[sakai2-tcc] Change reset password to have it send links rather than reset
David Horwitz
david.horwitz at uct.ac.za
Wed Apr 4 23:46:28 PDT 2012
+1 though as a note it does mean placing reset pass on the gateway so
that it is enabled by default ...
D
On 04/05/2012 04:39 AM, Aaron Zeckoski wrote:
> I would tend to agree and I think this is a change we should make in
> 2.9 and document in the release notes.
>
> -AZ
>
>
> On Wed, Apr 4, 2012 at 10:37 PM, Steve Swinsburg
> <steve.swinsburg at gmail.com> wrote:
>> Hi,
>>
>> This has just come up on list and I think it is worthy of discussion. The Reset Password tool is installed by default in trunk, and its current behaviour is to reset a user's password and email it to them. This is problematic since all you need is a user's email address and you can continually reset their password and essentially DoS them.
>>
>> I think we should change it so it sends the link and then they need to follow it to reset it. Then no one can reset a password without the owner's intervention.
>>
>> It's a property change:
>>
>> # If set to false then password reset users get sent a new email, otherwise they get a link to allow
>> # them to reset their password. This prevents people from changing password they don't own.
>> siteManage.validateNewUsers=true
>>
>> cheers,
>> Steve
>>
>> _______________________________________________
>> sakai2-tcc mailing list
>> sakai2-tcc at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai2-tcc
>
>
More information about the sakai2-tcc
mailing list