Bug in Security?

ingjfnc · May 7, 2020, 8:05pm

Hi

I am using the security module from Scriptcase, however I am not able to do a successful password recovery as it is always failing with error message Old Password: must have at least 6 characters.

I did put a restriction on the password for the users, however this is affecting the password reset.
I could trace the error to the section of code called sec_app_change_pswd_apl.php

there is a section where it validates the amount of characters of the old password (useless as logically if you want to restrict the amount of characters of the password it should be checking the new password, not the one that is already set), however the variable is empty because the password reset method used it by sending the activation code by email so the user never types the old password.

if (NM_utf8_strlen($this->old_pswd) < 6)

is there any way I can fix this from the scriptcase interface? I don’t want to modify the php code as when I export the project again in the future my changes will be lost and probably I won’t remember what I did to fix it

Ideally I would like to disable the verification of the amount of characters for the old password (only) as I said above I think it is a useless process

thanks

aducom · May 7, 2020, 8:57pm

You could see it as an error, but you can correct this issue easily yourself. There are more issues, second password when you change it has a shorter fieldlength then the original etc. It’s a good start for your security module, but it needs finetuning.

ingjfnc · May 7, 2020, 8:57pm

yes, the question is what is the best way to fix it without having to change the code as the changes would get overwritten when deploying the project again in the live server.

ingjfnc · May 7, 2020, 8:57pm

I tried to modify the even section for the onload validations

if(isset([act_code]) && !empty([act_code]))
{
sc_field_display({old_pswd}, ‘off’);
}
else
{
sc_field_display({old_pswd}, ‘on’);
sc_btn_display(“exit”,“on”);
}

originally it checks if the activation code has been provided or not to show the field “old password” in the form. I tried to set in the conditional that when the activation code is provided set the old password with a default string longer than 6 characters, say for example “1234567” however that didn’t work.
I tried setting up $old_pswd=“1234567”; {old_pswd}=“1234567” and $this->old_pswd=“1234567”; no luck in any case

aducom · May 7, 2020, 8:57pm

I think that there’s a little misunderstanding. You only generate the security module(s) once. So you can change anything you like and then deploy. As long as you don’t re-generate the modules (which only makes sence if you would change the security model) you will work forever with these (modified) modules.

ingjfnc · May 7, 2020, 8:57pm

oh ok I didnt know that.
so just to confirm, this is a known bug and the only way to fix it is manually in the code, right?