[midPoint] Mail password reset bug
Radovan Semancik
radovan.semancik at evolveum.com
Tue Jul 4 10:18:40 CEST 2017
Hi,
In fact this is not a bug. Step 3 is in fact user authentication by
means of the nonce provided in the mail message. Therefore it is OK that the
user is logged in at this point. However, session authorizations are
limited, so the only thing the user is allowed to do is reset his own
password.
--
Radovan Semancik
Software Architect
evolveum.com
On 07/03/2017 09:31 PM, Wojciech Staszewski wrote:
> Got another "exotic bug". Lucky me... Today's snapshot.
>
> Reset password via mail. Steps to reproduce:
>
> 1. Open Midpoint login screen. Click "Forgot password"
> 2. Enter e-mail address, click "Reset password". The mail is sent.
> 3. Open the link from the mail. You will see the reset password form.
> Don't do anything on it.
> 4. Open Midpoint on another tab, or click "backward" on the
> "Confirmation link was sent" screen.
> 5. You're logged in.
>
> Regards,
> WS
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
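
The behaviour described in the reply, as an added sketch that is not midPoint code and not part of the original thread: the mailed nonce authenticates the user, and the resulting session carries only the authorization to reset that user's own password. All names, the action strings and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical action names; midPoint's real authorization identifiers differ.
RESET_OWN_PASSWORD = "reset-own-password"
FULL_LOGIN_ACTIONS = frozenset({RESET_OWN_PASSWORD, "view-dashboard", "edit-profile"})
NONCE_TTL_SECONDS = 15 * 60  # assumed lifetime of a mailed link

_pending = {}  # sha256(nonce) -> (user, expiry); the raw nonce is never stored


@dataclass(frozen=True)
class Session:
    user: str
    authorizations: frozenset


def _clock(now):
    return time.time() if now is None else now


def issue_reset_nonce(user, now=None):
    """Create the single-use secret that goes into the mailed link."""
    nonce = secrets.token_urlsafe(32)
    digest = hashlib.sha256(nonce.encode()).hexdigest()
    _pending[digest] = (user, _clock(now) + NONCE_TTL_SECONDS)
    return nonce


def authenticate_with_nonce(nonce, now=None):
    """Step 3: opening the link authenticates the user, with a narrow session."""
    digest = hashlib.sha256(nonce.encode()).hexdigest()
    entry = _pending.pop(digest, None)  # pop makes the nonce single-use
    if entry is None or _clock(now) > entry[1]:
        return None
    return Session(entry[0], frozenset({RESET_OWN_PASSWORD}))


def password_login_session(user):
    """Contrast case: a normal login gets the full authorization set."""
    return Session(user, FULL_LOGIN_ACTIONS)


def is_authorized(session, action, target_user):
    """Every request is checked against the session's own authorization set."""
    if session is None or action not in session.authorizations:
        return False
    # A password reset is only ever allowed on the session's own account.
    return action != RESET_OWN_PASSWORD or target_user == session.user
```

Opening another tab (step 4) reuses the same session, so a request for any other page fails the `is_authorized` check even though the user is logged in.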