View Issue Details

ID: 0020686
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2016-11-18 05:29
Reporter: monochrome
Assigned To: cproensa
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: reopened
Product Version: 1.3.0-rc.1
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary0020686: Make sure new users complete the registration process
Description

The system allows new users to log in to MantisBT without setting their password on the verification page.

Steps To Reproduce

1) After registering your username, click the verification link in your email.
2) The page will ask you to register a new password. Input the new password but don't click on "Update user" yet.
3) Instead, click on the "My Account" link.
4) You will be redirected to a page requiring username and password.
5) Input the password. An "Invalid username or password" message appears.
6) Input a blank password. An "Invalid username or password" message appears.

Tags: No tags attached.

Relationships

related to 0006009 (closed, cproensa): Cannot change password in second enter to verification page
has duplicate 0021929 (closed, cproensa): User Verification Link is being consumed before use

Activities

atrol

2016-03-13 17:56

developer   ~0052763

monochrome,

I was not able to reproduce your problem with a fresh install of the latest stable MantisBT release (1.2.19 at the moment).

If you are running an older version, I recommend that you upgrade to the latest (download from [1]). If after doing so the problem persists, do not hesitate to reopen the issue and provide detailed step-by-step instructions to reproduce the issue; the following additional information may also be useful:

  • Exact version of MantisBT, PHP, Database, Web server, Browser and Operating System
  • Relevant customizations (e.g. changes in config_inc.php, etc)
  • Installed plugins or custom functions?
  • Was the MantisBT source code modified in any way?

[1] http://mantisbt.org/download.php

cproensa

2016-03-13 18:58

developer   ~0052764

@atrol
The original description is not very precise, but I think this is what is happening:

  • When the user clicks on a link for a new user activation, or for a password reset, the user is actually logged into the application, and can navigate to other pages like preferences, view bugs, etc.
  • If the user logs out without setting the new password, no further login is possible, because the actual password was not set and the activation link has expired.

I think the fix may be:

  • When the user opens the link for activation/password reset, make that page a dedicated one; no other navigation should be possible.
  • Don't expire the activation token if the user didn't change the password.

atrol

2016-03-14 07:36

developer   ~0052765

@cproensa, I checked 1.2.x and was not able to reproduce the issue.
You are right in terms of what you described for 1.2.x.

  • If the user logs out without setting the new password, no further login is possible, because the actual password was not set and the activation link has expired.

I think this is not the best solution but acceptable, as the user can use the "Forgot password" link.

Now I checked also 1.3 and I am able to reproduce the steps that @monochrome entered.

cproensa

2016-03-14 07:49

developer   ~0052766

After seeing this issue, I now understand most of the complaints that I get from new users about not being able to enter Mantis, probably the second time they tried.

User receives the new user email, opens the link, and starts browsing the site right away. They didn't read the email that says that they should set the new password, neither did they read the warnings on the account page.

That's why I suggest that the password reset page be a dedicated page, where the only thing you can do is that!

Requesting the "forgot password" functionality on a non-confirmed new account may become unavailable if we implement some of the proposals for not sending mail to unconfirmed accounts (for spam concerns).

atrol

2016-03-14 15:31

developer   ~0052773

PR https://github.com/mantisbt/mantisbt/pull/735

Related Changesets

MantisBT: master d7b8d33e

2016-05-14 12:26:34

dregad

Manage the password reset hash as a token

Refactor verify.php to be a not-logged-in page (like login_page.php), so
the only action the user can do is change the password, and not navigate
into the site.

If the user does not change the password and quits the page, the
activation token remains valid until the change is effectively done (or
the token times out)

Fixes 0020686, 0006009, https://github.com/mantisbt/mantisbt/pull/735

Note: I reworded and reformatted some of the original commit messages.
mod - account_page.php
mod - account_update.php
mod - core/constant_inc.php
mod - core/user_api.php
mod - css/default.css
mod - lang/strings_english.txt
mod - lost_pwd.php
mod - verify.php
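The token lifecycle that this commit message and cproensa's proposal above describe, shown as an added Python model; this is not MantisBT's own code. The `consume_on_view` flag switches between the reported behaviour (token spent and a session granted as soon as the link is opened) and the fixed behaviour (opening the link grants no session, and the token stays valid until the password is actually set or the token times out). The class and function names, the in-memory store and the TTL value are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 3600  # assumed token lifetime in seconds (not MantisBT's value)


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow KDF so a leaked database does not reveal passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    password_hash: Optional[bytes] = None   # None until registration completes
    token_hash: Optional[str] = None        # SHA-256 of the emailed token
    token_expires: int = 0                  # unix time after which the token is dead


class Verifier:
    """Hypothetical verification flow. consume_on_view=True models the bug
    reported in this issue; False models the behaviour the fix describes."""

    def __init__(self, consume_on_view: bool):
        self.consume_on_view = consume_on_view
        self.accounts: dict[str, Account] = {}
        self.sessions: set[str] = set()  # usernames holding a logged-in session

    def register(self, username: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.accounts[username] = Account(
            username, token_hash=_sha256(token), token_expires=now + TOKEN_TTL)
        return token  # in a real system this goes into the verification email

    def _valid_token(self, username: str, token: str, now: int) -> Optional[Account]:
        acct = self.accounts.get(username)
        if acct is None or acct.token_hash is None or now >= acct.token_expires:
            return None
        if not hmac.compare_digest(acct.token_hash, _sha256(token)):
            return None
        return acct

    def open_link(self, username: str, token: str, now: int) -> bool:
        """User opens the emailed link; True means the set-password page is shown."""
        acct = self._valid_token(username, token, now)
        if acct is None:
            return False
        if self.consume_on_view:
            # Reported behaviour: token spent and user logged in before any
            # password exists, so leaving the page strands the account.
            acct.token_hash = None
            self.sessions.add(username)
        return True

    def set_password(self, username: str, token: str, new_password: str, now: int) -> bool:
        """Completes registration. Under the fixed policy the token is consumed only here."""
        if self.consume_on_view:
            acct = self.accounts.get(username) if username in self.sessions else None
        else:
            acct = self._valid_token(username, token, now)
        if acct is None or not new_password:
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.token_hash = None
        return True

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.password_hash is None:
            return False  # no password set yet: blank or any password fails
        if hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt)):
            self.sessions.add(username)
            return True
        return False

    def logout(self, username: str) -> None:
        self.sessions.discard(username)
```

With `consume_on_view=True`, the sequence from the steps to reproduce (open link, navigate away, try to log in) leaves the account with no password and no usable token. With `consume_on_view=False`, the user can reopen the link any number of times before the TTL, can only ever reach the set-password action from it, and obtains a session solely by logging in with the password they set.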

MantisBT: master f7b11528

2016-05-16 13:19:42

cproensa

Committer: dregad
Remove old code from account_page

After the new functionality of verify.php page was implemented (see
issue 0020686), account_page is no longer included, and some old code can
be removed.
mod - account_page.php

Issue History

Date Modified Username Field Change
2016-03-11 03:59 monochrome New Issue
2016-03-13 17:56 atrol Assigned To => atrol
2016-03-13 17:56 atrol Status new => resolved
2016-03-13 17:56 atrol Resolution open => no change required
2016-03-13 17:56 atrol Note Added: 0052763
2016-03-13 18:58 cproensa Status resolved => feedback
2016-03-13 18:58 cproensa Resolution no change required => reopened
2016-03-13 18:58 cproensa Note Added: 0052764
2016-03-13 20:40 cproensa Relationship added related to 0006009
2016-03-14 07:36 atrol Note Added: 0052765
2016-03-14 07:37 atrol Status feedback => confirmed
2016-03-14 07:37 atrol Product Version => 1.3.0-rc.1
2016-03-14 07:49 cproensa Note Added: 0052766
2016-03-14 15:31 atrol Note Added: 0052773
2016-03-14 15:31 atrol Assigned To atrol => cproensa
2016-03-31 05:06 cproensa Status confirmed => assigned
2016-05-14 12:30 dregad Changeset attached => MantisBT master d7b8d33e
2016-05-14 12:30 dregad Assigned To cproensa => dregad
2016-05-14 12:30 dregad Status assigned => resolved
2016-05-14 12:30 dregad Fixed in Version => 1.3.0-rc.2
2016-05-14 12:36 dregad Assigned To dregad => cproensa
2016-05-14 12:36 dregad Target Version => 1.3.0-rc.2
2016-05-14 12:36 dregad Summary Does not require to finish the registration. => Make sure new users complete the registration process
2016-05-14 12:36 dregad Description Updated View Revisions
2016-05-24 06:49 dregad Changeset attached => MantisBT master f7b11528
2016-06-12 00:42 vboctor Status resolved => closed
2016-11-18 05:23 cproensa Relationship added duplicate of 0021929
2016-11-18 05:29 cproensa Relationship replaced has duplicate 0021929