Rank: Member
Joined: 4/10/2009(UTC) Posts: 120 Location: Mechanicsville, VA
Thanks: 3 times Was thanked: 1 time(s) in 1 post(s)
Upgraded to 5.7.1 on Saturday. Now when users log in to the site, non-admin users, they are told they don't have permissions to continue. If I create a new user, however, then that new user can log in and function just fine.
Anybody else see this pattern?
Tim
Rank: Member
Joined: 4/13/2009(UTC) Posts: 3
I've encountered this as well... It can be remedied temporarily by going into the user table and setting all users' "PasswordLastSet" field to yesterday's date.
I believe the problem is coming from all users having to reset their passwords after a specific time period (a PCI compliance thing). When they log in, they get redirected to ~/BVAdmin/PasswordExpired.aspx. This page validates a user for admin permissions and the non-admin user is given the no permission error, and because of this they won't be able to log into the store.
Rank: Member
Joined: 4/10/2009(UTC) Posts: 120 Location: Mechanicsville, VA
Thanks: 3 times Was thanked: 1 time(s) in 1 post(s)
Marcus, would you like this reported as a bug?
I reset all of my users' PasswordLastSet field and I no longer have the issue. This will, however, be an issue again when the passwords have to be reset after 30/60/90 days or whatever.
Tim
Rank: Member
Joined: 4/10/2009(UTC) Posts: 120 Location: Mechanicsville, VA
Thanks: 3 times Was thanked: 1 time(s) in 1 post(s)
BTW, I know a lot of sites have gone to 5.7... you guys should check to make sure your users can log in.
Tim
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
Yes, this should be reported as a bug and we'll issue a fix very shortly. Sounds like a critical issue.
Rank: Member
Joined: 4/10/2009(UTC) Posts: 120 Location: Mechanicsville, VA
Thanks: 3 times Was thanked: 1 time(s) in 1 post(s)
Tim
Rank: Member
Joined: 4/28/2003(UTC) Posts: 141
Is there a fix for this yet?
Richard www.somethingmorestore.com
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
We are still working on this. We expect to issue a patch tomorrow.
Rank: Member
Joined: 4/28/2003(UTC) Posts: 141
Thanks for the update, Marcus.
Richard www.somthingmorestore.com
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
We have identified the issue and will be issuing a patch later today. Here are the details in case you want to correct this in your own customized code:

The cause of the issue is that the AdminToolBar is checking for "LoginToAdmin" permissions. When we added PCI checks for expired passwords we inserted them into the wrong section of permission checks for users. This meant that even a check for "LoginToAdmin" triggered the check for expired password even if the user did not have "LoginToAdmin" permissions. The fix was to move the checks for expired passwords into the lower section of the permission check, ensuring that only users with admin permissions will actually get expired password warnings.

Here is the updated code from UserAccount.vb in the Core project around line 659:

Code:
Public Shared Function DoesUserHaveAllPermissions(ByVal userId As String, ByVal permissionIds As Collection(Of String)) As Boolean
    Dim result As Boolean = False
    Dim userPermissions As New Collection(Of RolePermission)
    userPermissions = RolePermission.FindByUserId(userId)
    If userPermissions IsNot Nothing Then
        Dim permissionFoundCount As Integer = 0
        For i As Integer = 0 To permissionIds.Count - 1
            Dim permissionFound As Boolean = False
            ' Check each permission
            For j As Integer = 0 To userPermissions.Count - 1
                If userPermissions(j).Bvin = permissionIds(i) Then
                    permissionFound = True
                    permissionFoundCount += 1
                    Exit For
                End If
            Next
            If permissionFound = False Then
                result = False
                Exit For
            Else
                ' Check license when checking admin permissions
                If permissionIds(i) = Membership.SystemPermissions.LoginToAdmin Then
                    SessionManager.CheckLicense()
                    ' 5.7: Added PCI check to ensure default username is
                    ' not allowed out of the box
                    SessionManager.CheckDefaultAdminUserForPCI()
                    Dim u As UserAccount = UserAccount.FindByBvin(userId)
                    If (u IsNot Nothing) Then
                        If u.IsPasswordExpired() Then
                            If (HttpContext.Current.Request.RawUrl.Contains("PasswordExpired.aspx")) Then
                                Exit For
                            End If
                            If (HttpContext.Current.Request.RawUrl.Contains("GettingStartedEmail.aspx")) Then
                                Exit For
                            End If
                            HttpContext.Current.Response.Redirect("~/bvadmin/PasswordExpired.aspx")
                        End If
                    End If
                    Exit For
                End If
            End If
        Next
        If permissionFoundCount = permissionIds.Count Then
            result = True
        End If
    End If
    Return result
End Function
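As an added illustration (not code from this thread or from BV Commerce), the following Python model re-expresses the control flow of DoesUserHaveAllPermissions in the two orderings the post describes: the 5.7.1 placement, where the expired-password check is keyed on the requested permission before the grant is verified, and the patched placement, where it sits inside the branch reached only after the user is confirmed to hold LoginToAdmin. It also models the PasswordLastSet workaround from earlier in the thread. The 90-day maximum password age, the ViewStorefront permission, the sample accounts and the redirect exception are assumptions constructed for the example; CheckLicense and CheckDefaultAdminUserForPCI are omitted because they do not affect the ordering bug.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Permission ids used in the model. LoginToAdmin is the name from the thread;
# ViewStorefront is a constructed stand-in for an ordinary customer permission.
LOGIN_TO_ADMIN = "LoginToAdmin"
VIEW_STOREFRONT = "ViewStorefront"

# Assumed maximum password age; the thread only says "30/60/90 days or whatever".
MAX_PASSWORD_AGE_DAYS = 90
PASSWORD_EXPIRED_PAGE = "PasswordExpired.aspx"


class PasswordExpiredRedirect(Exception):
    """Stands in for Response.Redirect("~/bvadmin/PasswordExpired.aspx")."""


@dataclass
class UserAccount:
    bvin: str
    permissions: frozenset
    password_last_set: date  # the "PasswordLastSet" column from the thread

    def is_password_expired(self, today: date) -> bool:
        return (today - self.password_last_set).days > MAX_PASSWORD_AGE_DAYS


def _redirect_if_expired(user, today, raw_url):
    # Skip the redirect when already on the expiry page, mirroring the
    # RawUrl.Contains guard in the VB.NET code (avoids a redirect loop).
    if user.is_password_expired(today) and PASSWORD_EXPIRED_PAGE not in raw_url:
        raise PasswordExpiredRedirect(user.bvin)


def has_all_permissions_5_7_1(user, permission_ids, today, raw_url="/"):
    """Pre-patch ordering as the thread describes it: the expiry check is keyed
    on the *requested* permission, so merely asking whether a user has
    LoginToAdmin (which AdminToolBar does for every visitor) triggers it before
    the code has verified that the user actually holds that permission."""
    for pid in permission_ids:
        if pid == LOGIN_TO_ADMIN:          # upper section: grant not yet verified
            _redirect_if_expired(user, today, raw_url)
        if pid not in user.permissions:
            return False
    return True


def has_all_permissions_patched(user, permission_ids, today, raw_url="/"):
    """Patched ordering: the expiry check lives in the branch reached only after
    the user is confirmed to hold LoginToAdmin, so non-admins are denied
    quietly instead of being bounced to an admin-only page."""
    for pid in permission_ids:
        if pid not in user.permissions:
            return False
        if pid == LOGIN_TO_ADMIN:          # lower section: grant verified
            _redirect_if_expired(user, today, raw_url)
    return True


def admin_toolbar_outcome(check, user, today):
    """What happens when AdminToolBar asks for LoginToAdmin: "toolbar" if it is
    shown, "hidden" if the user is quietly denied, "redirected" if the user is
    sent to the admin-only expiry page (where a non-admin then receives the
    "no permission" error reported at the top of the thread)."""
    try:
        return "toolbar" if check(user, [LOGIN_TO_ADMIN], today) else "hidden"
    except PasswordExpiredRedirect:
        return "redirected"


def apply_workaround(user, today):
    """The temporary fix from the thread: set PasswordLastSet to yesterday."""
    return UserAccount(user.bvin, user.permissions, today - timedelta(days=1))


# Constructed sample accounts: a customer and an admin, both with stale passwords.
TODAY = date(2009, 4, 13)
STALE = TODAY - timedelta(days=120)
customer = UserAccount("cust-1", frozenset({VIEW_STOREFRONT}), STALE)
admin = UserAccount("admin-1", frozenset({VIEW_STOREFRONT, LOGIN_TO_ADMIN}), STALE)


if __name__ == "__main__":
    for name, check in (("5.7.1", has_all_permissions_5_7_1),
                        ("patched", has_all_permissions_patched)):
        print(name, "customer:", admin_toolbar_outcome(check, customer, TODAY),
              "admin:", admin_toolbar_outcome(check, admin, TODAY))
```

Running the model shows the symptom and the fix side by side: under the 5.7.1 ordering the stale-password customer is "redirected" even though they never held LoginToAdmin, while under the patched ordering the same customer is simply "hidden" and only the stale-password admin is redirected. The workaround (resetting PasswordLastSet to yesterday) makes the customer pass on the old code too, but only until the password ages past the limit again, which is why it is temporary.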