Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: guest22 on March 07, 2017, 02:18:43 PM

Title: [SOLVED] TAINTED_ACCOUNT error
Post by: guest22 on March 07, 2017, 02:18:43 PM
Hi,


new SME Server 9.1, passwordstrength Users set to none.


User tries to change his password (letters end numbers > 7) and get the error message 'TAINTED_ACCOUNT.


Anybody an idea what's wrong please?


TIA
Title: Re: TAINTED_ACCOUNT error
Post by: Stefano on March 07, 2017, 03:01:24 PM
Quote from: guest22 on March 07, 2017, 02:18:43 PM
Hi,


new SME Server 9.1, passwordstrength Users set to none.


User tries to change his password (letters end numbers > 7) and get the error message 'TAINTED_ACCOUNT.


Anybody an idea what's wrong please?


TIA

in /etc/e-smith/web/panels/password/cgi-bin/userpassword I read

Code: [Select]
unless (($acctName) = ($acctName =~ /^([a-z][\-\_\.a-z0-9]*)$/ ))
    {
        $q->param(-name => 'status_message', -value => 'TAINTED_ACCOUNT');
        return;
    }

so it seems that the username you're using is not correct
if you think this is wrong, please open a bug, thank you :-)
Title: [SOLVED] Re: TAINTED_ACCOUNT error
Post by: guest22 on March 07, 2017, 03:26:55 PM
Quote from: Stefano on March 07, 2017, 03:01:24 PM
Code: [Select]
unless (($acctName) = ($acctName =~ /^([a-z][\-\_\.a-z0-9]*)$/ ))
    {
        $q->param(-name => 'status_message', -value => 'TAINTED_ACCOUNT');
        return;
    }

The error was between the keyboard and the chair, user tried to use his email address to login.


So it seems there is a other bug in the way the user error is reported back cryptically instead of detecting the '@' sign and report, 'please use your username only', or we allow full email addresses too (which is common out there).


Thanks

Title: Re: TAINTED_ACCOUNT error
Post by: Stefano on March 07, 2017, 03:38:46 PM
Quote from: guest22 on March 07, 2017, 03:26:55 PM
The error was between the keyboard and the chair, user tried to use his email address to login.

You owe me 50€c, I bet on this :-)

Quote
So it seems there is a other bug in the way the user error is reported back cryptically instead of detecting the '@' sign and report, 'please use your username only',

I agree, error messages must be readable and understandable by final users
please open a NFR, thank you

Quote
or we allow full email addresses too (which is common out there).

quite useless, we're using real accounts and so having the @domain part would be useless..
I mean: we'd accept the email but we'd edit the code to consider just the username part.. moreover, often users have an email address which is just an alias..