View Issue Details

ID: 0020686
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-01-11 06:38
Reporter: monochrome
Assigned To: cproensa
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.1
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0020686: Make sure new users complete the registration process
Description

The system allows new users to login to MantisBT without setting their password in the verification page.

Steps To Reproduce

1) After registering your username, click the verification link in your email.
2) Page will ask to register new password. Input new password but don't click on Update user yet.
3) Instead, click on My Account link.
4) Page will be redirected to requiring username and password.
5) Input password. Invalid username or password message appears.
6) Input a blank password. Invalid username or password message appears.

Tags: No tags attached.

Relationships

related to 0006009 (closed, cproensa): Cannot change password in second enter to verification page
has duplicate 0021929 (closed, cproensa): User Verification Link is being consumed before use

Activities

atrol

2016-03-13 17:56

developer   ~0052763

monochrome,

I was not able to reproduce your problem with a fresh install of the latest stable MantisBT release (1.2.19 at the moment).

If you are running an older version, I recommend that you upgrade to the latest (download from [1]). If after doing so the problem persists, do not hesitate to reopen the issue and provide detailed step-by-step instructions to reproduce the issue; the following additional information may also be useful:

  • Exact version of MantisBT, PHP, Database, Web server, Browser and Operating System
  • Relevant customizations (e.g. changes in config_inc.php, etc)
  • Installed plugins or custom functions ?
  • Was the MantisBT source code modified in any way ?

[1] http://mantisbt.org/download.php

cproensa

2016-03-13 18:58

developer   ~0052764

@atrol
Original description is not very precise, but I think this is what is happening:

  • When the user clicks on a link for a new user activation, or for a password reset, the user is actually logged into the application, and can navigate to other pages like preferences, view bugs, etc.
  • If the user logs out without setting the new password, no further login is possible, because the actual password was not set and the activation link has expired.

I think the fix may be:

  • When the user opens the link for activation/password reset, make that page a dedicated one; no other navigation should be possible.
  • Don't expire the activation token if the user didn't change the password.
atrol

2016-03-14 07:36

developer   ~0052765

@cproensa, I checked 1.2.x and was not able to reproduce the issue.
You are right in terms of what you described for 1.2.x.

  • If the user logs out without setting the new password, no further login is possible, because the actual password was not set and the activation link has expired.

I think this is not the best solution but acceptable, as the user can use the "Forgot password" link.

Now I checked also 1.3 and I am able to reproduce the steps that @monochrome entered.

cproensa

2016-03-14 07:49

developer   ~0052766

After seeing this issue, I now understand most of the complaints that I get from new users about not being able to enter Mantis, probably the second time they tried.

User receives the new user email, opens the link, and starts browsing the site right away. They didn't read the email that says that they should set the new password, neither did they read the warnings on the account page.

That's why I suggest that the password reset page be a dedicated page, where the only thing you can do is that!

Requesting the "forgot password" functionality on a non-confirmed new account may become unavailable if we implement some of the proposals for not sending mail to unconfirmed accounts (for spam concerns).

atrol

2016-03-14 15:31

developer   ~0052773

PR https://github.com/mantisbt/mantisbt/pull/735

Related Changesets

MantisBT: master d7b8d33e

2016-05-14 08:26

dregad

Manage the password reset hash as a token

Refactor verify.php to be a not-logged-in page (like login_page.php), so
the only action the user can do is change the password, and not navigate
into the site.

If the user does not change the password and quits the page, the
activation token remains valid until the change is effectively done (or
the token times out)

Fixes 0020686, 0006009, https://github.com/mantisbt/mantisbt/pull/735

Note: I reworded and reformatted some of the original commit messages.
Affected Issues: 0006009, 0020686
mod - account_page.php
mod - account_update.php
mod - core/constant_inc.php
mod - core/user_api.php
mod - css/default.css
mod - lang/strings_english.txt
mod - lost_pwd.php
mod - verify.php

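Added example, not MantisBT code: a small Python model of the two token lifecycles described in cproensa's proposal above and in commit d7b8d33e. The AccountStore class, its method names and the TOKEN_TTL value are assumptions made for this illustration; open_link_flawed models the reported behaviour (clicking the link consumes the token and grants a full session), while open_link_fixed models the fix (the link only yields a restricted password-setting context and the token survives until set_password succeeds or it times out).

```python
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds; constructed value, not MantisBT's configuration


class AccountStore:
    """Constructed model of activation-token handling; not MantisBT's user_api."""

    def __init__(self):
        # username -> {"password": str|None, "token": str|None, "expires": float}
        # password is kept in clear only to keep the model short; hash it in real code
        self.users = {}

    def register(self, username):
        token = secrets.token_urlsafe(32)
        self.users[username] = {"password": None, "token": token,
                                "expires": time.time() + TOKEN_TTL}
        return token  # this is what the verification e-mail would carry

    def _token_valid(self, username, token):
        u = self.users.get(username)
        return (u is not None and u["token"] is not None
                and hmac.compare_digest(u["token"], token)
                and time.time() < u["expires"])

    # Reported behaviour: the link itself logs the user in and is consumed,
    # so a user who navigates away without setting a password is locked out.
    def open_link_flawed(self, username, token):
        if not self._token_valid(username, token):
            return None
        self.users[username]["token"] = None          # consumed on click
        return {"user": username, "full_session": True}

    # Fixed behaviour: the link only opens a dedicated password-setting context;
    # the token is left untouched until the password is actually set.
    def open_link_fixed(self, username, token):
        if not self._token_valid(username, token):
            return None
        return {"user": username, "full_session": False, "may_set_password": True}

    def set_password(self, username, token, new_password):
        if not self._token_valid(username, token) or not new_password:
            return False
        self.users[username]["password"] = new_password
        self.users[username]["token"] = None          # consumed only now
        return True

    def login(self, username, password):
        u = self.users.get(username)
        return (u is not None and u["password"] is not None
                and hmac.compare_digest(u["password"], password))
```
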
MantisBT: master f7b11528

2016-05-16 09:19

cproensa

Committer: dregad

Remove old code from account_page

After the new functionality of verify.php page was implemented (see
issue 0020686), account_page is no longer included, and some old code can
be removed.
Affected Issues: 0020686
mod - account_page.php