Announcement

Collapse
No announcement yet.

Security Module Users Update Bug

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Security Module Users Update Bug

    Hi,

    Using SC8, after the security module is created with the MD5 option for passwords, when you update any info of a user from the security module, the password is saved in plain text, no more MD5 algorithm is used. You can see the clear password from the database table "users".

    caga

  • #2
    SC should look into it, but meanwhile it's pretty easy to add the MD5({password}) into the onvalidate event.
    Albert Drent
    aducom software netherlands
    scriptcase partner, reseller, support and (turn-key) development
    www.scriptcase.eu / www.scriptcase.nl

    Comment


    • #3
      Thank you aducom.

      I dont know if there is a variable for the password but in the update form there is no password field. If this is the case maybe in the onvalidate event we can read and write again with MD5.

      Comment


      • #4
        No, you can set the password only once, then it's up to the end-user to change his password. But again, it's pretty easy to modify the generated applications to your specs. Just edit the form and add the necessary fields.
        Albert Drent
        aducom software netherlands
        scriptcase partner, reseller, support and (turn-key) development
        www.scriptcase.eu / www.scriptcase.nl

        Comment


        • #5
          Hello,

          Issue reported to our bugs team.

          regards,
          Bernhard Bernsmann

          Comment


          • #6
            Originally posted by cagabit View Post
            Hi,

            Using SC8, after the security module is created with the MD5 option for passwords, when you update any info of a user from the security module, the password is saved in plain text, no more MD5 algorithm is used. You can see the clear password from the database table "users".

            caga
            At first, you should hide the password fields in update mode (client form). Soon after, check what our friend, aducom he said.

            If the problem still persists, please tell me step by step to your current problem.

            Thank you so much.
            Best regards,
            Thomas Soares.
            ScriptCase International.

            Email: t.soares@scriptcase.net
            Visit our Blog: http://www.scriptcase.net/blog/
            Visit out fan page: http://www.facebook.com/Scriptcase

            Comment


            • #7
              The Problem is Real,
              here is a step by step instruction.

              Reproduction
              1 Step
              Generating Security with MD5 settings via Module on SC Main Menu->Options (Remember User and Password)

              2 Step
              Run sec_Login and login
              Go in the Sec Menu select "Users" the grid sec_grid_sec_users was shown

              3 Step
              In this grid select "Edit", the form sec_form_edit_users was opening, but i can't see the login and pwd fields, ok no problem!

              4 Step
              Save it without any changes.

              5 Step
              Run sec_Login and you can see, that you can't login, becouse the password was wrong.

              then look in the table, the Password was in cleartext. By the next Login of this User, the password was wrong. Logical.

              If you want to add a new group for example, by the next login, "Access denied"!

              And the "workaround" written by Adocum, dosn't work also, sorry. Or i misunderstand his way.

              He write "it's pretty easy to add the MD5({password}) into the onvalidate event."

              I have done this. i have inserted MD5({password}) on onValidate in the "sec_form_edit_users"?!?

              the result
              Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in D:\Programme\NetMake\v8\wwwroot\scriptcase\app\Blu eOrganizer\sec_form_edit_users\sec_form_edit_users _apl.php on line 1370

              You understanding what i mean?

              i knowing, i don't now, near to 50 basic bugs from SC. Elementary things. If you construct a new car, is better you drive first, so you can see if the basic requrements are up and running. For example, if you have 4 wheels, lights, signal and all ohter basic things.

              An other little bug, in this security story, if you change the theme, the edit forms for user or Controls dosn't change the theme, very ugly.
              Now i have a workaround, but when leaf my App running 2 hours whitout logout, my app lose the involved global variable. Automatic logout?

              I hope the problem with MD5 was fixed in the next days, i have my rollout at the end of january

              Comment

              Working...
              X