-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Locked user can login by resetting his password #1413
Comments
is that not a feature? i would assume an account to become locked when you enter your password incorrectly too many times - if you want to deactivate an account, you would use |
oh, i see. we really need a more semantical definition of the locked and |
This may be pretty serious security breach I guess ... My point of view on flags:When user is author somewhere, he can't be removed because of data integrity lose. There is need to keep him in database, but still be able to act with him like he is deleted. Right now fos user has Enabled = trueUser is verified, that means user is email owner for sure. This can be verified by resseting password or clicking on confirmation email after registration. Locked = trueUser is forbbiden to manipulate his accout, because it is locked down. That means no password reset, login etc. Expired = trueUser is archived by admin or after some time from last login (CRON service?).~~ When he logs again, revalidation is required.~~ CredentialsExpired = trueThis is checked after login and if true, user should be forced to change his password and revalidate himself.
There may be need to legalize user after registration by admin. It will be nice to have next flag for this case (legalized). This flag may act in same way as locked flag, but use it only if set in configuration... |
as these flags are defined by core symfony, i would think its a definition that symfony should provide (or maybe it already is somewhere and we did not find it yet). /cc @weaverryan @wouterj |
I looked in to code little bit and there is missing call of userChecker->checkPreAuth() which is usually called on login, but not on autologin after resetting password and registration action. All about this issue happens in AuthenticationListenerer, where only $user->isEnabled() is checked. After that loginManager->loginUser() is called. In loginUser is called userChecker->checkPostAuth() only. To solve this, there must be called userChecker->checkPreAuth() in AuthenticationListener and replace isEnabled() check (which is done in userChecker PreAuth anyway) or before userChecker->checkPostAuth() in LoginManager |
Whoa, this looks pretty serious. Any recommended workaround to really prevent locked users from logging in? |
This part of Symfony is a direct port of Spring Security, which was named Ageci some years ago. Here is an explanation of the semantics of various flags from an old blog post about Ageci: " Locked indicates an account has been automatically suspended due to invalid login attempts. Usually the passage of time or (less often) requesting manual unlocking is required to release it. The distinction is not used by Acegi Security code aside from providing more informative errors to the user. There is also an order in which different exceptions should be returned, so that a disabled or locked account for instance will not return a bad credentials exception. Refer to the JavaDocs for more details. see http://forum.spring.io/forum/spring-projects/security/340-whats-the-difference-between-locked-and-disabled-exceptions for the original discussion. |
There seems to be a bug indeed! I just checked and can confirm that a locked user cannot login. When trying to do so, one gets the message: |
This is definitely un-intuitive at best, and a severe bug at worst, especially if one has implemented the user administration front-end to change the "locked" flag, instead of the "enabled" flag, when a user is disabled. A simple work-around would be to extend ResettingController.php from FOSUserBundle, and log the user out after the password has been reset. Within the resetAction(), one could do:
One could then create a logout success handler to check the referrer, and show a message asking the user to login again, if he/she just came from the password reset page. (Somewhat related: http://www.reecefowell.com/2011/10/26/redirecting-on-loginlogout-in-symfony2-using-loginhandlers/) |
OK, allowing disabled/locked users to re-login by resetting their password (or with their remember me cookie symfony/symfony#10242 ) isn't so great, so I've digged around and here are my findings. There are mainly 2 things at play here:
Timeline:
@dbu Overall, it seems like @vlastimilmaca 's comment was on the spot and we could start with 2 things:
|
@hellomedia thank you for looking into this! Some additional considerations: It seems that according to the above @fabpot / Spring Security definitions, the |
@rayrigam I agree. My understanding at this point :
|
Hi, I agree with rayrigam - if locked is set to true, or enabled is set to false, the user should not be able to reset his or her password. |
@hellomedia I agree with your points. Technically, according to the above definitions, a locked user should not be allowed to reset the password without the passage of time or the manual unlocking; however, given that there is no current system to automatically lock an account and record the passage of time, it does not seem like a big deal to go either way when |
there is no automatic system to lock the user either (unless you implemented your own) |
another potential security issue:
so the locked/enabled verification (whatever it ll be at the end) should be done in |
sorry, to deviate from the core topic, but are expired and credentials_expired actively used or are they just there for convenience. My guess was they probably are there to implement your own authentication, but i couldnt find any helpful documentation. |
I think they are there for convenience. implementation is left up to you. |
Any updates on this? |
If I am not mistaken, if you use Fabien's definitions above for |
Unless I missed something, I think this is still a serious issue. As indicated in my previous comment, a user MUST NOT be allowed to reset his/her password if |
If a user is disabled, isn't that checked in Authentication Listener ? |
Symfony changed the behaviour of the Cookie Based login and I think this is related to the Authentication manager inside the FOSUserBundle symfony/symfony#11058 |
Here is a pull request for this. Please comment the PR : #1673 |
A locked user can login if he resets his password and click the email link. Maybe a check should be added in the controller ?
The text was updated successfully, but these errors were encountered: