Yes, there are two bugs: 1) line 72 of admin/controllers/default.py should be if not verify_password(request.vars.current_admin_password): instead of if verify_password(request.vars.current_admin_password):
2) line 54 of admin/models/access.py should be return _config['password'] == CRYPT()(password)[0] instead of return _config['password'] == CRYPT()(request.vars.password)[0] On Feb 18, 6:22 pm, Rowdy <[email protected]> wrote: > Greetings, > > Since upgrading 1.75.2 to 1.75.4, I have noticed some oddness with > changing the admin password. > > When I try to change the admin password, I get: > > Traceback (most recent call last): > File "/home/rowdy/web2py/gluon/restricted.py", line 173, in restricted > exec ccode in environment > File "/home/rowdy/web2py/applications/admin/controllers/default.py", > line 1046, in <module> > File "/home/rowdy/web2py/gluon/globals.py", line 96, in <lambda> > self._caller = lambda f: f() > File "/home/rowdy/web2py/applications/admin/controllers/default.py", > line 72, in change_password > if verify_password(request.vars.current_admin_password): > File "/home/rowdy/web2py/applications/admin/models/access.py", line > 54, in verify_password > return _config['password'] == CRYPT()(request.vars.password)[0] > File "/home/rowdy/web2py/gluon/validators.py", line 2267, in __call__ > return (hash(value, self.digest_alg), None) > File "/home/rowdy/web2py/gluon/utils.py", line 32, in hash > h.update(text) > TypeError: update() argument 1 must be string or read-only buffer, not None > > There might be a typo in admin/models/access.py in function > verify_password(). The line near the end (line 54 from the above stack > trace): > > return _config['password'] == CRYPT()(request.vars.password)[0] > > should probably be: > > return _config['password'] == CRYPT()(password)[0] > > as password is passed as a parameter to this function. > > However, after changing this line, when I try to change the admin > password it does not matter what I type as the old password, even a > random string of characters. As long as the new passwords match and are > strong, the admin password is changed. > > Rowdy -- You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/web2py?hl=en.
