wrong username filled in when editing a user

Are you sure that this is not a browser problem?
Mozilla does this for example.

This is almost certainly a bug in Mozilla (http://bugzilla.mozilla.org/show_bug.cgi?id=112260). It's very, very annoying. You'll notice if you view the HTML source for the page that the correct username is displayed in the text box, but that Mozilla overwrites it with its own one. Grrr.

The only way to prevent this from happening is by clearing out Mozilla's Password Manager.

I *can* cook up a patch for this, but it won't validate against HTML 4.2/XHTML1.1 Transitional, and it won't make any difference if your site's already in the password manager (it would stop it from being added in the first place). Would people be interested in this?

We should not patch around broken browsers.
Won't fix.

On 21/05/2003 23:39, Al Maw wrote:

> I *can* cook up a patch for this, but it won't validate against HTML
> 4.2/XHTML1.1 Transitional, and it won't make any difference if your
> site's already in the password manager (it would stop it from being
> added in the first place). Would people be interested in this?

Please find attached.

I would like to see Al's patch applied (see his Sandbox). It adds one harmless attribute to a few input tags. This aids usability for all Mozilla users. Mozilla and Drupal projects do certainly overlap a lot. This is perceived as a Drupal bug anyway as can be seen by the frequency of duplicate bug reports for this issue.

Although I admire the standpoint of "we won't work around browser bugs", the sad fact is that we have to all the time. For example, if there weren't any browser bugs, designing web sites using CSS would be a trivial task. If you want to put pressure on the Mozilla developers to fix this, go visit http://bugzilla.mozilla.org/show_bug.cgi?id=112260 and vote for it. This patch doesn't break anything else, therefore I think it's perfectly valid.

I'm not too impressed when someone marks a bug as WONTFIX and isn't even logged in. I suggest 'Anonymous' lookup the word 'zeolot' in the dictionary. Or just go to this link.

It sounds like 'Anonymous' is a supporter of open source software. Now consider the poor Admin who is trying to use Drupal, but getting frustrated with this bug. He wants to Do the Right Thing and stick with Mozilla, but IE just works better in this case. Why not spare these users some headache? You seem unwilling to make our software "unpure".

Zeolotry is one of the least welcome aspects of open source software IMO. I love to share and colloboratively build great applications, not admire how pure my solution is. When you take a user-centric viewpoint, this patch is an obvious win.

MISC
- if it were easy to fix Mozilla, someone would have already. Clearly that would be the rpeferable. Once a well behaved Mozilla is released, we should remove our workaround.
- I marked this request as Status=Active and Priority=Minor

I was going to apply Al's patch to make everyone happy but it looks like his patch is rather "aggressive"; it adds 12 instances of autocomplete="no". I think some of these are redundant.

Unfortunately, you have to be very agressive. Having said that, you possibly don't need the last four chunks of the patch, when you're editing roles.

The user module has quite a few login prompts. You can't afford to have it store any info.
After some more testing, I've discovered that this patch will also break Internet Explorer's ability to remember passwords and automagically fill them in (I don't mean automatic cookie logins, I mean when you type a username and it fills the password for you). This is probably a Good Thing anyway.

Comment: if I understand what is going on correctly, it appears that fixing Mozilla's auto fill-in reduces the number of mistakes and hassle an admin would go through. It has no effect on security.

On the other hand, breaking MSIE's password auto fill-in improves security, i.e. MSIE's feature is a security weakness.

-1.

MSIE's feature (Safari's in my case) can be a security advantage. If I did not have this feature, there is no way I could keep track of the fifty or so site passwords I use each day. I would end up setting them to the same string, which is clearly a Bad Thing. One malevolent site could use the information to gain access to my account on other sites. Access to these sites is still controlled by the login password to my computer. We should not intentionally subvert features (even misfeatures) of browsers, quite possibly against the wishes of the user.

That said, if this is a necessary step to take, it may be acceptable fallout.

So far there doesn't seem to be a perfect solution, and those affected by this can modify their site.

Renaming the fields seems to be the only way (password manager will fill in fields already saved, even when autocomplete="off" set on the input field and/or on the form element itself)

How do you manage to rename the field without impact the rest of the functions and data structures ?