Skip to content

allow using of disabled password reset mechanism for special cases #28794

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Pytal merged 1 commit into from
Sep 15, 2021
Merged

allow using of disabled password reset mechanism for special cases #28794

Pytal merged 1 commit into from
Sep 15, 2021

Conversation

@blizzz
Copy link
Member

@blizzz blizzz commented Sep 10, 2021
edited by skjnldsv
Loading

  • LostController has three endpoints
  • door opener email() still rejects
  • resetform(), reachable from mail, checks the token first and may report
    that password reset is disabled
  • setPassword() got its check removed as it is behind CSFR anyway and still
    requires a valid token
  • this allows special cases like activating a freshly created guest account

fixes nextcloud/guests#85

How to reproduce

  1. add to config.php: 'lost_password_link' => 'disabled',
  2. enable guest app
  3. invite guest user
  4. on the received invitation email, click "activate"

@blizzz blizzz added this to the Nextcloud 23 milestone Sep 10, 2021
@blizzz blizzz requested review from a team, CarlSchwan, ChristophWurst, Pytal, icewind1991 and skjnldsv and removed request for a team September 10, 2021 20:43
@blizzz blizzz mentioned this pull request Sep 10, 2021
Closed
@blizzz blizzz force-pushed the fix/noid/guest-activation-pwd-reset-disabled branch from 7c786b4 to a843d3c Compare September 10, 2021 20:47
@blizzz
allow using of disabled password reset mechanism for special cases
a843d3c 
- LostController has three endpoints
- door opener email() still rejects
- resetform(), reachable from mail, checks the token first and may report
  that password reset is disabled
- setPassword() got its check removed as it is behind CSFR anyway and still
  requires a valid token
- this allows special cases like activating a freshly created guest account

Signed-off-by: Arthur Schiwon <[email protected]>
@skjnldsv
Copy link
Member

skjnldsv commented Sep 14, 2021

Nice catch!

@skjnldsv

This comment has been minimized.

Sign in to view
@blizzz

This comment has been minimized.

Sign in to view
@Pytal Pytal merged commit 3a94d7c into master Sep 15, 2021
@Pytal Pytal deleted the fix/noid/guest-activation-pwd-reset-disabled branch September 15, 2021 01:29
@Pytal Pytal added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Sep 15, 2021
@Pytal
Copy link
Member

Pytal commented Sep 15, 2021

/backport to stable22

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Sep 15, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skjnldsv skjnldsv skjnldsv approved these changes

@Pytal Pytal Pytal approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

@icewind1991 icewind1991 Awaiting requested review from icewind1991

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

Assignees

No one assigned

Labels

4. to release Ready to be released and/or waiting for tests to finish bug feature: users and groups

Projects

None yet

Milestone

Nextcloud 23

Development

Successfully merging this pull request may close these issues.

Password change is disabled

4 participants

@blizzz @skjnldsv @Pytal