View Issue Details

ID: 0021793
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-10-30 23:22
Reporter: cproensa
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.2
Target Version: 1.3.3
Fixed in Version: 1.3.3
Summary: 0021793: Password reset email is sent to disabled users
Description

When a user is disabled, in the manage user page, the option to send a password reset is available, and it effectively sends an email with the activation token.
The user receiving the email will not be able to use it, since it is disabled anyway.
(On the other hand, a disabled user cannot request a forgotten password from the login page, which is expected)

Consider:

  • Throwing an error when an admin performs the operation for "reset password with email token"
  • Rethink which actions are shown to an admin for a disabled user in manage user page:
    Should the option to reset password be shown in any way?
    Could a disabled user have its password changed in any way, by email, or directly (blank, etc)?
    Should the admin be able to impersonate a disabled user?
Tags: No tags attached.

Activities

dregad (developer), 2016-10-11 06:36, note ~0054200

> • Throwing an error when an admin performs the operation for "reset password with email token"
> Should the option to reset password be shown in any way?

I would prefer to hide the option, rather than throw an error.

> Could a disabled user have its password changed in any way, by email, or directly (blank, etc)?

In my opinion, no.

> Should the admin be able to impersonate a disabled user?

I am not sure it makes sense, can't think of a scenario where it would be needed, but I don't think it would hurt if we leave that open.

cproensa (developer), 2016-10-11 07:23, note ~0054201

> > Should the admin be able to impersonate a disabled user?
>
> I am not sure it makes sense, can't think of a scenario where it would be needed, but I don't think it would hurt if we leave that open.

Actually, I haven't tried yet; there is the possibility that the functionality is not complete, since some parts of the code may check for a user to be enabled.

cproensa (developer), 2016-10-15 15:38, note ~0054232

PR https://github.com/mantisbt/mantisbt/pull/917

Related Changesets

MantisBT: master-1.3.x 332f3ddf
Date: 2016-10-15 08:57
Author: cproensa
Committer: vboctor

Don't show reset option for disabled or protected users

Don't show the password reset option for disabled or protected users:
- Disabled users can't have email sent.
- Protected users must not have their password changed (and will show an
error anyway)

Fixes: 0021793

Affected Issues: 0021793
Modified: manage_user_edit_page.php
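As an added illustration, not MantisBT's code and not taken from the linked PR, the following constructed Python model shows the policy the changeset describes: a single predicate decides whether "reset password by email token" is permitted for an account, the page gate uses it to decide whether the option is rendered, and the action handler calls the same predicate again so that hiding the option is never the only control. `Account`, `reset_by_email_denial`, `show_reset_option`, `handle_reset_request` and the `Mailer` stand-in are hypothetical names chosen for this example.

```python
"""Constructed model of the disabled/protected account policy from this issue.

Hypothetical code, not MantisBT's own: an account carries `enabled` and
`protected` flags, and one predicate decides whether a reset-by-email may
proceed. Both the UI (manage-user page) and the action handler consult it.
"""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class ResetDenied(Enum):
    """Reasons the reset-by-email action is refused."""
    PROTECTED = "account is protected; its password must not be changed"
    DISABLED = "account is disabled; no email may be sent"


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    enabled: bool = True
    protected: bool = False


def reset_by_email_denial(acct: Account) -> Optional[ResetDenied]:
    """Return None if the reset may proceed, else the reason it is denied.

    Protected is checked first: even an enabled protected account must not
    have its password changed, so that denial takes precedence.
    """
    if acct.protected:
        return ResetDenied.PROTECTED
    if not acct.enabled:
        return ResetDenied.DISABLED
    return None


def show_reset_option(acct: Account) -> bool:
    """Display gate for the manage-user page: render the option only when the
    action would actually be allowed. Same predicate as the handler below."""
    return reset_by_email_denial(acct) is None


class Mailer:
    """Constructed stand-in for the mail subsystem; records what would be sent."""

    def __init__(self) -> None:
        self.outbox: List[Tuple[str, str]] = []

    def send_reset_token(self, email: str, token: str) -> None:
        self.outbox.append((email, token))


def handle_reset_request(acct: Account, mailer: Mailer) -> str:
    """Enforcement gate: the action handler re-checks the policy so that a
    request crafted without the UI, or issued from a stale page, cannot
    bypass the hidden option. Returns a short status string."""
    denial = reset_by_email_denial(acct)
    if denial is not None:
        return f"refused: {denial.value}"
    token = secrets.token_urlsafe(32)  # constructed token; real systems persist and expire it
    mailer.send_reset_token(acct.email, token)
    return "sent"


if __name__ == "__main__":
    mailer = Mailer()
    for acct in (
        Account("active", "active@example.invalid"),
        Account("disabled", "disabled@example.invalid", enabled=False),
        Account("admin", "admin@example.invalid", protected=True),
    ):
        print(acct.username, "option shown:", show_reset_option(acct),
              "handler:", handle_reset_request(acct, mailer))
    print("emails queued:", len(mailer.outbox))
```

The design point is that `show_reset_option` and `handle_reset_request` share one predicate, so the page and the action can never disagree about which accounts may receive a reset token; hiding the option, as the changeset does, is the usability fix, and the handler check is the control that holds when the page is bypassed.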