Summary | Forgot Password dialog presents empty security question if none is set |
Queue | Horde Base |
Queue Version | Git master |
Type | Bug |
State | Resolved |
Priority | 1. Low |
Owners | |
Requester | ralf.lang (at) ralf-lang (dot) de |
Created | 08/16/2011 (5073 days ago) |
Due | |
Updated | 08/17/2011 (5072 days ago) |
Assigned | |
Resolved | 08/17/2011 (5072 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Resolved
Users now get a warning if no security question is set when they try
to reset their password.
[rla] Reset password dialog shows a warning when no security question
is set #10430
3 files changed, 7 insertions(+), 2 deletions(-)
http://git.horde.org/horde-git/-/commit/c05dbf0330f21de8d6ffad6098ba7af3db85ba11
Revert "[rla] Don't present security question dialog if none is set #10430"
This is contested on <dev@> and wrong branch anyway
This reverts commit 84e8bd5b011c31ba6b071864f65c989b3acae1f3.
This reverts commit 98e7ed658b56dbbdaafcf321b459652a8cd75ef2.
3 files changed, 7 insertions(+), 11 deletions(-)
http://git.horde.org/horde-git/-/commit/14b5e0749000e0d5740a93e816c1e212e99390dc
[rla] Don't present security question dialog if none is set #10430
2 files changed, 3 insertions(+), 2 deletions(-)
http://git.horde.org/horde-git/-/commit/84e8bd5b011c31ba6b071864f65c989b3acae1f3
[rla] Don't present security question dialog if none is set #10430
1 files changed, 8 insertions(+), 5 deletions(-)
http://git.horde.org/horde-git/-/commit/98e7ed658b56dbbdaafcf321b459652a8cd75ef2
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ Forgot Password dialog presents empty security question if none is set
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
A user enters an alternate_email but no security question/answer.
He logs out and clicks "Forgot password".
He provides username and alternate email.
EFFECT:
He is presented with an empty security question and an answer field which
does not accept any input (empty line complains about "required", any
input would not match backend content).
EXPECTED BEHAVIOUR:
Either do not present security question if none is set or forbid reset
self service if none is set. I would go for the former though there is
a slight potential of DoS in setups where alternate_email is
auto-set/required.
ACTION:
I would patch that according to "do not present security question if
none is set".
Please post any disagreements.