GateIn Portal / GTNPORTAL-880

password recovery may change anyone's password

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 3.0.0-GA
    • Fix Version/s: 3.0.0-GA
    • Component/s: None
    • Labels:

      Description

      It looks like anyone can change anyone else's password by using the Forgot Username / Password function.

      A first annoyance is that you can easily lock the default root account like this:
      Sign in > Forgot Username / Password > Forgot My Password
      Enter 'root'
      Now try to login with root / gtn >> you can't.

      What happened?
      GateIn has generated a new password for root and sent it to the default email address, which is root@localhost.

      Using this function, anyone would be able to change anyone else's password.

      The flow for password recovery should not regenerate a new password until the user has confirmed by clicking a generated URI in the email.
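The two flows side by side, as an added example that is not GateIn's own code: `vulnerable_forgot_password` mirrors the behaviour in the report (the password is replaced the moment anyone submits a username), while `request_reset` / `confirm_reset` implement the proposed fix, where the request only records a random, hashed, time-limited, single-use token and the password changes only when the holder of the emailed link confirms. The `UserStore`, the `portal.example` URL and the in-memory outbox are assumptions made for the demo; passwords are kept in plaintext here only to keep the example short. Note that a confirmation link still relies on the account's email address being reachable only by its owner, which the default `root@localhost` is not.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link


class UserStore:
    """Assumed in-memory stand-in for the portal's user database and mail server."""

    def __init__(self):
        self.passwords = {}  # username -> password (plaintext for the demo only)
        self.emails = {}     # username -> email address
        self.pending = {}    # sha256(token) -> (username, expires_at)
        self.outbox = []     # (recipient, body) of every mail "sent"


def _hash_token(token):
    # Store only a hash so a leaked table does not hand out live reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def vulnerable_forgot_password(store, username):
    """Behaviour described in the report: regenerate and mail the password immediately."""
    if username not in store.passwords:
        return False
    new_password = secrets.token_urlsafe(9)
    store.passwords[username] = new_password  # owner is locked out right here
    store.outbox.append((store.emails[username], f"Your new password is {new_password}"))
    return True


def request_reset(store, username, now=None):
    """Step 1 of the fixed flow: issue a confirmation link, change nothing yet."""
    now = time.time() if now is None else now
    if username in store.passwords:
        token = secrets.token_urlsafe(32)
        store.pending[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
        store.outbox.append(
            (store.emails[username], f"Confirm: https://portal.example/reset?token={token}")
        )
    # Identical reply whether or not the account exists, to avoid username enumeration.
    return "If the account exists, a confirmation link has been sent."


def confirm_reset(store, token, new_password, now=None):
    """Step 2: only a valid, unexpired, unused token may set a new password."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_hash_token(token), None)  # pop = single use
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    store.passwords[username] = new_password
    return True


def token_from_mail(body):
    """Pull the token out of a constructed confirmation mail (demo helper)."""
    return body.split("token=", 1)[1]


def run_demo():
    """Exercise both flows on a constructed 'root' account and return the observations."""
    results = {}

    weak = UserStore()
    weak.passwords["root"], weak.emails["root"] = "gtn", "root@localhost"
    vulnerable_forgot_password(weak, "root")
    results["vulnerable_locks_out_owner"] = weak.passwords["root"] != "gtn"

    fixed = UserStore()
    fixed.passwords["root"], fixed.emails["root"] = "gtn", "root@localhost"
    request_reset(fixed, "root", now=1000.0)
    results["fixed_keeps_old_password_until_confirmed"] = fixed.passwords["root"] == "gtn"

    token = token_from_mail(fixed.outbox[-1][1])
    results["confirm_with_valid_token"] = confirm_reset(fixed, token, "new-pw", now=1001.0)
    results["token_rejected_on_reuse"] = confirm_reset(fixed, token, "again", now=1002.0)

    request_reset(fixed, "root", now=2000.0)
    stale = token_from_mail(fixed.outbox[-1][1])
    results["expired_token_rejected"] = confirm_reset(
        fixed, stale, "late", now=2000.0 + TOKEN_TTL_SECONDS + 1
    )
    results["garbage_token_rejected"] = confirm_reset(fixed, "not-a-token", "x", now=2001.0)
    results["final_password"] = fixed.passwords["root"]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The important property is that `request_reset` has no side effect on the stored password, so an attacker who knows only a username can at most cause a mail to be sent to the account owner; lockout and takeover both require possession of the token from that mail.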

                People

                • Assignee: Thomas Heute (theute)
                • Reporter: Patrice Lamarque (plamarque)