Details
- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Version: 1.13.0
Description
eZ Platform v1.12.0 increased the password hash length, which improves security by allowing longer hashes to be stored in the database. This requires a modification to the database schema so that the longer hashes fit: https://github.com/ezsystems/ezpublish-kernel/blob/v6.13.0/data/update/mysql/dbupdate-6.11.0-to-6.12.0.sql
Since v1.13.0, old-style passwords are automatically updated to the new format on the first login. If you have forgotten to apply the database change, that first login succeeds, but the stored hash is incomplete (truncated). There is no error message in the UI.
This can be confusing to diagnose, because login works the first time a user logs in after the upgrade but fails on every subsequent login.
NOTE: This issue only occurs if the upgrade is not done correctly. The correct procedure is documented in the upgrade guide: https://doc.ezplatform.com/en/2.0/releases/updating_ez_platform/
Steps to reproduce:
- Install eZ Platform v1.11
- Upgrade installation to v1.13 WITHOUT DB UPDATE (dbupdate-6.11.0-to-6.12.0.sql)
- Log in to admin
- Log out of admin
- Log in to admin
Result: Login fails, because a shortened (broken) hash is stored in the DB.
Expected: Login should either always fail in this situation, or always work. Password hashes should not be saved in broken state.
The proposed PR is to always fail, and log the error.
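The following is an added illustration of the failure mode and of the "always fail, and log the error" behaviour the PR proposes; it is not eZ Platform code. It models a non-strict MySQL VARCHAR column that silently truncates, and the column length (50), hash formats and function names are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("password-upgrade")
NEW_PREFIX = "pbkdf2_sha256$"


class TruncatingColumn:
    """Models a VARCHAR(n) in non-strict MySQL: longer values are cut without error."""

    def __init__(self, max_len):
        self.max_len = max_len
        self.value = None

    def store(self, s):
        self.value = s[:self.max_len]  # silent truncation, no exception raised


def legacy_hash(pw):
    # Stand-in for the short pre-1.12 hash format (constructed, 32 chars).
    return hashlib.md5(pw.encode()).hexdigest()


def new_hash(pw, salt=None):
    # Stand-in for the longer post-1.12 format (constructed, 111 chars).
    salt = salt or os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 10_000).hex()
    return f"{NEW_PREFIX}{salt}${dk}"


def verify(pw, stored):
    if stored.startswith(NEW_PREFIX):
        parts = stored.split("$")
        if len(parts) != 3:
            return False
        return hmac.compare_digest(new_hash(pw, parts[1]), stored)
    return hmac.compare_digest(legacy_hash(pw), stored)


def login(pw, column, check_column):
    stored = column.value
    if not verify(pw, stored):
        return False
    if not stored.startswith(NEW_PREFIX):  # transparent upgrade on first login
        upgraded = new_hash(pw)
        if check_column and len(upgraded) > column.max_len:
            # Proposed behaviour: refuse to persist a hash the schema cannot hold.
            log.error("column too short for %d-char hash; apply the DB update", len(upgraded))
            return False
        column.store(upgraded)  # without the check this writes a truncated hash
    return True


def simulate(check_column, col_len):
    """Two consecutive logins against a column of the given length."""
    col = TruncatingColumn(col_len)
    col.store(legacy_hash("s3cret"))
    return [login("s3cret", col, check_column) for _ in range(2)]
```

`simulate(False, 50)` reproduces the report (first login succeeds, second fails), `simulate(True, 50)` shows the proposed consistent failure, and `simulate(True, 255)` shows both logins succeeding once the schema has room for the hash.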