mahara-contributors team mailing list archive
Message #17758
[Bug 1284876] A patch has been submitted for review
Patch for "1.6_STABLE" branch: https://reviews.mahara.org/3160
https://bugs.launchpad.net/bugs/1284876
Title: Suspended users can log in via password reset email
Status in Mahara ePortfolio: Fix Committed
Status in Mahara 1.6 series: In Progress
Status in Mahara 1.7 series: In Progress
Status in Mahara 1.8 series: Fix Committed
Status in Mahara 1.9 series: Fix Committed
Bug description:
To replicate:
1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click the submit button
Expected Result: You should see the screen that says "Your account has
been suspended as of Wednesday, 26 February 2014. The reason for your
suspension is: %s"
Actual Result: You are logged in!
The good news is that you don't seem to be able to interact with anybody.
All attempts to send messages or create content give an error message
which includes the account suspension message and reason. However, you
can still read other people's content, and I haven't exhaustively
checked for all modes of interaction, so there still might be
something malicious you can do.
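The flow reported above, as an added example that is not Mahara's code or the submitted patch: a minimal Python model in which the password reset path creates a session, with and without the account-state check that normal login applies. All names (`Site`, `User`, `complete_reset`, `check_state_on_reset`) and the sample user, token and reason are constructed for illustration.

```python
from contextlib import suppress
from dataclasses import dataclass
from typing import Optional

class AccountSuspended(Exception):
    """Raised instead of creating a session for a suspended account."""

@dataclass
class User:
    username: str
    password: str                            # model only; real code stores a hash
    suspended_reason: Optional[str] = None   # None means the account is active

class Site:
    def __init__(self, check_state_on_reset):
        self.check_state_on_reset = check_state_on_reset
        self.users = {}
        self.reset_tokens = {}               # token -> username
        self.sessions = set()

    def _require_active(self, user):
        if user.suspended_reason is not None:
            raise AccountSuspended(user.suspended_reason)

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user.password != password:
            return False
        self._require_active(user)           # the normal login path enforces suspension
        self.sessions.add(username)
        return True

    def complete_reset(self, token, new_password):
        user = self.users.get(self.reset_tokens.get(token))
        if user is None:
            return False
        if self.check_state_on_reset:
            self._require_active(user)       # the check the reported flow lacks
        del self.reset_tokens[token]         # reset tokens are single use
        user.password = new_password
        self.sessions.add(user.username)     # the reset flow logs the user in
        return True

def reset_as_suspended(check_state_on_reset):
    """Return True if a suspended user holds a session after a password reset."""
    site = Site(check_state_on_reset)
    site.users["alice"] = User("alice", "old-pw", suspended_reason="constructed reason")
    site.reset_tokens["tok-1"] = "alice"     # constructed token
    with suppress(AccountSuspended):
        site.complete_reset("tok-1", "new-pw")
    return "alice" in site.sessions
```

With the check placed before the password change, a suspended account keeps its old password and gets no session; the same check belongs on every path that can create a session, not only the login form.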