Issue with LastPass auto-fill on User permission pages' password prompt #7177

Closed
proimage opened this issue Nov 25, 2020 · 7 comments

@proimage

proimage commented Nov 25, 2020

Description

I use LastPass to manage my passwords, and have the LastPass addon installed in Chrome. What it does is look for username and password fields on the current page, and offer to fill them.

This is great, except for when that password field has no relation to the username field. O.O

When editing a user's permissions and clicking "Save", Craft wisely pops up a modal box asking for the currently logged-in user's password. This means that on the same page, we have both a username field (the user being edited), and a completely unrelated password field ("me", a.k.a. the currently logged-in user).

So when I then use LastPass to fill out the password field, it also "helpfully" fills out the user's username field with my username. Trying to submit from that state, thankfully, always results in an error about the username already being taken.

The simplest solution I can think of would be to enhance what Craft does when modal windows are shown, and mark all other fields not in the modal as readonly. I think that should fix it.

Steps to reproduce

  1. Install Chrome's LastPass addon.
  2. Store your Craft username and password using LastPass.
  3. In the backend, edit the permissions of some other user.
  4. Click "Save".
  5. Use the LastPass addon's password field widget to autofill your password.
  6. Click "Submit".

Additional info

  • Craft version: 3.5.15.1, but affects all 3.x versions AFAIK

@brandonkelly
Member

According to this Manage Your Form Fills KB article, LastPass will avoid autofilling any fields with a data-lpignore="true" attribute, so I’ve just added that to the Username, First/Last Name, Email, and New Password inputs.

Would appreciate if you could test it out. Change your craftcms/cms requirement in composer.json to dev-develop and then run composer update. Then check to see if LastPass is properly ignoring those fields.

@proimage
Author

Hey BK, appreciate the quick response. I was trying to test this out yesterday but ran into a perfect storm of problems. I hope to be able to resolve them soon.

@proimage
Author

Ok, finally managed to get this tested. It does prevent the username from inadvertently getting changed, but it also prevents auto-generation of a new password for the current user.

LastPass does both password generation and autofill of saved username/email & password values. The password generation is certainly valuable and shouldn't be prevented. To date, the only time I've run into a problem has been when editing some other user's account in a way that triggers a prompt for my password. So, in the interest of not fixing what ain't broke, I'd suggest preventing LP autofill on other users' fields only, not from the current user.

@brandonkelly
Member

Alright, just made that change. Run composer update again to pull it in.

@proimage
Author

Looks perfect!

I've never used any of the other password managers like 1Password or KeePass or whatever others there are, but it might be worth implementing the same precautions for them as well.

@brandonkelly
Member

We’ve done what we can for 1Password, although unfortunately they don’t support an explicit data attribute like LP does, so it goes in and out of working depending on the 1P version. (#5365)

@brandonkelly
Member

Craft 3.5.17 is out now with the LastPass improvement.
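
The behaviour this thread settles on (LastPass skipping another user's fields via data-lpignore="true", while the current user's own fields and the password prompt stay fillable) can be checked against rendered markup. The following is an added example, not Craft's code; the field names, the `currentPassword` prompt name and the sample HTML are assumptions constructed for illustration:

```javascript
// Added example: field names and markup are assumptions, not Craft's templates.
const IDENTITY_FIELDS = ['username', 'firstName', 'lastName', 'email', 'newPassword'];
const PROMPT_FIELD = 'currentPassword'; // hypothetical name of the modal's password input

// Parse the attributes of a single <input ...> tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Report fields LastPass could still fill by mistake (exposed) and fields
// where the ignore attribute blocks a legitimate fill (overBlocked).
function auditUserForm(formHtml, editingCurrentUser) {
  const inputs = (formHtml.match(/<input\b[^>]*>/gi) || []).map(parseAttrs);
  const ignored = (a) => a['data-lpignore'] === 'true';
  const isIdentity = (a) => IDENTITY_FIELDS.includes(a.name);
  return {
    // Another user's identity fields that lack data-lpignore="true".
    exposed: editingCurrentUser
      ? []
      : inputs.filter((a) => isIdentity(a) && !ignored(a)).map((a) => a.name),
    // The password prompt, and the current user's own fields, must stay fillable.
    overBlocked: inputs
      .filter((a) => ignored(a) &&
        (a.name === PROMPT_FIELD || (editingCurrentUser && isIdentity(a))))
      .map((a) => a.name),
  };
}

// Constructed markup: the edit form plus the password prompt modal.
const MODAL = '<div class="modal"><input type="password" name="currentPassword"></div>';
const UNMARKED_FORM = `<form>
  <input type="text" name="username" value="otheruser">
  <input type="email" name="email" value="other@example.test">
  <input type="password" name="newPassword">
</form>` + MODAL;
const MARKED_FORM = `<form>
  <input data-lpignore="true" type="text" name="username" value="otheruser">
  <input data-lpignore="true" type="email" name="email" value="other@example.test">
  <input data-lpignore="true" type="password" name="newPassword">
</form>` + MODAL;

console.log(auditUserForm(UNMARKED_FORM, false), auditUserForm(MARKED_FORM, true));
```

Passing `true` for the second argument with the marked form reproduces the intermediate state reported above, where the attribute was applied to the current user's own fields as well.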
