I set up user 1 on my experimental site with the name "admin", and at some point was playing with the "request new password" dialog. I typed "admin" into the dialog and hit the "Email new password" button. Drupal did exactly that - it changed the password to my admin account.
I was surprised how easy that was for anyone to do. There were no restrictions on who could change the admin password, as long as they knew there was an "admin" account. Given that I know loads of account names in drupal.org (there are thousands all through these forums) can't I use this to change someone's password without their wanting to?
I'm not suggesting it's a security issue - after all the new password goes to the user, not me - but it would be a damn inconvienence. I can set any user such that they can't get into their drupal.org account without going to their email to find the new password, can't I?
If my site goes live I'd be inclined to change the code such that in order to get a new password, the user has to supply both the username (which everyone knows) and the email address (which would be a lot harder to find out).
Or have I got this wrong?
Comments
right
you are right, there used to be a unique url you had to visit mailed to the user /before/ the password was changed. it might be good to reintroduce that functionality.
--
groets
bertb
--
groets
bert boerland
umm, uh..
I think you have it backward. 4.6 this was identified as an issue of long standing and in 4.7 someone supplied the code for the current email unique URL to change password .....
I think the existing password will work and the link will time out but don't have time to check
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide
way before
in the earlier versions of drupal (2? 3?) , there /was/ this functionality that is out 4.6 and is now back again in 4.7; an unique url. so no, i dont have it backwards.
--
groets
bertb
--
groets
bert boerland
I don't remember now but I
I don't remember now but I saw that this issue was discussed. Maybe there will be a better request new password function in 4.7 version.
disable request password change.
There have been several inquiries on here that asked if the "request password change"
could be disabled all together.
since Groups still don't work quite as I imagined it, a site I run actually has users sharing a logon name.
it would be nice to have a group and several users under it, but until that is perfected, i think sharing a logon name works.... and users shouldn't have the ability to reset passwords in that scenario.
thanks.
modified user.module
I've had a simular problem where we wanted to maintain a database of users end their passwords.
Our users tend to use the phone if they lost a password.
I've modified the user module so the link to request a new password doesn't appear on the bottom of the login-block. A user can still change his password through the account settings page.
Using the user_readonly module you can make certain profile fields such as a password field, read_only for the user.
http://drupal.org/node/53103
Curently combining both makes it impossible for a regular user to change his password.
I can't upload the file here, send me a message and i'll mail it to you.
PS: the hole group thing is possible but it sure is a pain to get everything working. It depends on the group structure I thing. and what you want to do with it.
Defining groups as users would be a great improvement for larger sites. Ill make a different post about it later. Maybe get a discussion going about it
user.module modifications
Hi,
I've run into similar problems where I don't want people to request for a new password.
I tried to modify user.module but that didn't have the desired effect. I even commented out the lines of code that produced the link(or so I thought).
Is there a painless way to do this?
Thanks