I have seen this issue several times out there but no real solution.
Problem:
Any user can force another user's password to change... simply by selecting "request new password" and putting in their username. The user gets an email with the new password... but this feels like a violation to the user... and a pain.
Solution?
If someone requests a new password... don't blindly change it... send an email that says: "Is this a real request authorized by you? Click here to confirm; otherwise disregard this message."
Has anyone introduced this change already in 4.5 or even a planned release to 4.6 that could be backported?
David McIntosh
neofactor.com
Comments
no action yet
No one has contributed code for this. It is desired by all, I'm sure.
If it is so needed... why so long?
Hopefully Dries is looking into this as an important contribution to the 4.6 release.
I will look at the module and try to set up a scope of work document... and take a stab at it... but if someone has already started... please tell me.
David McIntosh
neofactor.com
he isn't
You are misunderstanding how this project works. Dries is not looking into this. He will only start looking when someone submits a patch for review. This feature is likely taking so long because no developer cares enough to do something about it.
Patch is in
Patch request submitted: http://drupal.org/node/18719
David McIntosh
neofactor.com
There are probably several
There are probably several similar feature requests. Simply submitting them won't get the job done. Attaching a patch might. ;-)
--
If you have troubles with a particular contrib project, please consider filing a support request. Thanks. And, by the way, Drupal 4.6 will support PHP 5.
--
Drupal services
My Drupal services
Initial Lockdown
OK... as a start I modified my user.module to prevent account ids less than 10 from requesting a password reset. This way my Admin account and core content providers are safe. They should be smart enough not to "forget their password" anyway. Shame on them if they do!
Here is the Code I added around line 911:
Just above this code:
This is only a stop gap measure... I was thinking the next quick fix could be to require the Username and Email address... at present you can simply see a username in the posts and request a password reset... that would mess with people royally. At least with requiring both, it would be harder to guess the pairs.
Just a thought. Hope this helps someone.
David McIntosh
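As an added illustration (not code from this thread, from the patch linked above, or from Drupal's user.module), here is the confirm-before-reset flow from the opening post combined with the two stop-gaps from the lockdown post: accounts below a uid cutoff are refused, and the request must supply a username AND e-mail that match. It is Python rather than PHP so it can be run and checked stand-alone; the in-memory dicts stand in for the users and pwdreset tables, the confirmation URL, account data and function names are hypothetical, and plain sha256 is used for the password field only to keep the sample short.

```python
"""Confirm-before-reset password recovery: requesting a reset changes
nothing; only following the mailed, single-use, expiring link does."""
import hashlib
import secrets
import time

# Constructed sample data standing in for the users table (hypothetical).
# Plain sha256 is used here only for brevity; a real site must use a slow,
# salted password hash.
USERS = {
    1:  {"name": "admin", "mail": "admin@example.com",
         "pass": hashlib.sha256(b"admin-old-password").hexdigest()},
    42: {"name": "dave", "mail": "dave@example.com",
         "pass": hashlib.sha256(b"dave-old-password").hexdigest()},
}

PROTECTED_BELOW_UID = 10          # the "uid less than 10" lockdown from the thread
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a confirmation link
CONFIRM_URL = "https://example.com/user/password/confirm/"  # hypothetical path

# Stand-in for the pwdreset table: sha256(token) -> {"uid", "expires"}.
# Only the hash is stored, so a leaked table does not yield usable links.
PENDING = {}


def _lookup_uid(name, mail):
    """Require the username AND the e-mail to match, so a name seen in a
    post is not enough to trigger a request against that account."""
    for uid, u in USERS.items():
        if u["name"] == name and u["mail"].lower() == mail.strip().lower():
            return uid
    return None


def request_reset(name, mail, now=None):
    """Step 1 of the flow. Nothing about the account changes here.

    Returns the confirmation link that would be e-mailed, or None when no
    mail should be sent. The web page should show the same neutral
    message in both cases so the form does not reveal which usernames or
    addresses exist.
    """
    now = time.time() if now is None else now
    uid = _lookup_uid(name, mail)
    if uid is None or uid < PROTECTED_BELOW_UID:
        return None
    token = secrets.token_urlsafe(32)               # 256 bits, URL-safe
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = {"uid": uid, "expires": now + TOKEN_TTL_SECONDS}
    return CONFIRM_URL + token


def confirm_reset(token, now=None):
    """Step 2: only following the mailed link changes the password.

    Returns (uid, new_password) on success, else None. The token is
    looked up by its hash, removed before use (single use) and rejected
    once expired.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)
    if entry is None or entry["expires"] < now:
        return None
    new_password = secrets.token_urlsafe(12)
    USERS[entry["uid"]]["pass"] = hashlib.sha256(new_password.encode()).hexdigest()
    return entry["uid"], new_password


def current_hash(uid):
    """Helper so a caller can verify whether a reset actually happened."""
    return USERS[uid]["pass"]
```

Requesting a reset for the admin account, or with a username/e-mail pair that does not match, returns None without touching anything; a valid request leaves the stored hash unchanged until the token from the link is confirmed, and the same token cannot be confirmed twice or after it expires.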
this is planned
I plan on writing the code for this quite soon.
But we're looking at a 4.7 thing.
--
The future is so Bryght, I have to wear shades.
Keep me posted please
Keep me posted please... I would love to contribute to the project.
One Note... the code above ... I changed mine to be ==1 so just the admin was excluded ... otherwise I got a red error around the default request password form... will tweak more... and see.
David McIntosh
Let's begin
This was planned as an add-on module. It's untested but it's code to begin with. Comment out the two lines that register user/password in user_menu. You need a pwdreset table for this.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
You Rock
I will test it out and let you know... Thanks so much for the patch.
I was up last night working on it as well, but yours is way ahead.
David McIntosh
neofactor.com
Just noticed this
Just noticed this and I was wondering how the testing went; this patch looks very promising indeed.
Request New Password Security
Wouldn't it be easier (and safer) for everyone to just require the user to provide their email address instead of their username to request a new password?
It seems like that's what most of the big sites I frequent require.
Jeff
Bloggator.com
Get your blog on.
** Cross Post **
I posted to the module patch request area and there was a lot of progress...
Read about it all here: http://drupal.org/node/18719
David McIntosh
neofactor.com