When you have the autocomplete option enabled in Google Chrome and you edit a user profile, the 'E-MAIL ADDRESS' and 'NEW PASSWORD' fields are both prefilled. So Drupal thinks you want to change your password and throws an error: "Your current password is missing or incorrect; it's required to change the Password."
So you have to manually empty the 'NEW PASSWORD' field if you don't want to change your password. We can disable the autocompletion of this field using HTML attributes 'autocomplete=off'. That was already done for the existing password field but not for the new one.
I'll submit a patch in a minute.
Comment | File | Size | Author |
---|---|---|---|
#8 | disable_user_edit_autocomplete-1525640-8.patch | 1.31 KB | jeff.maes |
#3 | disable_user_edit_autocomplete-1525640-3.patch | 1.38 KB | jeff.maes |
#1 | disable_user_edit_autocomplete-1525640-1.patch | 1.31 KB | jeff.maes |
Comments
Comment #1
jeff.maes CreditAttribution: jeff.maes commentedComment #2
attiks CreditAttribution: attiks commentedNeeds to be fixed for Drupal 8 first
spacing error
Comment #3
jeff.maes CreditAttribution: jeff.maes commentedThis version is for Drupal 8
Comment #4
jeff.maes CreditAttribution: jeff.maes commentedComment #5
attiks CreditAttribution: attiks commentedPatch is looking good and reason is good.
Comment #7
catchMakes sense to me. Committed/pushed to 8.x, moving to 7.x for backport.
Comment #8
jeff.maes CreditAttribution: jeff.maes commentedThanks for committing my patch. I've re-attached the D7 version (without the spacing error this time).
Comment #9
attiks CreditAttribution: attiks commentedAssuming testbot will approve the patch, this is looking good.
Comment #10
chx CreditAttribution: chx commentedI get it why we dont want autofill on password, yes but why the username? Neither the issue title nor the summary tells me.
Comment #11
attiks CreditAttribution: attiks commentedIf I understand correctly username is a problem if you create a new user, it gets filled with your own username, but you're right summary talks about email and new password, patch is indeed about email and username.
@jeff.maes can you clarify and change the summary?
Comment #12
jeff.maes CreditAttribution: jeff.maes commentedA little more explanation:
When you actually change your password on the user/*/edit page, Chrome asks if you would like to update your existing password for that website. When you select 'Yes', it saves the combination of the e-mailaddress/password instead of username/password. That results in the autocompletion of the e-mailaddress/password on the user/*/edit page. So that's the reason why I added automplete=off on both fields.
Today, I did some retesting on the latest DEV and still had the autocomplete issues... After updating my Chrome browser to the latest version (19), all the autocomplete issues were gone.
So, what do you think? Do we need to explicitly mention the browsers to skip the autocompletion and include this patch? Or is this the complete responsibility of the browser?
Comment #13
David_Rothstein CreditAttribution: David_Rothstein commentedYeah, something seems wrong here - the patch does look like it changed username/e-mail only but didn't touch any of the password fields (contrary to the issue title). I really can't see why we would prevent autocomplete on anything but a password field.
Related issue: #787876: Edit "My Account" fills the first password field
Comment #14
sunThe username/email mismatch is a separate problem that exists for a long time already. I just created an issue to fix that:
#2191785: Password managers are identifying/storing wrong username field when creating a user account
After noticing that in D8, my browser does not ask me to store my credentials at all anymore, I pickaxed the git log and found this issue.
The 'autocomplete=off' attribute seems to have been added to too many form elements here. Or perhaps more specifically, the changes were not limited to the case/condition of actually editing your own & existing user account.
As a result, the browser's autocompletion (+ password manager) is completely turned off for all incarnations of the user account form; i.e., in the registration form, the administrative user account creation form, the administrative edit form, and also the edit form.
Unless I misunderstood the purpose of this issue, the attribute should only have been added for the case of editing the own user account...
However, given the original topic starter, the committed change might have been unnecessary — the originally reported username/email autofilling mismatch is exactly what is being fixed in #2191785: Password managers are identifying/storing wrong username field when creating a user account
In light of that, I'm not sure whether we shouldn't roll back the patch in #3?
Comment #15
claudiu.cristeaThis is related #2219443: Autocomplete in Safari 7 overwrites email address on user profile edit form.
Comment #16
mgifford@sun, your patch https://drupal.org/files/issues/user.form_.22.patch addresses the username, but not the email.
@David_Rothstein - the password field doesn't autocomplete anyways. Least not on my quick mobile testing. If this is happening in some smart phones then we should look at explicitly. I don't think it's a problem anywhere other than the username/email fields.
Comment #17
sunThe revised/final patch in #2191785-25: Password managers are identifying/storing wrong username field when creating a user account now contains proper test coverage for this issue.
Comment #18
mgiffordWith this:
I see no reason not to roll back the patch in #3.
Comment #19
sunHm. The situation is a bit hairy. Technically, we could roll back the patch in #3 and redo it from scratch including tests, additionally accounting for the Safari issue in #15...
However, that would break #2191785: Password managers are identifying/storing wrong username field when creating a user account (which essentially reverts + re-implements already), so I'd personally prefer to simply move forward with that instead, and leave this issue for a possible backport only.
Comment #33
pameeela CreditAttribution: pameeela commentedSo confusing!! The patch in #3 was committed and Fixed in 2012, and subsequently re-opened much later to discuss reverting. This didn't happen and there has not been any discussion in many years so I'm going to re-mark this Needs work and bump to 7.x for backport.