Password set when claiming a Launchpad profile is not used when logging in

Bug #554153 reported by Guilherme Salgado
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Edwin Grubbs

Bug Description

When you claim a Launchpad profile you set a password for it, but that password will not be the one matched against what you enter on the login form. That's because the claiming happens on Launchpad (so the password is stored there) and the login happens on the Login Service, which has no access to the stored password.

If the profile was created before the DB was split, one can just go to login.lp.net and ask for a password reset using that profile's email address to make it usable. However, if the profile was created after the split, it might be possible to make it usable just by registering on login.lp.net using the same email address, but I'm not sure that'd work.

Curtis Hovey (sinzui) wrote :

I am not sure this is a registry issue. This looks like an authentication issue. I honestly do not understand the account and password split. I assumed Launchpad will not have account or password at all. I expect something has verified the user and called ensurePerson() to create the person's profile if it is missing.

Changed in launchpad-registry:
status: New → Incomplete
Guilherme Salgado (salgado) wrote : Re: [Bug 554153] Re: Password set when claiming a Launchpad profile is not used when logging in

On Fri, 2010-04-02 at 19:43 +0000, Curtis Hovey wrote:
> I am not sure this is a registry issue. This looks like an
> authentication issue. I honestly do not understand the account and
> password split. I assumed Launchpad will not have account or password at
> all. I expect something has verified the user and called ensurePerson()
> to create the person's profile if it is missing.

The +claim page is used to claim a placeholder profile that was created
by one of our scripts, but that page just creates a login token and
emails the user with instructions to complete the claiming. The actual
bug is in the logintoken code (which I don't know if it's registry or
foundations).

Anyway, I think the only thing we can do here (without completely
redesigning the whole account-claiming workflow) is to change the +claim
page to require the user to be logged in before proceeding. That will
cause the claimed profile to be merged into the account the user was
logged in to.

--
Guilherme Salgado <email address hidden>

Curtis Hovey (sinzui) wrote :

<salgado> sinzui, in fact, I think the +claim person will have to be removed/disabled. I'll explain why
<salgado> when an anonymous user looks at a placeholder profile (one which is not activated), they see a link to +claim
<salgado> following that takes them through the logintoken workflow, and in the end they reset the password of that profile, thus activating it
<salgado> this no longer works because the password set in LP can't be used to login later
<salgado> however, when a logged in user looks at a placeholder profile, they see a link to /people/+requestmerge
<salgado> so we could just make that the behaviour for anonymous users
<sinzui> salgado, yes. I agree
<salgado> when we send them to +requestmerge they're asked to login, but they don't have an account so they create one (which is as complicated as claiming an existing one) and after that they can claim the existing profile (by way of merging)
<sinzui> salgado, I think someone can start this fix in a few days: remove the view, verify all the claim links point to +requestmerge, remove unused tests.

Changed in launchpad-registry:
status: Incomplete → Triaged
importance: Undecided → High
milestone: none → 10.04
Changed in launchpad-registry:
assignee: nobody → Edwin Grubbs (edwin-grubbs)
Changed in launchpad-registry:
status: Triaged → In Progress
Curtis Hovey (sinzui)
Changed in launchpad-registry:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
tags: added: qa-needstesting
Curtis Hovey (sinzui)
tags: added: qa-ok
removed: qa-needstesting
Ursula Junque (ursinha) wrote : Bug fixed by a commit
tags: added: qa-needstesting
removed: qa-ok
Curtis Hovey (sinzui)
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui) wrote : Bug 554153 Fix released

Fix released in launchpad-project 10.04.

Changed in launchpad-registry:
status: Fix Committed → Fix Released
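
A minimal model of the split described in this report and of the +requestmerge approach agreed in the thread, added here as an illustration and not taken from Launchpad's code. The class and method names, the sample profile names and emails, and the PBKDF2 hashing are assumptions made for the example.

```python
import hashlib, hmac, os

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CredentialStore:
    """One database's password table: email -> (salt, digest)."""
    def __init__(self):
        self.rows = {}

    def set_password(self, email, password):
        salt = os.urandom(16)
        self.rows[email] = (salt, _digest(password, salt))

    def verify(self, email, password):
        if email not in self.rows:
            return False
        salt, digest = self.rows[email]
        return hmac.compare_digest(digest, _digest(password, salt))

class Site:
    def __init__(self, placeholders):
        self.launchpad = CredentialStore()      # written by the old +claim flow
        self.login_service = CredentialStore()  # the only store the login form reads
        self.owner = {name: None for name in placeholders}  # None = unclaimed

    def register(self, email, password):
        self.login_service.set_password(email, password)

    def login(self, email, password):
        return self.login_service.verify(email, password)

    def claim_old(self, profile, email, password):
        # Behaviour in the report: the password lands in the wrong database.
        self.launchpad.set_password(email, password)
        self.owner[profile] = email

    def request_merge(self, profile, email, password):
        # Agreed approach: authenticate against the Login Service, then merge.
        if not self.login(email, password):
            raise PermissionError("log in before claiming a profile")
        # Unknown profiles fall back to a non-None default and are rejected too.
        if self.owner.get(profile, email) is not None:
            raise ValueError("not an unclaimed placeholder profile")
        self.owner[profile] = email

    def stranded(self):
        # Audit check: claimed profiles whose owner cannot log in at all.
        return sorted(p for p, e in self.owner.items()
                      if e is not None and e not in self.login_service.rows)
```

`stranded()` is the kind of consistency check that would surface profiles already claimed through the old flow, whose owners need a password reset or registration on the Login Service.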