one-time link in password reset email should validate the user's account

mrfelton - October 9, 2009 - 13:05
Project: LoginToboggan
Version: 6.x-1.5
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed
Description

If you are requiring that a user enter the password on the registration page, they get added in to the pre_authenticated role, and they get an email with the validation link.

If the user follows the link in the email all is cool and they get logged in and removed from the pre auth role.

However, if the user uses the 'reset password' form, they get sent a one-time login link by user.module. When they click on the link, they are logged in to their account and they can change their password etc. But, they are not removed from the pre authenticated role, even though they have effectively just verified their email by clicking the login link that was sent to them by user.module.

#1

hunmonk - October 9, 2009 - 15:51
Status: active » needs review

please try out this patch on the latest 6.x-1.x-dev code, and let me know if it works. please test both the regular validation link that LT sends out, and the password reset approach. lemme know what you find.

Attachment: lt_pass_reset_validation.patch (4 KB)

#2

mrfelton - October 10, 2009 - 08:32
Status: needs review » reviewed & tested by the community

Yep, that works perfectly for both methods (the lt validation link, and the password reset one-time link). Thank you.

#3

hunmonk - October 10, 2009 - 22:34
Status: reviewed & tested by the community » fixed

committed to 5.x-1.x-dev, 6.x-1.x-dev, and HEAD. thanks for the catch and the testing!

#4

System Message - October 24, 2009 - 22:40
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.