View Issue Details

ID: 0021793
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-10-30 23:22
Reporter: cproensa
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.2
Target Version: 1.3.3
Fixed in Version: 1.3.3
Summary: 0021793: Password reset email is sent to disabled users
Description

When a user is disabled, in manage user page, the option to send a password reset is available, and it effectively sends an email with the activation token.
The user receiving the email will not be able to use it, since it is disabled anyway.
(On the other hand, a disabled user cannot request a forgotten password from the login page, which is expected)

Consider:

  • Throwing an error when an admin performs the operation for "reset password with email token"
  • Rethink which actions are shown to an admin for a disabled user in manage user page:
    Should the option to reset password be shown in any way?
    Could a disabled user have their password changed in any way, by email, or directly (blank, etc)?
    Should the admin be able to impersonate a disabled user?
Tags: No tags attached.

Activities

dregad (developer), 2016-10-11 06:36, note ~0054200

  • Throwing an error when an admin performs the operation for "reset password with email token"
    Should the option to reset password be shown in any way?

I would prefer to hide the option, rather than throw an error.

Could a disabled user have its password changed in any way, by email, or directly (blank, etc)?

In my opinion, no.

Should the admin be able to impersonate a disabled user?

I am not sure it makes sense, can't think of a scenario where it would be needed, but I don't think it would hurt if we leave that open.

cproensa (developer), 2016-10-11 07:23, note ~0054201

Should the admin be able to impersonate a disabled user?

I am not sure it makes sense, can't think of a scenario where it would be needed, but I don't think it would hurt if we leave that open.

Actually, I haven't tried yet; there is the possibility that the functionality is not complete, since some parts of the code may check for a user to be enabled.

cproensa (developer), 2016-10-15 15:38, note ~0054232

PR https://github.com/mantisbt/mantisbt/pull/917

Related Changesets

MantisBT: master-1.3.x 332f3ddf
2016-10-15 12:57:18, cproensa
Committer: vboctor
Don't show reset option for disabled or protected users

Don't show the password reset option for disabled or protected users:
- Disabled users can't have email sent.
- Protected users must not have their password changed (and will show an
error anyway)

Fixes: 0021793
mod - manage_user_edit_page.php
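The changeset above hides the reset option on the manage-user page. The following is an added example, not MantisBT's own code, showing the pattern a reviewer would want behind such a fix: one policy function that both decides what the page renders and is enforced again by the action handler, so that hiding the option is backed by a server-side refusal. User records and field names are constructed for the example and are not MantisBT's data model.

```php
<?php
// Added example, not MantisBT's own code. Sample users are constructed.
// One policy function drives both the manage-user page (hide the option,
// as the fix does) and the action handler (reject the request), so a
// request sent directly to the action URL cannot bypass the hidden UI.

function reset_password_denial_reason(array $t_user): ?string {
    if (!$t_user['enabled']) {
        return 'disabled users cannot be sent a reset email';
    }
    if ($t_user['protected']) {
        return 'protected users must not have their password changed';
    }
    return null;  // allowed
}

// Page side: which actions to render for the target user.
function manage_user_edit_actions(array $t_user): array {
    $t_actions = ['update', 'delete'];
    if (reset_password_denial_reason($t_user) === null) {
        $t_actions[] = 'reset_password';
    }
    return $t_actions;
}

// Action side: the same check, enforced regardless of what the page showed.
function manage_user_reset_action(array $t_user): string {
    $t_reason = reset_password_denial_reason($t_user);
    if ($t_reason !== null) {
        throw new RuntimeException('Password reset refused: ' . $t_reason);
    }
    // Stand-in for the mail step; reports the recipient instead of sending.
    return 'reset token emailed to ' . $t_user['email'];
}

// Constructed sample data: an active user, a disabled user, a protected admin.
$t_users = [
    ['username' => 'alice', 'email' => 'alice@example.test', 'enabled' => true,  'protected' => false],
    ['username' => 'bob',   'email' => 'bob@example.test',   'enabled' => false, 'protected' => false],
    ['username' => 'root',  'email' => 'root@example.test',  'enabled' => true,  'protected' => true],
];

foreach ($t_users as $t_user) {
    echo $t_user['username'], ': ', implode(', ', manage_user_edit_actions($t_user)), PHP_EOL;
    try {
        echo '  ', manage_user_reset_action($t_user), PHP_EOL;
    } catch (RuntimeException $e) {
        echo '  ', $e->getMessage(), PHP_EOL;
    }
}
```

Running it lists the actions offered for each sample user and shows the action handler refusing the reset for the disabled and protected users even when invoked directly.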

Issue History

Date Modified Username Field Change
2016-10-11 05:16 cproensa New Issue
2016-10-11 06:36 dregad Note Added: 0054200
2016-10-11 07:23 cproensa Note Added: 0054201
2016-10-15 15:36 cproensa Assigned To => cproensa
2016-10-15 15:36 cproensa Status new => assigned
2016-10-15 15:38 cproensa Note Added: 0054232
2016-10-17 10:51 vboctor Changeset attached => MantisBT master-1.3.x 332f3ddf
2016-10-17 10:51 vboctor Assigned To cproensa => vboctor
2016-10-17 10:51 vboctor Status assigned => resolved
2016-10-17 10:51 vboctor Resolution open => fixed
2016-10-17 10:51 vboctor Fixed in Version => 1.3.3
2016-10-17 11:04 atrol Assigned To vboctor => cproensa
2016-10-17 11:04 atrol Target Version => 1.3.3
2016-10-30 23:22 vboctor Status resolved => closed