mahara-contributors team mailing list archive
Message #17782
[Bug 1284876] A change has been merged
Reviewed: https://reviews.mahara.org/3160
Committed: http://gitorious.org/mahara/mahara/commit/3475f03a3569b91ea787bc0049d85c1b4c77896d
Submitter: Son Nguyen (son.nguyen@xxxxxxxxxxxxxxx)
Branch: 1.6_STABLE
commit 3475f03a3569b91ea787bc0049d85c1b4c77896d
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date: Wed Feb 26 12:28:35 2014 +1300
Check that account is valid before logging in via password reset
Bug1284876: Without this, a suspended user can log in via a password
reset email
Change-Id: I5cb8f2978cdc2c6c0a6975a3fbfd2dfdc1d9bcc5
https://bugs.launchpad.net/bugs/1284876
Title:
  Suspended users can log in via password reset email
Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.6 series:
  In Progress
Status in Mahara 1.7 series:
  In Progress
Status in Mahara 1.8 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed
Bug description:
To replicate:
1. Suspend a user account
2. Log out
3. Click on the "forgot password" link, and enter the username for the suspended user
4. Receive the password reset email for that user, click on the link
5. The link takes you to the password reset screen. Fill in a new password there and click the submit button
Expected Result: You should see the screen that says "Your account has
been suspended as of Wednesday, 26 February 2014. The reason for your
suspension is: %s"
Actual Result: You are logged in!
The good news is that you don't seem to be able to interact with anybody.
All attempts to send messages or create content give an error message
which includes the account suspension message and reason. However, you
can still read other people's content, and I haven't exhaustively
checked for all modes of interaction, so there still might be
something malicious you can do.
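The missing check named in the commit message, as an added example (not Mahara's code and not the code from this commit): a self-contained PHP model of a password-reset completion handler in which the `$checkAccount` flag switches between the behaviour in the bug report and the fixed behaviour. All function, field and token names are hypothetical, the sample user and token are constructed, and the deleted-account check goes beyond the suspended case the report covers.

```php
<?php
// Added illustration: hypothetical names throughout, not Mahara's code.
declare(strict_types=1);

final class AccountInactive extends RuntimeException {}

// One gate that every login path calls, however the user proved identity.
function ensure_account_can_log_in(array $user): void
{
    if ($user['deleted']) {
        throw new AccountInactive('account deleted');
    }
    if ($user['suspended_at'] !== null) {
        throw new AccountInactive('account suspended: ' . $user['suspended_reason']);
    }
}

// Completes a reset: validate the token, then set the password and log in.
function complete_password_reset(array &$users, array &$tokens, string $token,
    string $newPassword, int $now, bool $checkAccount): array
{
    $entry = $tokens[$token] ?? null;
    if ($entry === null || $entry['expires'] < $now) {
        return ['ok' => false, 'error' => 'invalid or expired reset link'];
    }
    unset($tokens[$token]); // reset links are single use
    $name = $entry['user'];
    if ($checkAccount) { // the fixed path; false reproduces the reported bug
        try {
            ensure_account_can_log_in($users[$name]);
        } catch (AccountInactive $e) {
            return ['ok' => false, 'error' => $e->getMessage()];
        }
    }
    $users[$name]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return ['ok' => true, 'session_user' => $name]; // caller starts the session
}

// Constructed sample data: one suspended user and one valid reset token.
$now = 1393400000;
$users = ['alice' => ['password_hash' => '', 'deleted' => false,
    'suspended_at' => 1393370915, 'suspended_reason' => 'constructed sample']];
foreach ([false, true] as $checkAccount) {
    $tokens = ['tok-constructed' => ['user' => 'alice', 'expires' => $now + 3600]];
    $result = complete_password_reset($users, $tokens, 'tok-constructed',
        'constructed-passphrase', $now, $checkAccount);
    echo $checkAccount ? 'with check:    ' : 'without check: ', json_encode($result), PHP_EOL;
}
```

Routing the ordinary login form, the reset flow and any other sign-in path through the same gate keeps the account-state check from being skipped when a new path is added.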