Forum OpenACS Development: ACS Authentication: Letting any anonymous user reset any system user's password is trouble

I have submitted this bug report with an attached patch:
https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=2920

Could you take a look at the issue and the patch?
Do you think that anonymous password reset should be removed to prevent any inconvenience to OpenACS users?

I have upgraded the attached patch following Rocael's comments.

Could some people that know about acs-authentication review the patch?

I think this is a really good enhancement over the inconvenient reset password.

It would be even better if you actually sent it to the email address of the user and not to the username. This breaks all sites which actually work with a username that is not the email 😊. Fixed.