View Issue Details
Field | Value |
---|---|
ID | 0006009 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2005-07-25 08:50 |
Last Update | 2016-11-18 05:29 |
Reporter | w_moroz |
Assigned To | cproensa |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Target Version | 1.3.0-rc.2 |
Fixed in Version | 1.3.0-rc.2 |
Summary | 0006009: Cannot change password in second enter to verification page |
Description | Hi, my users report this to me as a bug. When I change the password for a certain user, he receives an email with a link to a page where he can change his password. Some users don't do this. They only click the link, and some time later click this link once again to change the password. The link is inactive, because there is an md5 from login+pass+lastEnter. So, if he doesn't change his pass the first time, I have to send him a reminder once again. I think it would be better to make this link inactive after changing the pass, not only on entering the page. Is there a simple way to do this? Thanks in advance, Wojciech Moroz |
Tags | No tags attached. |

Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0006464 | closed | cproensa | User Sign-up problem |
has duplicate | 0021929 | closed | cproensa | User Verification Link is being consumed before use |
related to | 0020686 | closed | cproensa | Make sure new users complete the registration process |
related to | 0020816 | closed | dregad | user verification / password reset allows setting of empty password |
child of | 0004181 | closed | | Features in Mantis 1.1 release |
This has been improved in 1.0.0rc1, but not to the full extent you are recommending. The confirmation URL remains valid until the user leaves the password change page, but a check is not made to see if the password is updated.

Yes, that's true. Some of my users at first only enter the password change page to check if that really works and do not change the pass. Do you have any idea how to make this link invalid only after changing the password?

Changing the current scheme as you suggest would be difficult due to the way the code is partitioned. We can look at refining this in the next release.
MantisBT: master d7b8d33e 2016-05-14 08:26

Manage the password reset hash as a token

Refactor verify.php to be a not-logged-in page (like login_page.php), so the only action the user can do is change the password, and not navigate into the site.

If the user does not change the password and quits the page, the activation token remains valid until the change is effectively done (or the token times out).

Fixes 0020686, 0006009, https://github.com/mantisbt/mantisbt/pull/735

Note: I reworded and reformatted some of the original commit messages.

Affected Issues: 0006009, 0020686
mod - account_page.php
mod - account_update.php
mod - core/constant_inc.php
mod - core/user_api.php
mod - css/default.css
mod - lang/strings_english.txt
mod - lost_pwd.php
mod - verify.php
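A small Python model of the two schemes this issue contrasts, added here as an illustration and not code from MantisBT: the legacy md5-over-login+password+last-visit link the reporter describes, which the first visit silently invalidates, beside a token store in the spirit of the fix, where the token survives repeated visits and is consumed only once the password is actually changed or the token times out. The token lifetime, the sha256 storage, the `now` clock parameter and all function and class names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 3600  # assumed lifetime of a reset token, in seconds

def legacy_link_hash(login, password_hash, last_visit):
    """Pre-fix scheme per the report: md5 over login + password + last-visit time."""
    return hashlib.md5(f"{login}{password_hash}{last_visit}".encode()).hexdigest()

def legacy_visit(user, link_hash):
    """Old verify page: check the hash, then record the visit, which changes the hash."""
    expected = legacy_link_hash(user["login"], user["password_hash"], user["last_visit"])
    if not hmac.compare_digest(link_hash, expected):
        return False
    user["last_visit"] += 1  # the visit itself invalidates the link for a second click
    return True

class ResetTokenStore:
    """Fixed behaviour: the token is checked on every visit, consumed only on success."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # user_id -> (sha256 of token, expiry timestamp)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[user_id] = (digest, self._now() + TOKEN_LIFETIME)
        return token  # raw token goes in the mail; only its hash is stored

    def verify(self, user_id, token):
        """Check the token without consuming it (the verify page)."""
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            del self._tokens[user_id]  # timed out
            return False
        return hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest())

    def change_password(self, user_id, token, new_password):
        """Consume the token only on a successful change; empty password (0020816) is rejected."""
        if not self.verify(user_id, token) or not new_password:
            return False
        del self._tokens[user_id]
        return True
```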