Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, ccruz, deshani, and 11 others

Git Merge Request #12: [#7786] Invalidate pwd reset tokens after email/password change (merged)

Merging...

Merged

Something went wrong. Please, merge manually

Checking if merge is possible...

Something went wrong. Please, merge manually

Heith Seewald wants to merge 0 commits from /u/heiths/hsallura/ to master, 2015-02-19

Determining commits...

Discussion

Dave Brondsema - 2015-02-11

The main password reset form on /auth/preferences (different a forced change due to password expired) needs to reset the token.

Also I think deleting an email address should clear the reset token, not only for adding a new address. (E.g. if you have multiple addresses recorded already and just remove a compromised one).

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-02-16

Good point. I updated hs/7786 with those changes.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-02-16

Good point. I updated hs/7786 with those changes.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-02-16

Getting there. It still doesn't get cleared out after a regular password change on /auth/preferences/.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Heith Seewald - 2015-02-17

Got it :)

I also wrote a test for resetting passwords via /auth/preferences.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-02-19

Status: open --> merged
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.