Tickets :: [#10430] Forgot Password dialog presents empty security question if none is set

6.0.0-git

2019-03-18

Summary	Forgot Password dialog presents empty security question if none is set
Queue	Horde Base
Queue Version	Git master
Type	Bug
State	Resolved
Priority	1. Low
Owners
Requester	lang (at) b1-systems (dot) de
Created	2011-08-16 (2771 days ago)
Due
Updated	2011-08-17 (2770 days ago)
Assigned
Resolved	2011-08-17 (2770 days ago)
Milestone
Patch	No

2011-08-17 14:43:38	Ralf Lang (B1 Systems GmbH)	Comment #6 State ⇒ Resolved	Reply to this comment
It was decided that skipping security question is unsafe. Users now get a warning if no security question is set when they try to reset their password.

2011-08-17 14:41:50	Git Commit	Comment #5	Reply to this comment
Changes have been made in Git for this ticket: [rla] Reset password dialog shows a warning when no security question is set ~~#10430~~ 3 files changed, 7 insertions(+), 2 deletions(-) http://git.horde.org/horde-git/-/commit/c05dbf0330f21de8d6ffad6098ba7af3db85ba11

2011-08-16 15:02:10	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git for this ticket: Revert "[rla] Don't present security question dialog if none is set ~~#10430~~" This is contested on <dev@> and wrong branch anyway This reverts commit 84e8bd5b011c31ba6b071864f65c989b3acae1f3. This reverts commit 98e7ed658b56dbbdaafcf321b459652a8cd75ef2. 3 files changed, 7 insertions(+), 11 deletions(-) http://git.horde.org/horde-git/-/commit/14b5e0749000e0d5740a93e816c1e212e99390dc

2011-08-16 14:19:11	Git Commit	Comment #3	Reply to this comment
Changes have been made in Git for this ticket: [rla] Don't present security question dialog if none is set ~~#10430~~ 2 files changed, 3 insertions(+), 2 deletions(-) http://git.horde.org/horde-git/-/commit/84e8bd5b011c31ba6b071864f65c989b3acae1f3

2011-08-16 14:19:03	Git Commit	Comment #2	Reply to this comment
Changes have been made in Git for this ticket: [rla] Don't present security question dialog if none is set ~~#10430~~ 1 files changed, 8 insertions(+), 5 deletions(-) http://git.horde.org/horde-git/-/commit/98e7ed658b56dbbdaafcf321b459652a8cd75ef2

2011-08-16 10:52:36	Ralf Lang (B1 Systems GmbH)	Comment #1 Type ⇒ Bug State ⇒ Unconfirmed Priority ⇒ 1. Low Summary ⇒ Forgot Password dialog presents empty security question if none is set Queue ⇒ Horde Base Milestone ⇒ Patch ⇒ No	Reply to this comment
HOW TO REPRODUCE: A user enters an alternate_email but no security question/answer. He logs out and clicks "Forgot password". He provides username and alternate email. EFFECT: He is presented an empty security question and an answer field which does not accept any input (empty line complains about "required", any input would not match backend content. EXPECTED BEHAVIOUR: Either do not present security question if none is set or forbid reset self service if none is set. I would go for the former though there is a slight potential of DoS in setups where alternate_email is auto-set/required. ACTION: I would patch that according to "do not present security question if none is set ". Please post any disagreements.