 ? '' : isset($_SESSION['settings']['enable_pf_feature']) && $_SESSION['settings']['enable_pf_feature'] == 1 ? '

If ldap_mode is enabled, PF is disabled. Am I wright?

[fgn-git-hub]

I tried the index change as well but it did not show the saltkey menu option after that. I use LDAP enabled as well as PF enabled. no changes at all.

[fgn-git-hub]

Am I missing something? I checked everything once again and I even copied the files from 2.1.23 Fix for #881 - #900 - #890 - #910 Which did not solve anything. Is there an already checked in file which solves this issue?

[dopegaar]

Hi, fgn-git-hub! Do you have solve it? Do you have any workaround for this issue? TIA

[fgn-git-hub]

Nothing so far, no one answered and I didn't find any solution till now. Any help would be great.

[dopegaar]

Sorry, i cannot help you! I have the same issue...

[fgn-git-hub]

I've checked it out now, it's definitly a problem connected to the ldap integration. Without ldap the Salt Password button shows up without any problem, and works like a charm. Someone in here who does know what could fix that problem? I'm not sure if I understand that LDAP code part so I am out of ideas for the time being.

[Ackak]

If you remplace the code (line 227 file index.php), the menu appears : (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1) || $_SESSION['user_admin'] == 1 ? '' : with (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1) || $_SESSION['user_admin'] == 1 ? ' ' :

The only change, i have add a space between the two apostrohpe at the end of the line.

[fgn-git-hub]

Wow, great thank you, that's the solution.

[dopegaar]

With this change I agree with jensdepuydt (comment on 10 feb). The button is visible but not the behaviour. It's only for me? TIA

[fgn-git-hub]

It's strange, I could fill that space with new entries but after logging out an renewed login I can't access them anymore. "You don't have permisssion ...."

[mobilefactor]

Anybody figured out how to get this to work in 2.1.22? Thanks.

[alikkon]

Looking at the code, toptnc is correct. Currently, if you are using ldap_mode or are an administrator, the application seems to assume that you don't want to be able to set a salt key and just doesn't display that bit of text. Honestly, I'm not entirely sure how the code is working with Ackak's recommended change.

(isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1)		$_SESSION['user_admin'] == 1 ? ''

This says: Check to see if ldap_mode is set, and if so, if it's enabled. And/Or Check to see if the user is an administrator. If either of the above is true then print nothing Otherwise continue to the next bit.

The addition of a space here shouldn't actually do anything, unless I'm misreading the statement or it's not doing what it's supposed to be doing. The check that should probably be happening here, instead of ldap_mode, is whether "Use the login password as SALTkey" is checked, rather than ldap_mode, regardless.

My personal recommendation is to remove the ldap_mode check entirely

index.php line 227 (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1) || $_SESSION['user_admin'] == 1 ? '' : replace with: $_SESSION['user_admin'] == 1 ? '' :

Comment out the link to the home page - it's no longer useful. While I didn't remove it entirely, it won't display anymore. items.php line 557 <u><a href="index.php">'.$LANG['home'].'</a></u> replace with: <!--<u><a href="index.php">'.$LANG['home'].'</a></u>-->

Apply the fix so deleted items don't show in the personal folders. sources/items.queries.php line 1826 Add: $where->add('i.inactif=%i', 0);

Flip a permissions check regarding read only access, which prevents personal folder users from adding items. I assume the bang here was negating the entire if, rather than just the first part. Flipping which one is first fixes the issue. sources/main.functions.php line 489 if (!in_array($folderId, $listReadOnlyFolders) || (isset($pf) && $folderId != $pf['id'])) { replace with: if ((isset($pf) && $folderId != $pf['id']) || !in_array($folderId, $listReadOnlyFolders)) {

I also changed the string that's used by Teampass to make it a little clearer (IMHO) that you're not setting a new password, but entering the currently used one. includes/language/[language].php 'home_personal_saltkey_button' => 'Enter Saltkey',

I'll try and figure out how to actually contribute properly on Github so I can submit this to the codebase proper. I can't tell how active the project really is right now, so I'll have to nail down whether anyone's paying attention as well.

[jyemeier]

I have a ro issue with personal folders on a fresh 2.1.23. I did some hammering on it this morning. I did alikkon's changes and still had issues.

If I am reading this right, main.functions.php lines 489:501 is checking if the folder in question is a personal folder or not in the list of read only folders, and then checking the database to see if it has a write parameter set. But the array $listReadOnlyFolders is empty at the beginning of that foreach block, and so that if statement always evaluates to true for every iteration of the foreach block because of the or. Since we are adding folders to the $listReadOnlyFolders array if they don't have a w in the DB::query statement, it seems redundant to check $listReadOnlyFolders as part of the if, and logically an error.

So, I suggest, in main.functions.php line 489 to replace if (!in_array($folderId, $listReadOnlyFolders) || (isset($pf) && $folderId != $pf['id'])) { with if ((isset($pf) && $folderId != $pf['id'])) {

That would say, then, that if it's not a personal folder, check the DB to see if it's got write permissions. If it doesn't, then add it to the $listReadOnlyFolders array.

I tested this on my fresh install of 2.1.23, and I watched my personal folders change from RO to W and I was able to add an entry. I also did the rest of alikkon's changes.

[fgn-git-hub]

Thank you for that hint about the $listReadOnlyFolders, but it worked only for the entries I already had in that personal folder. After I added a new folder, I got a readonly access for the new folder once again. Any idea how to get that folder rw again?

[nilsteampassnet]

Coming back to this issue. Indeed the ldap condition is wrong to enable saltkey dialogbox.

See #1024 for new folder in PF

[ItecorSupport]

After applied alikkon's changes and last jyemeier's modification and change Teampass config to allow item, folders etc.. to have same name. The personal folder worked! I can create items without problems. I work like this during 10 days. but if I delete in my Internet browser cookies. I can't access my personal folder that's a normal situation because there no cookie with my salt key. So I need to enter it but after that I can't access it. Teampass tell me "You should enter you personal saltkey ...". Same way if I disable cookies option in Teampass.

[pojanisu]

I'm in the same place with ItecorSupport. I've done the changes mentioned on this issue and personal items work, I can edit and add them.

But from other browser (without the cookie) I can only see that I have personal items. Setting the salt key does not work. I can't really make out what it does when clicking Save. It reloads, but I can't see the Done text. Maybe the issue is related to storing the salt key?

[fpaquet]

Entering saltkey in current Git master (2.1.23.4) still has problems.

We have checked out several browsers:

• Chromium 42.0.2311.152, Chrome 46.0.2490.80 Opera 12 and Opera 32.0.1948.69, Arora 0.11.0, Firefox 38.3.0
• in Arora it worked 1 time, stored to cookie when setting the key again, the previous key is displayed as **
• in all other Browsers, i wasn't able to store the salt key, when setting the key again, the no previous key is visible
• in Arora, a Cookie named 'TeamPass_PFSK...' is still there
• in all other Browsers, there is NO cookie named 'TeamPass...'

Clearing web data (including cookies) doesn't help. The Text 'Done!' is displayed, but the key isn't stored (wherever it shoud be).

Settings:

• PF enabled
• Use the login password as SALTkey - OFF (changing the pw will kill all items)
• Enable personal SALTKey to be stored in a cookie - doesn't matter ON or OFF
• Personal SALTKey cookie DAYS life time before expiration - 31 or 0 (doesnt matter)

This bug is a killer, because it prevents us from migrating to TeamPass!

[nilsteampassnet]

​I've performed tests on Firefox (41) and Chrome (44) on next 2.1.24​. I've tried with PSK not stored in COOKIE (it is a SESSION used), and stored in a COOKIE, and I could not reproduce this isue you have.

​Can you have a try to use the package from branch "development"?

[fpaquet]

Hello Nils

Wie pulled the master branch from GitHub git clone https://github.com/nilsteampassnet/TeamPass.git git checkout master

Cookie storage doesn't depend on any Browser-Plugins ?

[fpaquet]

Checkt out development branch - git checkout development

• Browser: Chromium Version 42.0.2311.152 custom (64-bit)
• Cleared all Broswer-Cookies
• Reconfigured TeamPass to store PF Keypass in Cookies

After setting the Passkey, the following data is stored in the Browser: Cookies

• KEY_PHPSESSID
• PHPSESSID
• jstree_select Content 7

Local Storage

• https://cms.opag.ch

Session Storage

• https://cms.opag.ch

The keypass doesn't set any cookies.

[fpaquet]

I've recorded all HTTP Headers while setting the passkey.

There are 75 https requests, all of them sending this:

KEY_PHPSESSID=4Qtc%2BZfWrBgjrFaNX3ZJRWVJONp5HH8Q0qlkC50sPlU%3D%3AU1oVk8tQ%2FHyMfQtW3l94GjP0ZCGFQ5IXCv8lKEpop%2FM%3D; PHPSESSID=bm21gstv8sg78cverejtm9pf06; jstree_select=7

Only Request No 73 sets the following cookie:

Set-Cookie jstree_select=7; expires=Thu, 26-Nov-2015 15:01:00 GMT; Max-Age=2678400; path=/

Thus, the Keypass Cookie is never sent by the server.

[nilsteampassnet]

​As I can't reproduce, it is really hard to work on this issue.

Can you provide me an access to your teampass instance (contact by email)?​

[fpaquet]

Sent you login credentials to nils@teampass.net Pse let me know if we can do anything further...

[fpaquet]

If you could point me to the php code that generates the keypass cookie, we could do further investigations and generate a trace of what happens.

[nilsteampassnet]

​The cookie for PSK is set in sources/main.queries.php file in case "store_personal_saltkey".

I'm wondering if your cookie duration​ is defined to value 0. Indeed in this case, the code is not protected and the cookie is created but deleted just after because its duration is expired.

You can try to replace

setcookie(
                "TeamPass_PFSK_".md5($_SESSION['user_id']),
                encrypt($_SESSION['my_sk'], ""),
                time() + 60 * 60 * 24 *
$_SESSION['settings']['personal_saltkey_cookie_duration'],
                '/'
            );

​by ​```setcookie( "TeamPassPFSK".md5($_SESSION['user_id']), encrypt($_SESSION['my_sk'], ""),

(!isset($_SESSION['settings']['personal_saltkey_cookie_duration']) || $_SESSION['settings']['personal_saltkey_cookie_duration'] == 0) ? time() + 60 * 60 * 24 : time() + 60 * 60 * 24 * $_SESSION['settings']['personal_saltkey_cookie_duration'], '/' );

[fpaquet]

Ups, this produces errors in the log: [Tue Oct 27 18:37:34 2015] [error] [client 157.161.148.229] PHP Parse error: syntax error, unexpected ':' in /var/www/html/TeamPass/sources/main.queries.php on line 535, referer: https://cms.opag.ch/TeamPass/index.php?page=items

[fpaquet]

Here's a hint:

Changing the code in main.queries.php line 535ff to:

case "store_personal_saltkey":                                                                                              

error_log("1");
$dataReceived = prepareExchangedData(str_replace("'", '"', $_POST['data']), "decode");
error_log("2");
if ($dataReceived['psk'] != "") {
error_log("3");
$_SESSION['my_sk'] = str_replace(" ", "+", urldecode($dataReceived['psk']));
error_log("4");
$x = setcookie(
"TeamPassPFSK".md5($_SESSION['user_id']),
encrypt($_SESSION['my_sk'], ""),
time() + 60 * 60 * 24 * $_SESSION['settings']['personal_saltkey_cookie_duration'],
'/'
);
error_log("setkookie = $x");
}
break;

---- this results in the error log

[Tue Oct 27 18:46:36 2015] [error] [client 157.161.148.229] 1, referer: https://cms.opag.ch/TeamPass/index.php?page=items [Tue Oct 27 18:47:07 2015] [error] [client 157.161.148.229] 1, referer: https://cms.opag.ch/TeamPass/index.php?page=items [Tue Oct 27 18:47:07 2015] [error] [client 157.161.148.229] 2, referer: https://cms.opag.ch/TeamPass/index.php?page=items

[fpaquet]

The folloging condition is not met: if ($dataReceived['psk'] != "") {

[nilsteampassnet]

​Can you tell me if you have any quote in your PSK?

[nilsteampassnet]

​Can you please try to change

        $dataReceived = prepareExchangedData(str_replace("'", '"',
$*POST['data']),
"decode");*
```​

​```
        $dataReceived = prepareExchangedData($_POST['data'], "decode");
        $dataReceived['psk'] = str_replace("'", '"', $dataReceived['psk']);
```​

[fpaquet]

No, there is no quote in the PSK i entered, just a simple dictionary word, just small letters.

if $dataReceived['psk'] contains the previous PSK, isn't the condition simply wrong? In order to set a fresh psk, we do not need to have an old psk ?

[nilsteampassnet]

​You should not change the PSK. The PSK is used to encrypt the personal passwords. If you don't use the same PSK for encoding and decoding, then the result is empty.

If a user wants to change the PSK, it is required to use "Change it" feature from the PSK sub-menu.​

[fpaquet]

Yes, this is clear, but you have 3 Situations there:

1. Store the personal saltkey Line 538 if ($dataReceived['psk'] != "") --> if it is not empty
2. change salt Line 590 if ($_POST['key'] != $_SESSION['key']) break on Line 553
3. Reset the personal saltkey Line 629 if (!empty($_SESSION['user_id']) && !empty($_POST['sk'])) --> if not empty

---

i'm not quite sure what's stored in $dataReceived ? What is the difference between $dataReceived['psk'] and $_SESSION['my_sk'] ? Line 530/539

[fpaquet]

What PHP version do you use ? We use php 5.5.29.