[sakai2-tcc] Change reset password to have it send links rather than reset
Steve Swinsburg
steve.swinsburg at gmail.com
Wed Apr 4 19:37:07 PDT 2012
Hi,
This has just come up on list and I think it is worthy of discussion. The Reset Password tool is installed by default in trunk, and its current behaviour is to reset a user's password and email it to them. This is problematic since all you need is a user's email address and you can continually reset their password and essentially DoS them.
I think we should change it so it sends the link and then they need to follow it to reset it. Then no one can reset a password without the owner's intervention.
It's a property change:
# If set to false then password reset users get sent a new email, otherwise they get a link to allow
# them to reset their password. This prevents people from changing password they don't own.
siteManage.validateNewUsers=true
cheers,
Steve
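
The link-based flow proposed in the message above, as an added example that is not part of the original email and is not Sakai code: a reset request only issues a single-use, expiring token, and the password changes only when the token from the emailed link is presented. The class, method names, in-memory stores and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 3600  # assumed link lifetime in seconds

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ResetService:
    """Hypothetical in-memory service; all names here are illustrative."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, password hash)
        self.pending = {}   # sha256(token) -> (email, expiry time)

    def set_password(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = (salt, _hash_pw(password, salt))

    def check_password(self, email, password):
        salt, stored = self.accounts[email]
        return hmac.compare_digest(stored, _hash_pw(password, salt))

    def request_reset(self, email, now=None):
        """Callable by anyone who knows the address; never touches the password."""
        now = time.time() if now is None else now
        if email not in self.accounts:
            return None  # the UI should answer identically either way
        # A new request replaces any older pending link for the same account.
        self.pending = {d: v for d, v in self.pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, now + TOKEN_TTL)  # only the digest is stored
        return token  # would be mailed to the owner inside the reset link

    def complete_reset(self, token, new_password, now=None):
        """Only the holder of the mailed token can change the password."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on first try
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

Repeated requests against an address still generate mail, so a per-address rate limit on request_reset is a natural companion to this flow.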