Open jsjhb opened 5 years ago
Hi @jsjhb, did the `user.save` return true? If not, could you please paste here the results of `user.errors`?
user.save gave a true, and errors, please have a look (username, email, and hashes modified):
```
buildhost:/srv/www/obs/api # RAILS_ENV="production" /usr/bin/rails.ruby2.5-5.1.4 console
DEPRECATED: Please update your options.yml by running 'rake migrate_options_yml'
Loading production environment (Rails 5.2.3)
irb(main):001:0> user = User.where(:login => 'olddude').first
=> #<User id: 7, created_at: "2017-06-22 19:51:45", updated_at: "2018-04-04 12:49:13", last_logged_in_at: nil, login_failure_count: 0, login: "olddude", email: "dude@elduder.io", realname: "", password_digest: nil, deprecated_password: "eed3c8afc6e203f8bb296c39518ff1d9", deprecated_password_hash_type: "md5", deprecated_password_salt: "ghD2wykZAD", adminnote: nil, state: "deleted", owner_id: nil, ignore_auth_services: false, in_beta: false>
irb(main):002:0> user.password = "B1gBu115iht"
=> "B1gBu115iht"
irb(main):003:0> user.save
=> true
irb(main):005:0> user.errors
=> #<ActiveModel::Errors:0x0000560ab719e340 @base=#<User id: 7, created_at: "2017-06-22 19:51:45", updated_at: "2019-07-25 17:00:09", last_logged_in_at: nil, login_failure_count: 0, login: "olddude", email: "dude@elduder.io", realname: "", password_digest: "$2a$12$z/Roa8r.NS165K8vdnsGmOjvHLdmfhg2eMNvce.G2jB...", deprecated_password: "eed3c8afc6e203f8bb296c39518ff1d9", deprecated_password_hash_type: "md5", deprecated_password_salt: "ghD2wykZAD", adminnote: nil, state: "deleted", owner_id: nil, ignore_auth_services: false, in_beta: false>, @messages={}, @details={}>
irb(main):006:0> exit
**Airbrake: closed
buildhost:/srv/www/obs/api #
```
You also need to give the `user.password_confirmation` now as we started to use `has_secure_password`, see the docu.
I did that initially, with the same result.
Also, can you please give a link to the docu?
The password_confirmation is not the problem. I can confirm the issue - I actually have it every time I load a production dump into my development env.
You can set passwords all day long, as long as you aren't wiping also the deprecated_password field, this one will be used.
Issue Description
After resetting a password for a user in a local installation of obs using the ruby console using
the user is still not able to log in. Looking in the database, a distinguishing feature of the account is now that both password_digest and the triple (deprecated_password, deprecated_password_hash_type, deprecated_password_salt) are set for the user. As the deprecated password is still set, login with the newly set password fails. Setting deprecated_password* to "NULL" lets the user log in with the new password.
It seems to me that a successful login with deprecated_password migrates the entries to use password_digest and sets the deprecated_password fields to NULL.
Documentation about administrative password change is lacking, where such behavior could have been noted down.
Expected Result
Resetting password with the crude ruby console should work, i.e. a present password_digest should have precedence over the deprecated password.
Ideally there would be a password change function in the "Configuration" - "Manage Users" page, without the need for the ruby console or direct manipulation of the database, like proposed in #699.
How to Reproduce
Further Information
Seen on: https://pmbs.links2linux.de 2.10-lp151.10.1 on openSUSE Leap 15.1
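
The precedence problem described in this issue, as a small stand-alone Ruby model added here for illustration (it is not OBS code). The `Account` struct, all method names, the legacy scheme of MD5 over password plus salt, and PBKDF2 as a stdlib stand-in for bcrypt are assumptions; the sample account is constructed.

```ruby
# Added illustration, not OBS code. Assumptions: legacy hash = MD5(password + salt),
# PBKDF2 stands in for bcrypt so the model runs on the standard library only.
require 'digest'
require 'openssl'
require 'securerandom'

LEGACY_FIELDS = %i[deprecated_password deprecated_password_hash_type deprecated_password_salt].freeze
Account = Struct.new(:login, :password_digest, *LEGACY_FIELDS)

def modern_digest(password, salt = SecureRandom.hex(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32, hash: 'sha256')
  "#{salt}$#{dk.unpack1('H*')}"
end

def modern_match?(password, digest)
  OpenSSL.secure_compare(modern_digest(password, digest.split('$').first), digest)
end

def legacy_match?(acct, password)
  Digest::MD5.hexdigest(password + acct.deprecated_password_salt) == acct.deprecated_password
end

# Behaviour reported in the issue: a populated legacy hash is checked first.
def authenticate_legacy_first(acct, password)
  return legacy_match?(acct, password) if acct.deprecated_password
  !acct.password_digest.nil? && modern_match?(password, acct.password_digest)
end

# Expected behaviour from the issue: a present password_digest takes precedence.
def authenticate_digest_first(acct, password)
  return modern_match?(password, acct.password_digest) if acct.password_digest
  !acct.deprecated_password.nil? && legacy_match?(acct, password)
end

# Reset that also clears the legacy triple, leaving a single credential.
def reset_password!(acct, new_password)
  acct.password_digest = modern_digest(new_password)
  LEGACY_FIELDS.each { |field| acct[field] = nil }
end

# Audit helper: logins that still carry both credential formats.
def dual_credential_logins(accounts)
  accounts.select { |a| a.password_digest && a.deprecated_password }.map(&:login)
end

# Constructed sample: legacy account after a reset that only set the new digest.
def half_reset_account
  Account.new('olddude', modern_digest('new-secret'), Digest::MD5.hexdigest('old-secret' + 'NaCl'), 'md5', 'NaCl')
end
```

In this model the half-reset account rejects the new password and still accepts the old one under the legacy-first check, which is why accounts reported by `dual_credential_logins` are worth reviewing after any administrative reset.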