More & more of us are using Password Managers & browser extensions to help us use these in daily life.
I have had several reports from some of my website administrators that when they are editing users' information in the Back End > Manage Users, the user's information is prepopulated with their own name, username, emails, etc., causing problems when the admin is trying to change a user group or other user-related information.
I see the problem as the name, username, email and password fields in the BackEnd User Profile page are encoded either the same way as a login page, or they meet the criteria that some password managers and browser autofill tools look for in trying to identify a login form.
Can these be modified so that when the page is rendered, Password Management & other autofill tools do not think they are login forms?
With Auto Fill enabled within the browser or Password Manager, go to a Joomla! site's Back End > Users > Manage
Select a User other than yourself
You will see the user's details are changed (AutoFilled) with your own.
Access a user's details via Back End > Users > Manage > User without having the information overwritten.
You will see the user's details are changed (AutoFilled) with your own.
Joomla 3.9.6
PHP 7.2.x
Tested with Chrome, FF, Safari using LastPass, 1Password
Labels | Added: J4 Issue |
@franz-wohlkoenig to me it is a bug to be fixed in J3, as I am sure we have tried to do this before, so it should not autofill.
Labels | Added: J3 Issue | Removed: J4 Issue |
LastPass (I suppose 1Password etc. too) does provide settings on a per-domain basis on whether to autofill fields or not, so not an issue imo.
@sandstorm871 what are they using?
Now that I think about it the problem is most likely not something we can do anything about. There is an autocomplete=off setting we could add BUT Chrome disables that.
@sandstorm871 what are they using?
I tested this myself with LastPass & 1Password; disabling autofill does stop this happening but also stops me from using my password manager to log into the site.
Admins I have spoken with are using similar password managers, however, one was not using a password manager, so they assumed it must have been a browser setting.
Personally, I think the backend view for editing a user's information shouldn't allow any sort of autofill.
iirc at least LastPass should allow you to use a URL, so you can still use it on the login URL and not on the user management URL.
Personally, I think the backend view for editing a user's information shouldn't allow any sort of autofill.
tell that to the browsers https://caniuse.com/#search=autofill
The problem is if you disable autofill it's going to break the legitimate use cases, unless either the browser or the browser extension ignores that.
On a user profile edit page, it's really difficult to impossible to have the forms distinguish themselves as "I am editing my own account" versus "I am editing another person's account". Even if you start using more detailed autocomplete attribute values, it doesn't really fix the problem 100%. The autofill systems were designed for frontend use cases where a single user is doing stuff for themselves, they aren't suited for administrative interfaces.
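A check a site maintainer could run against the rendered HTML of a user edit form to see which fields leave autofill tools to their own heuristics, following the autocomplete discussion above. This is an added example, not part of the thread or of Joomla's code; the sample form, its field names and the status labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Input types that autofill tools typically populate (assumption for this example).
AUTOFILL_TYPES = {"text", "email", "password"}

class AutofillAudit(HTMLParser):
    """Collect fillable <input> fields and classify their autocomplete attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, input type, status)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        itype = (a.get("type") or "text").lower()  # HTML default type is "text"
        if itype not in AUTOFILL_TYPES:
            return
        token = (a.get("autocomplete") or "").strip().lower()
        if not token:
            status = "missing"   # the tool decides from its own heuristics
        elif token == "off":
            status = "off"       # the thread notes Chrome does not honour this
        else:
            status = "explicit"  # a detailed token: a hint, not a guarantee
        self.findings.append((a.get("name") or "?", itype, status))

def audit(html):
    """Return the classified fillable inputs found in an HTML fragment."""
    parser = AutofillAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def needs_review(findings):
    """Names of fields that carry no explicit autocomplete token."""
    return [name for name, _type, status in findings if status != "explicit"]

# Constructed sample of an admin "edit another user" form.
SAMPLE_FORM = """
<form method="post">
  <input type="hidden" name="task" value="save">
  <input type="text" name="name" value="Jane Doe">
  <input type="text" name="username" value="jdoe" autocomplete="off">
  <input type="email" name="email" value="jane@example.org">
  <input type="password" name="password" autocomplete="new-password">
  <input name="note">
</form>
"""
```

Calling `needs_review(audit(SAMPLE_FORM))` lists the fields still worth testing by hand with each browser and password manager the site's administrators use.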
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-06-11 16:55:32 |
Closed_By | ⇒ | joomla-cms-bot |
Closed_Date | 2019-06-11 16:55:32 | ⇒ | 2019-06-11 16:55:33 |
Closed_By | joomla-cms-bot | ⇒ | alikon |
Set to "closed" on behalf of @alikon by The JTracker Application at issues.joomla.org/joomla-cms/25173
Old thread but this is still an issue as we approach v4.
How about a checkbox on the backend form to indicate edit of another user? Perhaps autofill could be turned off when check=true?
New Features go in J4.