Password reset should count as a password change for User#must_change_passwd
|Assignee:||Jean-Philippe Lang||% Done:|
|Category:||Accounts / authentication|
Currently resetting the password through the "forgotten password" feature will not also reset the "must change password" attribute for users. This means users will sometimes reset their password and have to change their password again just after that when logging in.
The following patch would enforce the password change and reset the "must change password" attribute for users. This can not be used for a brute force attack on a user's password as that would require to know a user's password reset token, and if an attacker gets to know a user's password reset token he wouldn't need to brute force the password as he can set it to another password known to him.
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb index 54a29fbf4..0aac5c1eb 100644 --- a/app/controllers/account_controller.rb +++ b/app/controllers/account_controller.rb @@ -80,7 +80,11 @@ class AccountController < ApplicationController return end if request.post? + if @user.must_change_passwd? && @user.check_password?(params[:new_password]) + flash.now[:error] = l(:notice_new_password_must_be_different) + else @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation] + @user.must_change_passwd = false if @user.save @token.destroy Mailer.password_updated(@user) @@ -88,6 +92,7 @@ class AccountController < ApplicationController redirect_to signin_path return end + end end render :template => "account/password_recovery" return
Another possibility would also be to only reset the "must change password" attribute of the user if the password given during the password reset is not the same as the "previous"/current password, thus requiring the user to change his/her password if the password given during the password reset did not effectively change the password, but I think I like enforcing the password change on password reset better.
Password reset should count as a password change for User#must_change_passwd (#25253).
Patch by Felix Schäfer.