View Issue Details

ID: 0020816
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2016-06-12 00:42
Reporter: cproensa
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.1
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0020816: user verification / password reset allows setting of empty password
Description

On account verification, or password reset, when the user is prompted for a new password, a blank password is allowed to be entered.

This may happen in two situations:

  • Administrator resets a user password.
    The user password is set to a random one, and the email notification is sent.
    If the user fails to update his password, he can't log in again, because the random password has been kept.
  • User uses the "forgotten password" functionality.
    The notification allows the user to go to the account update page; if it is not filled in, the old password is still active (which the user forgot, so he probably can't log in again).

This situation is aggravated if the activation link was expired on first use.

Tags: No tags attached.

Relationships

related to 0006009 (closed, cproensa): Cannot change password in second enter to verification page

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 01affc80

2016-04-17 08:48

cproensa

Committer: dregad


Do not allow blank password on account verification

Fixes 0020816
Affected Issues: 0020816
mod - account_update.php