View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0020686 | mantisbt | authentication | public | 2016-03-11 03:59 | 2019-01-11 06:38 |
Reporter | monochrome | Assigned To | cproensa | ||
Priority | low | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.3.0-rc.1 | ||||
Target Version | 1.3.0-rc.2 | Fixed in Version | 1.3.0-rc.2 | ||
Summary | 0020686: Make sure new users complete the registration process | ||||
Description | The system allows new users to login to MantisBT without setting their password in the verification page. | ||||
Steps To Reproduce | 1) After registering your username, click the verification link in your email. | ||||
Tags | No tags attached. | ||||
monochrome, I was not able to reproduce your problem with a fresh install of the latest stable MantisBT release (1.2.19 at the moment). If you are running an older version, I recommend that you upgrade to the latest (download from [1]). If after doing so the problem persists, do not hesitate to reopen the issue and provide detailed step-by-step instructions to reproduce the issue; the following additional information may also be useful:

@atrol
I think the fix may be:

@cproensa, I checked 1.2.x and was not able to reproduce the issue.
I think this is not the best solution but acceptable, as the user can use the "Forgot password" link. Now I checked also 1.3 and I am able to reproduce the steps that @monochrome entered.

After seeing this issue, I now understand most of the complaints that I get from new users about not being able to enter mantis, probably the second time they tried. User receives the new user email, opens the link, and starts browsing the site right away. They didn't read the email that says that they should set the new password, neither did they read the warnings on the account page. That's why I suggest that the password reset page be a dedicated page, where the only thing you can do is that! Requesting the "forgot password" functionality, on a non-confirmed new account, may become unavailable if we implement some of the proposals for not sending mail to unconfirmed accounts (for spam concerns).

MantisBT: master d7b8d33e 2016-05-14 08:26
Manage the password reset hash as a token

Refactor verify.php to be a not-logged-in page (like login_page.php), so the only action the user can do is change the password, and not navigate into the site. If the user does not change the password and quits the page, the activation token remains valid until the change is effectively done (or the token times out).

Fixes 0020686, 0006009, https://github.com/mantisbt/mantisbt/pull/735

Note: I reworded and reformatted some of the original commit messages.
Affected Issues 0006009, 0020686
mod - account_page.php
mod - account_update.php
mod - core/constant_inc.php
mod - core/user_api.php
mod - css/default.css
mod - lang/strings_english.txt
mod - lost_pwd.php
mod - verify.php

MantisBT: master f7b11528 2016-05-16 09:19 Committer: dregad
Remove old code from account_page

After the new functionality of verify.php page was implemented (see issue 0020686), account_page is no longer included, and some old code can be removed.
Affected Issues 0020686
mod - account_page.php
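
The flow described in commit d7b8d33e above (the verification link opens a page where the only action is setting a password, and the activation token stays valid until the password is changed or the token times out), sketched as an added Python example. It is not MantisBT code: the class, the method names and the token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime in seconds, not MantisBT's value


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ActivationFlow:
    """Hypothetical model: confirming an account never logs the user in."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}     # user -> (sha256 of token, expiry time)
        self.passwords = {}  # user -> (salt, derived key)

    def register(self, user):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[user] = (digest, self.now() + TOKEN_TTL)
        return token  # appears only in the e-mailed verification link

    def token_valid(self, user, token):
        digest, expiry = self.tokens.get(user, (b"", 0.0))
        given = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(digest, given) and self.now() < expiry

    def open_verify_page(self, user, token):
        # Shows only the set-password form: no session is created and the
        # token is not consumed, so leaving the page does not burn the link.
        return "set_password_form" if self.token_valid(user, token) else "denied"

    def set_password(self, user, token, new_password):
        if not new_password or not self.token_valid(user, token):
            return False
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, _kdf(new_password, salt))
        del self.tokens[user]  # consumed only once the change is done
        return True

    def login(self, user, password):
        if user not in self.passwords:
            return False  # unconfirmed account: there is nothing to log in with
        salt, stored = self.passwords[user]
        return hmac.compare_digest(stored, _kdf(password, salt))
```

The clock is injectable (`now=`) so that token expiry can be exercised without waiting.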