SC7 - Retrieve password does not work

Having an active security module, I was testing the “retrieve password” link on the login app. Clicking the link I am presented with an app asking for the login I want to reset the password for - fair enough.

On providing the login you then get the change password app showing 2 fields - “password” and “confirm password”. Normally (if done from within the admin menu) it would show 3 fields - “old password” being the extra field. Clearly when done this way (i.e. reset password externally), “old password” is not relevant so it is coded to be hidden.

On entering the new password into the 2 fields I get an error saying that the old password must be at least 4 characters! What the hell? This is clearly occurring because SC is checking the “old password” HIDDEN field - which is of course empty (hence complaining it is less than 4 characters). The thing is, why is SC even checking the “old password” field which is not relevant in this scenario?

I did find the following post which is pretty much the same problem - but is a solved closed thread as this is allegedly fixed in SC7 - er no it’s not (hence this new post).

Now, I can see the code and what is going on and could fix it manually - but I am reticent to do this because:

  1. It is supposed to already be fixed - can anyone confirm this? And if that is true, what am I missing please? I am a relatively new customer and have only ever worked in SC7 - the specific versions of the apps involved I have are: app_change_pswd (7.01.0020) and app_retrieve_pswd (7.01.0020)

  2. Given it is code supplied by SC I am wary of changing it only for it to possibly be replaced during a future update (with still broken code).



If you are certain this is a bug, and that you can fix it, future updates will not replace any existing code from your applications. Unless if you create a new security module, but there should be no worries to existing applications.

Issue reported to our bugs team.

Bernhard Bernsmann

Ah okay, thinking about it, that makes sense re concern with overwrite - thanks Bernhard.

In the meantime then I will endeavour to “fix” the “password change” app so that it knows how to differentiate between:

  1. A logged in user change password request (via the logged in user clicking “change password” on the “admin” menu), and

  2. An external change password request (via getting an email with a link to reset the password after user clicks “reset password” link on login app).

For the first situation no change is necessary. The second situation needs to somehow disregard validating the “old password” and let the app just change the password. Now, the validation (aside from it currently checking the old password field is empty) is that the field itself has a property stating the minimum length of the password (in my case 4 characters). It seems to be this validation that is still occurring, even though the field is hidden with:

sc_field_display({old_pswd}, 'off');

Am I right that if I also use the macro, as below, that will inhibit any validation of that field (as well as being hidden still)?




I tried to fix this as indicated in my previous response - but this does not work as I am unable to trap (in onValidate) when SC is erroneously trying the check the old password (i.e. when a user clicks on the “retrieve password” link in the retrieve password email they get, and then clicks on OK once they have provided a new password). There is nothing in the change password app that I can see that tries to validate old password in that scenario - I would list the code I would use but it fails with the error before it gets to my code, so it looks like something SC does internally is at fault here?

This is the same in V8 too.


Issue is registered on our bugtracker.

Bernhard Bernsmann

[SOLVED] SC7 - Retrieve password does not work

Ok - finally sorted this (SC7 and SC8)

The issue was simply that in xxx_retrieve_pswd (where xxx is whatever prefix you have set) - the “old_pswd” field had a minimum length value set as 6. Changing it to 0 fixes the issue (especially as it is not necessary to verify the length of the old password (because if it’s the wrong / mismatched old password then that’s good enough validation).

adz1111, thanks for the tip. I’m on version 8 and was going crazy trying to fix this until I found your note.

My min password was 5, so I kept getting the “error Old password must have at least 5 characters” error on the retrieve_pswd AND the change_pswd forms.
I had to change the min size to 0 in both apps and now everything works like a champ.

Thank you!

Glad it helped!

Drove me potty too! I’m on 8 now as well (and figured it out on 8, as it happens). The point being that for old password - validating the length is pointless. As long as it matches when checked against the DB, then enough said.

I’m trying to trouble shoot a problem reseting password.
I found this thread and thought it would be my answer, however, my xxx_retrieve_pswd applications does not have an ‘old password’ field. Why would that be?

old_pswd field is NOT in that “retrieve” app - it’s in xxx_change_pswd app - which the “retrieve” app calls - was a misquote on my part in a previous post. However, I do state that “journey” in the very first post.