[PATCH] secure password reset implementation

Thomas De Schampheleire patrickdepinguin at gmail.com
Thu Jul 23 16:28:02 UTC 2015


On July 23, 2015 3:53:34 PM CEST, Mads Kiilerich <mads at kiilerich.com> wrote:
>On 07/19/2015 03:35 PM, Andrew Shadura wrote:
>> # HG changeset patch
>> # User Andrew Shadura <andrew at shadura.me>
>> # Date 1431821238 -7200
>> #      Sun May 17 02:07:18 2015 +0200
>> # Node ID 98cb64feddfb89f106f66763462061fd2ca3f412
>> # Parent  f103b1a2383bc4fba5d28f9732ba832025e3bf00
>> secure password reset implementation
>
>A couple of other things:
>
>It should make sure it doesn't go too far with changing passwords when 
>using external authentication (but also not reveal too much information
>too early). (I guess it would be nice if each authentication module had
>a customizable "tell the user how to change the password" string...)

Related to this, LDAP users currently (without patch, I haven't checked with) see a password reset link that actually sends a mail but without effect on the password. This is confusing and wrong.
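The two points raised in this thread, a reset flow that does nothing for externally authenticated accounts and a form that does not leak which accounts exist or which backend they use, can be sketched in a few dozen lines. The following is an added example written for this archive page, not Kallithea's own code or the patch under review; it assumes an in-memory user table, hypothetical `AuthModule` descriptors carrying the per-module "how to change your password" hint that Mads suggested, and a caller-supplied outbox list standing in for the mailer.

```python
"""Password-reset flow that respects the user's authentication backend.

Added example, not Kallithea's code. Assumes a tiny in-memory user table,
hypothetical AuthModule descriptors and a list-based outbox in place of a mailer.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600


class AuthModule:
    """Hypothetical backend descriptor. Internal backends can reset the password
    themselves; external ones (e.g. LDAP) only know how to tell the user where
    to change it, which is the per-module hint string suggested in the thread."""

    def __init__(self, name, manages_passwords, change_password_hint):
        self.name = name
        self.manages_passwords = manages_passwords
        self.change_password_hint = change_password_hint


AUTH_MODULES = {
    "internal": AuthModule("internal", True, None),
    "ldap": AuthModule("ldap", False,
                       "Your password is managed by the corporate directory; "
                       "change it through the LDAP self-service portal."),
}

# Constructed sample users: email, auth module, pending reset record.
USERS = {
    "alice": {"email": "alice@example.test", "auth": "internal", "reset": None},
    "bob": {"email": "bob@example.test", "auth": "ldap", "reset": None},
}

# Same message for unknown, internal and external addresses: the form itself
# must not reveal whether an account exists or how it authenticates.
GENERIC_RESPONSE = ("If an account with that email exists, an email with "
                    "further instructions has been sent.")


def _find_user_by_email(email):
    for name, user in USERS.items():
        if user["email"].lower() == email.strip().lower():
            return name, user
    return None, None


def request_password_reset(email, now=None, outbox=None):
    """Step one. Returns the user-visible message; any email goes to `outbox`."""
    now = time.time() if now is None else now
    outbox = [] if outbox is None else outbox
    _name, user = _find_user_by_email(email)
    if user is None:
        return GENERIC_RESPONSE
    module = AUTH_MODULES[user["auth"]]
    if not module.manages_passwords:
        # External backend: never mint a token. The hint is sent by email only,
        # i.e. after the requester has proven control of the address.
        outbox.append({"to": user["email"], "subject": "Password change",
                       "body": module.change_password_hint})
        return GENERIC_RESPONSE
    token = secrets.token_urlsafe(32)
    # Store only a digest of the token so a database read cannot replay it.
    user["reset"] = {"digest": hashlib.sha256(token.encode()).hexdigest(),
                     "expires": now + TOKEN_TTL_SECONDS}
    outbox.append({"to": user["email"], "subject": "Password reset",
                   "body": f"Reset link token: {token}"})
    return GENERIC_RESPONSE


def confirm_password_reset(username, token, new_password, now=None):
    """Step two. Only internal accounts with a live, matching, unused token
    may set a new password. Returns True on success."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not AUTH_MODULES[user["auth"]].manages_passwords:
        return False
    record = user["reset"]
    if record is None or now > record["expires"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not secrets.compare_digest(digest, record["digest"]):
        return False
    user["reset"] = None  # single use
    salt = secrets.token_bytes(16)
    user["password"] = (salt, hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000))
    return True
```

The LDAP case in the thread (a mail is sent, the password does not change) is avoided here by never creating a reset record for a backend that does not manage passwords; the second step rejects such accounts outright even if someone guesses a token. Keeping the hint out of the form response and inside the email is what keeps the "not too much information too early" property.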




More information about the kallithea-general mailing list