Autoreset Password

rt12 · October 18, 2004, 9:43pm

Guys:

I have the following ‘scrips’ to get executed in “reset password” queue upon
creation of a new ticket, I was using RT 3.2.2. Here’s the problem: Everytime
an un-privileged user resets his password, he gets an email back with his
password and the password for few other un-privileged users.(Huge Security
problem) Its Random, sometime he only gets his password and sometimes email has
few more usersname added to it. Help on this will be appreciated. BTW: this use
to work with RT 3.0.10

-----------------Scrips----------------------------

{*RT::User::GenerateRandomNextChar = &RT::User::_GenerateRandomNextChar;

if (($Transaction->CreatorObj->id != $RT::Nobody->id) &&
    (!$Transaction->CreatorObj->Privileged)
   )
{
    my $user = RT::User->new($RT::SystemUser);
    $user->Load($Transaction->CreatorObj->Id);
    my ($stat, $pass) = $user->SetRandomPassword();

    if (!$stat) {
            $OUT .=
       "An internal error has occurred. RT was not able to set a password

for you.
Please contact your local RT administrator for assistance.";

    }
$out .= "

Greetings:

Your password has been RESET as you requested. Please do not reply to this
message or to this email address unless you want your password reset again.

If you have other issue and need to contact SYSADMIN.

Here is your password:

    Username: ".$user->Name."
    Password: ".$pass."

Thank you,
";
}
}
--------------------------End Scrips-------------------------

Hammad

Todd_Chapman · October 18, 2004, 9:46pm

Probably $out never goes out of of scope. Also you have
$out and $OUT, which are two different variables.

I bet of you change every instance of ‘.=’ to ‘=’ and
restart your web server everything will be fine.

-ToddOn Mon, Oct 18, 2004 at 05:43:40PM -0400, Hammad wrote:

Guys:

I have the following ‘scrips’ to get executed in “reset password” queue upon
creation of a new ticket, I was using RT 3.2.2. Here’s the problem: Everytime
an un-privileged user resets his password, he gets an email back with his
password and the password for few other un-privileged users.(Huge Security
problem) Its Random, sometime he only gets his password and sometimes email has
few more usersname added to it. Help on this will be appreciated. BTW: this use
to work with RT 3.0.10

-----------------Scrips----------------------------
Subject: Your Password has been Reset

{*RT::User::GenerateRandomNextChar = &RT::User::_GenerateRandomNextChar;
if (($Transaction->CreatorObj->id != $RT::Nobody->id) &&
    (!$Transaction->CreatorObj->Privileged)
   )
{
    my $user = RT::User->new($RT::SystemUser);
    $user->Load($Transaction->CreatorObj->Id);
    my ($stat, $pass) = $user->SetRandomPassword();

    if (!$stat) {
            $OUT .=
       "An internal error has occurred. RT was not able to set a password
for you.
Please contact your local RT administrator for assistance.";
    }
$out .= "
Greetings:

Your password has been RESET as you requested. Please do not reply to this
message or to this email address unless you want your password reset again.

If you have other issue and need to contact SYSADMIN.

Here is your password:
    Username: ".$user->Name."
    Password: ".$pass."
Thank you,
";
}
}
--------------------------End Scrips-------------------------

Hammad

The rt-users Archives

Be sure to check out the RT wiki at http://wiki.bestpractical.com