[drupal-devel] [feature] Request New Password Security
neofactor
drupal-devel at drupal.org
Fri Mar 11 04:05:31 UTC 2005
Issue status update for http://drupal.org/node/18719
Project: Drupal
Version: 4.5.2
Component: user.module
Category: feature requests
Priority: critical
Assigned to: Anonymous
Reported by: neofactor
Updated by: neofactor
-Status: active
+Status: patch
I added some code to prevent the admin account from being reset...
Please add as a patch.
if ($account->uid == 1) {
  // Drop the account so the reset block below is skipped for uid 1.
  unset($account);
  form_set_error('name', t('Sorry. The username %name is not allowed to be changed.', array('%name' => '<em>'. $edit['name'] .'</em>')));
}
// Just above this code on line 911:
if ($account) {
  $from = variable_get('site_mail', ini_get('sendmail_from'));
  $pass = user_password();
  // (existing user.module reset code continues)
neofactor
Previous comments:
------------------------------------------------------------------------
March 10, 2005 - 21:52 : neofactor
Problem:
Any user can force another user's password to change... simply by
selecting "request new password" and putting in their username. The
user gets an email with the new.. but this feels like a violation to
the user... and a pain.
Solution?
If someone requests a new password... Don't blindly change it... send
an email that says...."Is this a real request authorized by you? Click
here to confirm otherwise disregard this message"
Please consider this critical for user buy-in to Drupal as a secure
system.
I appreciate your consideration.
http://drupal.org/node/18689
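The confirm-before-reset flow proposed above, written out as an added example that is not Drupal code and not part of the original post. The language (Python) and every name in it (PasswordResetService, TOKEN_TTL_SECONDS, the in-memory user dict and outbox standing in for the database and mail) are assumptions for illustration; the point is the two-step shape: a request only issues a random, hashed, expiring, single-use token to the account's e-mail, and nothing about the account changes until that token comes back. It also mirrors the uid 1 exclusion from the patch above.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of a confirmation link; not a Drupal setting.
TOKEN_TTL_SECONDS = 3600


class PasswordResetService:
    """Two-step reset: request_reset() mails a token, confirm_reset() changes the password.

    `users` is a constructed in-memory store mapping name -> {'uid', 'password'};
    a real store would keep a password hash, not the password itself.
    `now` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, users, now=time.time, protected_uids=frozenset({1})):
        self.users = users
        self.pending = {}          # name -> (sha256(token), expires_at)
        self.outbox = []           # (name, message) pairs standing in for sent e-mail
        self.now = now
        self.protected_uids = protected_uids

    @staticmethod
    def _digest(token):
        # Store only a digest so a leaked pending table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, name):
        """Issue a confirmation token; the account is NOT modified here.

        Returns whether a mail was queued. The user-facing page should show the
        same neutral message either way so the result cannot enumerate usernames.
        """
        account = self.users.get(name)
        if account is None or account['uid'] in self.protected_uids:
            return False
        token = secrets.token_urlsafe(32)
        self.pending[name] = (self._digest(token), self.now() + TOKEN_TTL_SECONDS)
        # Hypothetical link format; token_urlsafe() never contains '/'.
        self.outbox.append((name, f"Confirm this reset: /user/reset/{name}/{token}"))
        return True

    def confirm_reset(self, name, token):
        """Change the password only for a valid, unexpired, unused token.

        Returns the new password (to be mailed as today), or None on failure.
        """
        entry = self.pending.get(name)
        if entry is None:
            return None
        token_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[name]
            return None
        if not hmac.compare_digest(token_hash, self._digest(token)):
            return None
        del self.pending[name]     # single use: a second click must fail
        new_password = secrets.token_urlsafe(12)
        self.users[name]['password'] = new_password
        return new_password


if __name__ == "__main__":
    # Constructed sample accounts.
    svc = PasswordResetService({'alice': {'uid': 2, 'password': 'old'}})
    svc.request_reset('alice')
    link = svc.outbox[-1][1]
    print("mailed:", link)
    print("password unchanged after request:", svc.users['alice']['password'] == 'old')
    token = link.rsplit('/', 1)[1]
    print("new password after confirm:", svc.confirm_reset('alice', token))
    print("second use rejected:", svc.confirm_reset('alice', token) is None)
```

A third party who types someone else's username now only causes a confirmation mail; the password stays as it was unless the mailbox owner follows the link before it expires.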