[Tickets #10430] Forgot Password dialog presents empty security question if none is set

bugs at horde.org bugs at horde.org
Tue Aug 16 10:52:37 UTC 2011


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/10430
------------------------------------------------------------------------------
  Ticket             | 10430
  Created By         | Ralf Lang (B1 Systems GmbH) <lang at b1-systems.de>
  Summary            | Forgot Password dialog presents empty security question
                     | if none is set
  Queue              | Horde Base
  Version            | Git master
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Ralf Lang (B1 Systems GmbH) <lang at b1-systems.de> (2011-08-16 10:52) wrote:

HOW TO REPRODUCE:
A user enters an alternate_email but no security question/answer.
He logs out and clicks "Forgot password".
He provides username and alternate email.

EFFECT:
He is presented with an empty security question and an answer field which  
does not accept any input (an empty line complains about "required", any  
input would not match backend content).

EXPECTED BEHAVIOUR:

Either do not present security question if none is set or forbid reset  
self service if none is set. I would go for the former though there is  
a slight potential of DoS in setups where alternate_email is  
auto-set/required.

ACTION:

I would patch that according to "do not present security question if  
none is set".
Please post any disagreements.





