#10589 closed defect (bug) (invalid)
Changeset 11804 breaks password reminder
| Reported by: | Denis-de-Bernardy | Owned by: | westi |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.8.3 |
| Component: | Security | Keywords: | has-patch reporter-feedback |
| Focuses: | | Cc: | |
Description
Shouldn't it also try the email?
Attachments (1)
Change History (8)
#1
@
15 years ago
- Keywords has-patch added
- Summary changed from Changeset 10804 breaks password reminder to Changeset 11804 breaks password reminder
#2
follow-up:
↓ 4
@
15 years ago
- Keywords reporter-feedback added
- Owner changed from ryan to westi
- Priority changed from high to normal
- Severity changed from blocker to normal
- Status changed from new to accepted
#3
@
15 years ago
Exactly, the user_login is included in the custom URL in the password reset email (line 164). Where would the user_email come from so it limits the query on line 196?
#4
in reply to:
↑ 2
@
15 years ago
Replying to westi:
> Why do we need to check the email?

Because, if you use the form, it says enter your username or email. That would be why.
Why do we need to check the email?
This code is processing the link that the user clicks on or copies from the email they are sent by the password reset request form.
The data is never user-entered, and the email contains the username even when they specify an email address.