Uploaded image for project: 'OpenMRS Core'
  1. OpenMRS Core
  2. TRUNK-3877

Changing login password deletes secret answer

    XMLWordPrintable

Details

    Description

      Go to 'My Profile'. Set secret question and answer to non-empty strings and save. Then change password and save. User's secret answer is deleted (you can see this in the database).

      I'm going to assume this is a bug, rather than a security feature because

      • There's no warning to the user
      • It inadvertently re-instates the secret question because its on the same form

      I think the problem is HibernateUserDAO.updateUserPassword(..) which saves a new LoginCredentials object for the user with nulls for secret question and answer.

      Gliffy Diagrams

        Attachments

          Issue Links

            Activity

              People

                rpuzdrowski Radosław Puzdrowski
                rowanseymour Rowan Seymour
                Votes:
                2 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Time Tracking

                    Estimated:
                    Original Estimate - 2 hours Original Estimate - 2 hours
                    2h
                    Remaining:
                    Remaining Estimate - 0 minutes
                    0m
                    Logged:
                    Time Spent - 2 days
                    2d