[#10430] Forgot Password dialog presents empty security question if none is set
Summary Forgot Password dialog presents empty security question if none is set
Queue Horde Base
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners
Requester ralf.lang (at) ralf-lang (dot) de
Created 08/16/2011 (5073 days ago)
Due
Updated 08/17/2011 (5072 days ago)
Assigned
Resolved 08/17/2011 (5072 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
08/17/2011 02:43:38 PM Ralf Lang Comment #6
State ⇒ Resolved
It was decided that skipping the security question is unsafe.
Users now get a warning if no security question is set when they try 
to reset their password.
08/17/2011 02:41:50 PM Git Commit Comment #5
Changes have been made in Git for this ticket:

[rla] Reset password dialog shows a warning when no security question 
is set #10430

  3 files changed, 7 insertions(+), 2 deletions(-)
http://git.horde.org/horde-git/-/commit/c05dbf0330f21de8d6ffad6098ba7af3db85ba11
08/16/2011 03:02:10 PM Git Commit Comment #4
Changes have been made in Git for this ticket:

Revert "[rla] Don't present security question dialog if none is set #10430"
This is contested on <dev@> and wrong branch anyway
This reverts commit 84e8bd5b011c31ba6b071864f65c989b3acae1f3.
This reverts commit 98e7ed658b56dbbdaafcf321b459652a8cd75ef2.

  3 files changed, 7 insertions(+), 11 deletions(-)
http://git.horde.org/horde-git/-/commit/14b5e0749000e0d5740a93e816c1e212e99390dc
08/16/2011 02:19:11 PM Git Commit Comment #3
Changes have been made in Git for this ticket:

[rla] Don't present security question dialog if none is set #10430

  2 files changed, 3 insertions(+), 2 deletions(-)
http://git.horde.org/horde-git/-/commit/84e8bd5b011c31ba6b071864f65c989b3acae1f3
08/16/2011 02:19:03 PM Git Commit Comment #2
Changes have been made in Git for this ticket:

[rla] Don't present security question dialog if none is set #10430

  1 files changed, 8 insertions(+), 5 deletions(-)
http://git.horde.org/horde-git/-/commit/98e7ed658b56dbbdaafcf321b459652a8cd75ef2
08/16/2011 10:52:36 AM Ralf Lang Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ Forgot Password dialog presents empty security question if none is set
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
HOW TO REPRODUCE:
A user enters an alternate_email but no security question/answer.
He logs out and clicks "Forgot password".
He provides username and alternate email.

EFFECT:
He is presented with an empty security question and an answer field which 
does not accept any input (empty line complains about "required", any 
input would not match backend content).

EXPECTED BEHAVIOUR:

Either do not present security question if none is set or forbid reset 
self service if none is set. I would go for the former though there is 
a slight potential of DoS in setups where alternate_email is 
auto-set/required.

ACTION:

I would patch that according to "do not present security question if 
none is set".
Please post any disagreements.
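
The resolution recorded in comment #6 (warn the user instead of skipping the question), sketched as an added PHP example. This is not Horde's code: the function names, the outcome constants, the shape of the `$prefs` array and the plain-string storage of the answer are assumptions made for illustration.

```php
<?php
// Added illustration, not Horde code: all names below are hypothetical.
const RESET_DENIED      = 'denied';       // identity check failed
const RESET_NO_QUESTION = 'no_question';  // warn the user, stop the flow
const RESET_ASK         = 'ask_question'; // render the stored question
const RESET_OK          = 'ok';           // proceed with the reset

// Normalise user-supplied and stored strings before comparing (assumed policy).
function norm(?string $s): string
{
    return strtolower(trim((string)$s));
}

/**
 * $prefs holds the account's stored alternate_email, security_question and
 * security_answer (assumed to be kept as plain strings for this sketch).
 */
function checkResetRequest(array $prefs, string $email, ?string $answer = null): string
{
    $storedEmail  = norm($prefs['alternate_email'] ?? '');
    $question     = trim((string)($prefs['security_question'] ?? ''));
    $storedAnswer = norm($prefs['security_answer'] ?? '');

    if ($storedEmail === '' || !hash_equals($storedEmail, norm($email))) {
        return RESET_DENIED;
    }
    // The case from this ticket: fail closed. Never render an empty question,
    // and never fall through to a reset guarded by the alternate email alone.
    if ($question === '' || $storedAnswer === '') {
        return RESET_NO_QUESTION;
    }
    if ($answer === null) {
        return RESET_ASK;
    }
    return hash_equals($storedAnswer, norm($answer)) ? RESET_OK : RESET_DENIED;
}

// Constructed sample data: one account without a question, one with.
$noQuestion = ['alternate_email' => 'user@example.org'];
$complete   = $noQuestion + ['security_question' => 'First pet?', 'security_answer' => 'Rex'];

echo checkResetRequest($noQuestion, 'user@example.org'), "\n";
echo checkResetRequest($complete, 'user@example.org'), "\n";
echo checkResetRequest($complete, 'user@example.org', ' rex '), "\n";
echo checkResetRequest($complete, 'user@example.org', 'wrong'), "\n";
```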