[PATCH] secure password reset implementation

Mads Kiilerich mads at kiilerich.com
Sun Jul 26 19:33:46 UTC 2015


On 07/26/2015 08:58 PM, Andrew Shadura wrote:
> On 23/07/15 15:53, Mads Kiilerich wrote:
>> On 07/19/2015 03:35 PM, Andrew Shadura wrote:
>>> # HG changeset patch
>>> # User Andrew Shadura <andrew at shadura.me>
>>> # Date 1431821238 -7200
>>> #      Sun May 17 02:07:18 2015 +0200
>>> # Node ID 98cb64feddfb89f106f66763462061fd2ca3f412
>>> # Parent  f103b1a2383bc4fba5d28f9732ba832025e3bf00
>>> secure password reset implementation
>> A couple of other things:
>> It should make sure it doesn't go too far with changing passwords when
>> using external authentication (but also not reveal too much information
>> too early). (I guess it would be nice if each authentication module had
>> a customizable "tell the user how to change the password" string...)
> Right, I have to fix this.
...
> Or, actually, I don't need to fix it yet, as it does no harm at all for
> external users (it doesn't matter what we have in the database for them).

Agreed, it is an unrelated usability issue in this area.

>> The user is redirected to a "Code you received in the email" page ...
>> but the mail only contains a URL - no mention of any code.
> Could you please check once more? Because it's one of the things I have
> fixed in this revision of the patch.

Hmm. Right. Agreed.

/Mads