After failed password transaction the logged in user is swapped to another user

I've been able to replicate this behaviour on Plone 5.2.1

  • Plone 5.2.1 (5208)
  • CMF 2.4.2
  • Zope 4.1.3

Log in as a site administrator
log in as a site administrator and attempt to change the password for a user under:
Site Setup > Users and Group

I get an error:

Traceback (innermost last):
  Module ZServer.ZPublisher.Publish, line 151, in publish
  Module ZServer.ZPublisher.Publish, line 393, in commit
  Module transaction._manager, line 252, in commit
  Module transaction._manager, line 131, in commit
  Module transaction._transaction, line 311, in commit
  Module transaction._transaction, line 302, in commit
  Module transaction._transaction, line 447, in _commitResources
  Module transaction._transaction, line 424, in _commitResources
  Module zope.sendmail.delivery, line 80, in tpc_vote
  Module zope.sendmail.mailer, line 62, in vote
  Module smtplib, line 256, in __init__
  Module smtplib, line 318, in connect
  Module smtplib, line 366, in getreply
SMTPServerDisconnected: Connection unexpectedly closed: [Errno 104] Connection reset by peer

At this point I am logged in as an site administrator:

After the failure I click on any link and I become another user. Specifically I become the user whose password I was attempting to reset.

1 Like

Further information. The identical setup on Plone 5.1.6 does not behave in that manner.
So I'm sticking with 5.1.x for now.

This also happens when there is no error after resetting the password for a user. Tried on a local installation with


    Plone 5.2.1 (5208)
    CMF 2.4.2
    Zope 4.1.3
    Python 3.7.7 (default, Mar 10 2020, 15:43:03) [Clang 11.0.0 (clang-1100.0.33.17)]
    PIL 6.2.1 (Pillow)
    WSGI: On
    Server: waitress 1.4.2

It does not happen when I'm logged in as a Zope user.

I was able to track it down a bit:

  1. After resetting a password I can see the __ac Cookie is changed.
  2. When disabling the acl_users.userFolderEditUser() in https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/controlpanel/browser/usergroups_usersoverview.py#L187, the user is not changed
  3. When resetting the password for multiple users, the last user in the list is getting active.

But I couldn't find the part which is actually switching the user.

@jensens, @mauritsvanrees can you take a look at this?

EDIT (I had to edit since only 3 replies are allowed)

I found it: https://github.com/plone/Products.PlonePAS/commit/56470e67248608c57572bfb361f4e1b80bb9cd1b

The notify(CredentialsUpdated(self.getUserById(principal_id), password)) at the end triggers a _setupSession() which calls the _setCookie() which at the end set the new cookie, but with the userid from the selected user, not the current user.

EDIT 2

Issue created: https://github.com/plone/Products.PlonePAS/issues/57

EDIT 3

The good thing is: it is not possible to reset the password of a user with Manager role when one is a Site Administrator only. So one can not switch to a user with more permissions.

2 Likes

For the record, this was reported to the Plone Security Team before this was posted here. We decided it was definitely a bug that should be fixed, but it is not a security issue: you cannot get extra privileges because of this.

Thanks @mauritsvanrees & @tmassman assuming no other issues, I should be ready to start my journey to Python 3 and Plone 5.2 when Products.PlonePAS #57 is addressed.

Plone Foundation Code of Conduct