Umbraco-CMS
Trying to change member password results in 'Password cannot be changed without the old password' error
Which exact Umbraco version are you using? For example: 9.0.1 - don't just write v9
8.18.4
Bug summary
When trying to change the password of a member an error appears. "Password cannot be changed without the old password"
Our MembershipProvider is set up as follows:
<add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco.Web" minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="true" />
Specifics
No response
Steps to reproduce
Choose a member and change their password
Expected result / actual result
No response
Hi there @AsmusAB!
Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.
We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
- We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
- If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
- We'll replicate the issue to ensure that the problem is as described.
- We'll decide whether the behavior is an issue or if the behavior is intended.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.
Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:
I have the exact same issue in 8.18.4 after upgrading from 7.15.7
I have tried different combinations of enablePasswordReset and allowManuallyChangingPassword in the membership providers in the web.config without any luck.
It seems to only be affected if you specify the password (e.g. reset password checkbox unchecked). When ticking the Reset Password tickbox instead of entering a password, it does successfully reset the password.
The following video shows how the password reset works when checked, but does not work when manually entered (video: "Password reset does not work").
While it's confusing UI, this is indeed how it's intended to work: the checkbox is there to reset the password without having to know the previous password. With that new password you could do a password reset on the frontend and set it to whatever you want it to be.
We're not planning to update this in v8 any more, but now you know how to get it to reset a password successfully and with that move on.
So just to clarify, this will stay with the option to supply a new password, but will always throw an error if used?
For others out there with the same issue, it has been fixed in #12306 and released in V8.15.5