  1. OpenMRS Core
  2. TRUNK-3877

Changing login password deletes secret answer

    Details

    • Complexity:
      Low

      Description

      Go to 'My Profile'. Set secret question and answer to non-empty strings and save. Then change password and save. User's secret answer is deleted (you can see this in the database).

      I'm going to assume this is a bug, rather than a security feature because

      • There's no warning to the user
      • It inadvertently re-instates the secret question because it's on the same form

      I think the problem is HibernateUserDAO.updateUserPassword(..) which saves a new LoginCredentials object for the user with nulls for secret question and answer.
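
      The failure mode suspected above, as an added example that is not OpenMRS code and not part of the original report: a simplified in-memory model contrasting a password update that replaces the whole credentials record with one that changes only the password field. The `Creds` class, the `store` map, the method names and the sample values are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
public class PasswordUpdateDemo {
    // Simplified stand-in for a stored credentials record (hypothetical, not OpenMRS's class).
    static final class Creds {
        String hashedPassword;
        String secretQuestion;
        String secretAnswer;
    }

    // In-memory stand-in for the credentials table, keyed by user id.
    static final Map<Integer, Creds> store = new HashMap<>();

    // Pattern the report suspects: a fresh record with only the password set replaces the old one.
    static void updatePasswordReplacing(int userId, String newHash) {
        Creds fresh = new Creds();
        fresh.hashedPassword = newHash;
        store.put(userId, fresh);
    }

    // One way to avoid the loss: load the existing record and change one field.
    static void updatePasswordInPlace(int userId, String newHash) {
        Creds existing = store.computeIfAbsent(userId, id -> new Creds());
        existing.hashedPassword = newHash;
    }

    // Constructed sample data: a user who has already set a question and answer.
    static void seed(int userId) {
        Creds c = new Creds();
        c.hashedPassword = "hash-old";
        c.secretQuestion = "First school?";
        c.secretAnswer = "constructed-answer";
        store.put(userId, c);
    }

    public static void main(String[] args) {
        seed(1);
        updatePasswordReplacing(1, "hash-new");
        System.out.println("replacing: secretAnswer = " + store.get(1).secretAnswer);
        seed(2);
        updatePasswordInPlace(2, "hash-new");
        Creds kept = store.get(2);
        // Regression check: a password change must leave recovery data untouched.
        if (!"constructed-answer".equals(kept.secretAnswer) || kept.secretQuestion == null) {
            throw new AssertionError("password change altered the secret question/answer");
        }
        System.out.println("in place:  secretAnswer = " + kept.secretAnswer);
    }
}
```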

              People

              Assignee:
              rpuzdrowski Radosław Puzdrowski
              Reporter:
              rowanseymour Rowan Seymour
              Votes:
              2
              Watchers:
              8

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 2 hours
                  Remaining:
                  Remaining Estimate - 0 minutes
                  Logged:
                  Time Spent - 2 days