After failed password transaction the logged in user is swapped to another user

I've been able to replicate this behaviour on Plone 5.2.1

  • Plone 5.2.1 (5208)
  • CMF 2.4.2
  • Zope 4.1.3

Log in as a site administrator and attempt to change the password for a user under Site Setup > Users and Groups.

I get an error:

Traceback (innermost last):
  Module ZServer.ZPublisher.Publish, line 151, in publish
  Module ZServer.ZPublisher.Publish, line 393, in commit
  Module transaction._manager, line 252, in commit
  Module transaction._manager, line 131, in commit
  Module transaction._transaction, line 311, in commit
  Module transaction._transaction, line 302, in commit
  Module transaction._transaction, line 447, in _commitResources
  Module transaction._transaction, line 424, in _commitResources
  Module zope.sendmail.delivery, line 80, in tpc_vote
  Module zope.sendmail.mailer, line 62, in vote
  Module smtplib, line 256, in __init__
  Module smtplib, line 318, in connect
  Module smtplib, line 366, in getreply
SMTPServerDisconnected: Connection unexpectedly closed: [Errno 104] Connection reset by peer

At this point I am logged in as a site administrator.

After the failure I click on any link and I become another user. Specifically I become the user whose password I was attempting to reset.

1 Like

Further information. The identical setup on Plone 5.1.6 does not behave in that manner.
So I'm sticking with 5.1.x for now.

This also happens when there is no error after resetting the password for a user. Tried on a local installation with

    Plone 5.2.1 (5208)
    CMF 2.4.2
    Zope 4.1.3
    Python 3.7.7 (default, Mar 10 2020, 15:43:03) [Clang 11.0.0 (clang-1100.0.33.17)]
    PIL 6.2.1 (Pillow)
    WSGI: On
    Server: waitress 1.4.2

It does not happen when I'm logged in as a Zope user.

I was able to track it down a bit:

  1. After resetting a password I can see the __ac cookie is changed.
  2. When disabling the acl_users.userFolderEditUser() in https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/controlpanel/browser/usergroups_usersoverview.py#L187, the user is not changed
  3. When resetting the password for multiple users, the last user in the list becomes the active one.

But I couldn't find the part which is actually switching the user.

@jensens, @mauritsvanrees can you take a look at this?

EDIT (I had to edit since only 3 replies are allowed)

I found it: https://github.com/plone/Products.PlonePAS/commit/56470e67248608c57572bfb361f4e1b80bb9cd1b

The notify(CredentialsUpdated(self.getUserById(principal_id), password)) at the end triggers a _setupSession() which calls _setCookie(), which in the end sets the new cookie, but with the user id of the selected user, not the current user.

EDIT 2

Issue created: https://github.com/plone/Products.PlonePAS/issues/57

EDIT 3

The good thing is: it is not possible to reset the password of a user with the Manager role when one is only a Site Administrator. So one cannot switch to a user with more permissions.

2 Likes
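To make the mechanism described in the post above concrete, here is an added, deliberately simplified model of the bug and its fix. It is not Products.PlonePAS code; the `Request`, `CredentialsUpdated` and handler names are hypothetical stand-ins for the event handler that ends up calling `_setCookie()`. The buggy handler writes the session cookie for whichever principal was updated; the fixed handler only refreshes the session when the updated principal is the user who is actually making the request, and a small check reports whether the cookie still matches the authenticated user.

```python
# Added example: simplified model of a "password reset swaps the session"
# bug (hypothetical names, not the PlonePAS implementation).
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for the current HTTP request."""
    authenticated_user: str            # user id the request was authenticated as
    cookies: dict = field(default_factory=dict)


@dataclass
class CredentialsUpdated:
    """Event fired after a principal's password has been changed."""
    principal_id: str
    password: str


def set_session_cookie(request: Request, user_id: str) -> None:
    """Stand-in for the cookie-plugin's _setCookie(): binds the session to user_id."""
    # Constructed cookie value; a real plugin would store a signed token.
    request.cookies["__ac"] = f"session-for:{user_id}"


def on_credentials_updated_buggy(event: CredentialsUpdated, request: Request) -> None:
    # Bug: the session cookie is rewritten for the principal named in the
    # event, so an administrator resetting another user's password leaves
    # the browser holding that other user's session.
    set_session_cookie(request, event.principal_id)


def on_credentials_updated_fixed(event: CredentialsUpdated, request: Request) -> None:
    # Fix: only refresh the session when the updated principal is the
    # requesting user (self-service password change). Changing someone
    # else's password must not touch the administrator's own session.
    if event.principal_id == request.authenticated_user:
        set_session_cookie(request, event.principal_id)


def session_matches_request(request: Request) -> bool:
    """Defensive check: does the __ac cookie still belong to the authenticated user?"""
    cookie = request.cookies.get("__ac")
    return cookie is None or cookie == f"session-for:{request.authenticated_user}"


def simulate(handler, admin: str = "siteadmin", target: str = "alice"):
    """Run one password reset of `target` performed by `admin` through `handler`.

    Returns (cookie value after the reset, whether the session still matches admin).
    """
    request = Request(authenticated_user=admin)
    handler(CredentialsUpdated(target, "new-secret"), request)
    return request.cookies.get("__ac"), session_matches_request(request)


if __name__ == "__main__":
    print("buggy :", simulate(on_credentials_updated_buggy))
    print("fixed :", simulate(on_credentials_updated_fixed))
    print("self  :", simulate(on_credentials_updated_fixed, admin="alice", target="alice"))
```

Running the script shows the buggy handler leaving the administrator's browser with a cookie for `alice` (the symptom reported in this thread), while the fixed handler leaves the administrator's session untouched and still refreshes the session when a user changes their own password.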

For the record, this was reported to the Plone Security Team before this was posted here. We decided it was definitely a bug that should be fixed, but it is not a security issue: you cannot get extra privileges because of this.

Thanks @mauritsvanrees & @tmassman. Assuming no other issues, I should be ready to start my journey to Python 3 and Plone 5.2 when Products.PlonePAS #57 is addressed.