  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-135882

When silently updating a user's password, the passwordModifiedDate field is never updated

Details

      Description
      When silently updating a user's password (e.g., during an LDAP import process), we check to see if the new password value is different from the old password value. If so, we update the user's passwordModifiedDate value to reflect the time at which this update occurred. This check occurs in a method called _isPasswordUnchanged, which is supposed to return false if the new password is different from the old password.

      However, this check does not work properly, because we don't call the _isPasswordUnchanged method until after we have already updated the user's password with the new value.

      We should reorder the logic so that the call to _isPasswordUnchanged comes before the update to the user's password with the new value. This will ensure that the user's passwordModifiedDate field is properly updated any time the password has been changed to a new value.

      Link to relevant logic on GitHub

      Steps to Reproduce
      1. Set up an LDAP server that stores users' passwords.
      2. Add a user to your LDAP server. Add a password for the user.
      3. Start up Liferay and log in as the admin user.
      4. Configure your Liferay instance to import from the LDAP server from step 1.
      5. In your Liferay LDAP import configuration, enable importing user passwords, and importing on startup.
      6. Navigate to Control Panel > Instance Settings > User Authentication. Change the authentication method to "By Screen Name" and click Save.
      7. Restart the Liferay server to trigger an LDAP import process. Wait for the LDAP import to complete.
      8. Query your database's User_ table to verify that the user was imported from LDAP successfully. Make a note of the value of the passwordModifiedDate column for this user.
      9. In your LDAP server, update the user's password to a different value.
      10. Log into Liferay as your LDAP user using the updated password from step 9.
      11. Query your database's User_ table to get the value of the passwordModifiedDate column for the imported LDAP user.

      Expected Result: The passwordModifiedDate column would have the value that represents the timestamp at which you updated the user's password in step 9.
      Actual Result: The passwordModifiedDate column has the same value that it has in step 8.
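
The ordering problem described above, reduced to a self-contained sketch. This is an added example, not Liferay's code: the `User` class, `isPasswordUnchanged`, `updateBuggy` and `updateFixed` are hypothetical names, the timestamps are constructed, and plain string comparison stands in for the portal's real password comparison.

```java
import java.time.Instant;
import java.util.Objects;

public class SilentPasswordUpdateDemo {

    // Simplified stand-in for the user record; not Liferay's User model.
    static class User {
        String password;
        Instant passwordModifiedDate;
        User(String password, Instant modified) {
            this.password = password;
            this.passwordModifiedDate = modified;
        }
    }

    // Hypothetical helper modelled on the check the ticket describes.
    static boolean isPasswordUnchanged(User user, String newPassword) {
        return Objects.equals(user.password, newPassword);
    }

    // Ordering described in the ticket: the new value is stored first, so
    // the comparison sees new == new and the date is never touched.
    static void updateBuggy(User user, String newPassword, Instant now) {
        user.password = newPassword;
        if (!isPasswordUnchanged(user, newPassword)) {
            user.passwordModifiedDate = now; // unreachable in practice
        }
    }

    // Proposed ordering: compare against the stored value, then overwrite.
    static void updateFixed(User user, String newPassword, Instant now) {
        boolean unchanged = isPasswordUnchanged(user, newPassword);
        user.password = newPassword;
        if (!unchanged) {
            user.passwordModifiedDate = now;
        }
    }

    public static void main(String[] args) {
        Instant imported = Instant.parse("2021-01-01T00:00:00Z"); // constructed
        Instant changed = Instant.parse("2021-06-01T00:00:00Z");  // constructed

        User a = new User("old-secret", imported);
        updateBuggy(a, "new-secret", changed);
        System.out.println("buggy: " + a.passwordModifiedDate);

        User b = new User("old-secret", imported);
        updateFixed(b, "new-secret", changed);
        System.out.println("fixed: " + b.passwordModifiedDate);
    }
}
```

A regression test for the fix can follow the same shape: record the date, apply a silent update with a different password, and assert that the date moved.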

          People

            sharry.shi Sharry Shi
            michael.bowerman Michael Bowerman
            Kiyoshi Lee Kiyoshi Lee
            Michael Bowerman Michael Bowerman

            Dates

              Created:
              Updated:
              Resolved:
              1 year, 26 weeks, 6 days ago

              Packages

                Version Package
                7.2.10 DXP FP15
                7.2.X
                7.3.10.3 DXP SP3
                7.3.X
                7.4.13 DXP GA1
                7.4.3.4 CE GA4
                Master