[drupal-devel] [feature] Request New Password Security

neofactor drupal-devel at drupal.org
Fri Mar 11 04:05:31 UTC 2005


Issue status update for http://drupal.org/node/18719

 Project:      Drupal
 Version:      4.5.2
 Component:    user.module
 Category:     feature requests
 Priority:     critical
 Assigned to:  Anonymous
 Reported by:  neofactor
 Updated by:   neofactor
-Status:       active
+Status:       patch

I added some code to prevent the admin account from being reset...
Please add as a patch.
    // Refuse to reset uid 1 (the admin account) through this form.
    if ($account->uid == 1) {
      unset($account);
      form_set_error('name', t('Sorry. The username %name is not allowed to be changed.', array('%name' => '<em>'. $edit['name'] .'</em>')));
    }
    // Just above this code on line 911:
    if ($account) {
      $from = variable_get('site_mail', ini_get('sendmail_from'));
      $pass = user_password();


neofactor



Previous comments:
------------------------------------------------------------------------

March 10, 2005 - 21:52 : neofactor

Problem:
Any user can force another user's password to change... simply by
selecting "request new password" and putting in their username. The
user gets an email with the new password... but this feels like a violation to
the user... and a pain.
Solution?
If someone requests a new password... Don't blindly change it... send
an email that says...."Is this a real request authorized by you? Click
here to confirm otherwise disregard this message"
Please consider this critical for user buy-in to Drupal as a secure
system.
I appreciate your consideration.
http://drupal.org/node/18689
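The confirm-before-change flow proposed above, as an added example that is not part of the original report or of Drupal's user.module. It models both behaviours side by side: reset_immediately() is the path the report complains about (anyone who knows a username forces a new password and triggers the mail), while request_reset() and confirm_reset() mail a random, single-use, expiring token, leave the password untouched, and only change it when whoever controls the mailbox presents the token. The class and method names, the 24-hour link lifetime, the example.invalid URL, PBKDF2 for hashing and the in-memory outbox are all assumptions of the example, not Drupal's code or settings.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of a confirmation link; not a Drupal setting.
TOKEN_TTL_SECONDS = 24 * 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; it is not what user.module did.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class ResetService:
    """Toy user store plus both reset behaviours (example code, not user.module)."""

    GENERIC_REPLY = "If that account exists, a confirmation link has been mailed."

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # name -> {"uid", "email", "salt", "pw_hash"}
        self.pending = {}  # sha256(token) -> {"name", "expires"}; only the hash is kept
        self.outbox = []   # (recipient, body) pairs standing in for the mail call

    def add_user(self, uid, name, email, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {"uid": uid, "email": email, "salt": salt,
                            "pw_hash": _hash_password(password, salt)}

    def check_login(self, name, password):
        u = self.users.get(name)
        if u is None:
            return False
        return hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"]))

    def _set_password(self, u, password):
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = _hash_password(password, u["salt"])

    # Behaviour the report complains about: knowing a username is enough to
    # force a new password onto that account and trigger the mail.
    def reset_immediately(self, name):
        u = self.users.get(name)
        if u is None:
            return False
        new_password = secrets.token_urlsafe(8)
        self._set_password(u, new_password)
        self.outbox.append((u["email"], f"Your new password is {new_password}"))
        return True

    # Proposed behaviour: mail a confirmation link and change nothing yet.
    def request_reset(self, name):
        u = self.users.get(name)
        if u is None or u["uid"] == 1:
            # Same reply whether or not the name exists, so the form cannot be
            # used to enumerate usernames; uid 1 is excluded as in the posted check.
            return self.GENERIC_REPLY
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = {
            "name": name, "expires": self.clock() + TOKEN_TTL_SECONDS}
        self.outbox.append((u["email"],
            "Is this a real request authorized by you? Confirm at "
            f"https://example.invalid/user/reset/{token} otherwise disregard this message."))
        return self.GENERIC_REPLY

    # Only the holder of the mailbox reaches this step; the token is single-use
    # and expires, so a stale or leaked mail cannot be replayed later.
    def confirm_reset(self, token, new_password):
        record = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if record is None or record["expires"] < self.clock():
            return False
        self._set_password(self.users[record["name"]], new_password)
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.add_user(2, "alice", "alice@example.invalid", "hunter2")  # constructed user
    print(svc.request_reset("alice"))
    print(svc.outbox[-1][1])
    print("old password still works:", svc.check_login("alice", "hunter2"))
```

Two details matter beyond the confirmation click itself: the store keeps only a hash of the token, so a database read does not yield usable links, and the reply to the request form is identical for existing, unknown and admin usernames, so the form does not become a username oracle.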