#20306 closed Bug (invalid)

password change accepted, but password doesn't work (code.djangoproject.com)

Reported by: monuszko
Owned by: nobody
Component: *.djangoproject.com
Version: 1.4
Severity: Normal
Keywords:
Cc: bmispelon@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

While trying to report the previous bug, I uncovered a bug with the password change mechanism. Steps:

  1. Use Firefox, set character encoding to UTF-8
  2. Go to https://www.djangoproject.com/accounts/password/reset/
  3. Request a password change, check your mail, follow the password change link.
  4. Type in
    Kołobrzeg
  5. You will get a message saying the password has been changed successfully. However, you will not be able to log in using this password.

The issue seems to be with Unicode and/or Polish characters. I deliberately chose a short word above, to rule out things like spaces not being accepted.

Either the password change system should reject passwords with some characters while filling in the form, or it should accept them and they should work 100%.

Change History (1)

comment:1 Changed 12 months ago by bmispelon

  • Cc bmispelon@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Hi,

I believe there is a problem here, but it's not the one you're describing.

I agree with all your steps up until step 4, but I find that the password is changed successfully at this point.

Here's what I found:

  • If you give a wrong username/password on this page, you see an error message. If you give the correct credentials, you get logged in and redirected to https://www.djangoproject.com/.
  • This page has no indication of whether you're actually logged in, which makes it seem like it failed, but it actually worked.
  • To make matters worse, you're only logged in for www.djangoproject.com and not for code.djangoproject.com, which adds to the confusion.

I'm going to mark this as invalid because the password reset feature does work, even if your password contains non-ASCII characters.

However, I think there's room for improvement in the user-experience side of the process (as your ticket shows, it can be quite confusing), so if you have ideas on how to improve things, I encourage you to open another ticket for it.

Thanks for your report.
