[sakai2-tcc] Change reset password to have it send links rather than reset

Steve Swinsburg steve.swinsburg at gmail.com
Wed Apr 4 19:45:40 PDT 2012


Cool, well here is a Jira for it, marked as a security issue since I mention the DoS thing. Though this list is public. Take that off if need be.

https://jira.sakaiproject.org/browse/SAK-22014

Will let it sit for a bit to get more feedback here.

cheers,
S

On 05/04/2012, at 12:39 PM, Aaron Zeckoski wrote:

> I would tend to agree and I think this is a change we should make in
> 2.9 and document in the release notes.
> 
> -AZ
> 
> 
> On Wed, Apr 4, 2012 at 10:37 PM, Steve Swinsburg
> <steve.swinsburg at gmail.com> wrote:
>> Hi,
>> 
>> This has just come up on list and I think it is worthy of discussion. The Reset Password tool is installed by default in trunk, and its current behaviour is to reset a user's password and email it to them. This is problematic since all you need is a user's email address and you can continually reset their password and essentially DoS them.
>> 
>> I think we should change it so it sends the link and then they need to follow it to reset it. Then no one can reset a password without the owner's intervention.
>> 
>> It's a property change:
>> 
>> # If set to false then password reset users get sent a new email, otherwise they get a link to allow
>> # them to reset their password. This prevents people from changing password they don't own.
>> siteManage.validateNewUsers=true
>> 
>> cheers,
>> Steve
>> 
>> _______________________________________________
>> sakai2-tcc mailing list
>> sakai2-tcc at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai2-tcc
> 
> 
> 
> -- 
> Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
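The change discussed in this thread is a design point worth seeing in code: a reset request must not alter the account, only the person who can follow the mailed link does. The example below is added here and is not Sakai code; `ResetLinkService`, the in-memory user store and the `example.invalid` URL are constructed for illustration. It shows the properties that make the link approach safe against the "anyone with an email address can lock you out" problem: requesting a reset is a no-op on the password, the token is unguessable, stored only as a hash, single use, and expires.

```python
"""Link-based password reset flow (added illustration, not Sakai code)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60 * 60  # assumed one-hour validity window for a link


def _hash_token(token: str) -> str:
    # Persist only a hash of the token so a leaked table cannot be
    # turned back into working reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetLinkService:
    """Hypothetical reset service; stores are plain dicts for the example."""

    def __init__(self, base_url: str, clock=time.time):
        self.base_url = base_url
        self.clock = clock          # injectable so expiry can be exercised
        self.passwords = {}         # user_id -> password (constructed store)
        self.emails = {}            # email -> user_id (constructed directory)
        self._pending = {}          # token hash -> (user_id, expires_at)

    def add_user(self, user_id: str, email: str, password: str) -> None:
        self.emails[email] = user_id
        self.passwords[user_id] = password

    def request_reset(self, email: str):
        """Anyone may call this, so it must change nothing about the account.

        It only mints a one-time token and returns the link that would be
        mailed to the address on file. Unknown addresses return None; a real
        endpoint should respond identically in both cases to avoid leaking
        which addresses exist.
        """
        user_id = self.emails.get(email)
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self.clock() + TOKEN_TTL_SECONDS
        self._pending[_hash_token(token)] = (user_id, expires_at)
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str, new_password: str) -> bool:
        """Only whoever received the mail can reach this step.

        The token is removed before any check so it can be used once at most,
        and an expired token is rejected even though it was otherwise valid.
        """
        entry = self._pending.pop(_hash_token(token), None)
        if entry is None:
            return False
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.passwords[user_id] = new_password
        return True
```

Repeated calls to `request_reset` for the same address are harmless: they add pending tokens but leave the current password in place, which is exactly the difference from the reset-and-email behaviour described above. Rate limiting the request endpoint still matters, but for mail volume rather than account lockout.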
