2019-03-18

[#10430] Forgot Password dialog presents empty security question if none is set
Summary Forgot Password dialog presents empty security question if none is set
Queue Horde Base
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners
Requester lang (at) b1-systems (dot) de
Created 2011-08-16 (2771 days ago)
Due
Updated 2011-08-17 (2770 days ago)
Assigned
Resolved 2011-08-17 (2770 days ago)
Milestone
Patch No

History
2011-08-17 14:43:38 Ralf Lang (B1 Systems GmbH) Comment #6
State ⇒ Resolved
It was decided that skipping the security question is unsafe.
Users now get a warning if no security question is set when they try 
to reset their password.
2011-08-17 14:41:50 Git Commit Comment #5
Changes have been made in Git for this ticket:

[rla] Reset password dialog shows a warning when no security question 
is set #10430

  3 files changed, 7 insertions(+), 2 deletions(-)
http://git.horde.org/horde-git/-/commit/c05dbf0330f21de8d6ffad6098ba7af3db85ba11
2011-08-16 15:02:10 Git Commit Comment #4
Changes have been made in Git for this ticket:

Revert "[rla] Don't present security question dialog if none is set #10430"

This is contested on <dev@> and wrong branch anyway.

This reverts commit 84e8bd5b011c31ba6b071864f65c989b3acae1f3.
This reverts commit 98e7ed658b56dbbdaafcf321b459652a8cd75ef2.

  3 files changed, 7 insertions(+), 11 deletions(-)
http://git.horde.org/horde-git/-/commit/14b5e0749000e0d5740a93e816c1e212e99390dc
2011-08-16 14:19:11 Git Commit Comment #3
Changes have been made in Git for this ticket:

[rla] Don't present security question dialog if none is set #10430

  2 files changed, 3 insertions(+), 2 deletions(-)
http://git.horde.org/horde-git/-/commit/84e8bd5b011c31ba6b071864f65c989b3acae1f3
2011-08-16 14:19:03 Git Commit Comment #2
Changes have been made in Git for this ticket:

[rla] Don't present security question dialog if none is set #10430

  1 files changed, 8 insertions(+), 5 deletions(-)
http://git.horde.org/horde-git/-/commit/98e7ed658b56dbbdaafcf321b459652a8cd75ef2
2011-08-16 10:52:36 Ralf Lang (B1 Systems GmbH) Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ Forgot Password dialog presents empty security question if none is set
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
HOW TO REPRODUCE:
A user enters an alternate_email but no security question/answer.
He logs out and clicks "Forgot password".
He provides username and alternate email.

EFFECT:
He is presented with an empty security question and an answer field which 
does not accept any input (empty line complains about "required", any 
input would not match backend content).

EXPECTED BEHAVIOUR:

Either do not present security question if none is set or forbid reset 
self service if none is set. I would go for the former though there is 
a slight potential of DoS in setups where alternate_email is 
auto-set/required.

ACTION:

I would patch that according to "do not present security question if 
none is set".
Please post any disagreements.
