Feature #25253
closedPassword reset should count as a password change for User#must_change_passwd
0%
Description
Currently resetting the password through the "forgotten password" feature will not also reset the "must change password" attribute for users. This means users will sometimes reset their password and have to change their password again just after that when logging in.
The following patch would enforce the password change and reset the "must change password" attribute for users. This can not be used for a brute force attack on a user's password as that would require to know a user's password reset token, and if an attacker gets to know a user's password reset token he wouldn't need to brute force the password as he can set it to another password known to him.
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 54a29fbf4..0aac5c1eb 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -80,7 +80,11 @@ class AccountController < ApplicationController
return
end
if request.post?
+ if @user.must_change_passwd? && @user.check_password?(params[:new_password])
+ flash.now[:error] = l(:notice_new_password_must_be_different)
+ else
@user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
+ @user.must_change_passwd = false
if @user.save
@token.destroy
Mailer.password_updated(@user)
@@ -88,6 +92,7 @@ class AccountController < ApplicationController
redirect_to signin_path
return
end
+ end
end
render :template => "account/password_recovery"
return
Another possibility would also be to only reset the "must change password" attribute of the user if the password given during the password reset is not the same as the "previous"/current password, thus requiring the user to change his/her password if the password given during the password reset did not effectively change the password, but I think I like enforcing the password change on password reset better.
Updated by Jean-Philippe Lang over 7 years ago
- Category set to Accounts / authentication
- Target version set to 3.4.0
Updated by Jean-Philippe Lang over 7 years ago
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
The first solution sounds good to me. It's committed with tests, thanks.