#602 Lost Password can be used as denial of service or annoyance
Opened 3 years ago by puiterwijk. Modified 3 years ago

At this moment, as soon as someone uses the lost password function for an account, that account is unable to login (even with the correct password), because user.token is set.
This can be used to deny a user access if they lost access to the email address (so they can't even login to update the address if someone else hit Lost Password on them), or as a major annoyance because the user will be unable to login until they go to their email, click the link, and change their password.

We should probably either have a user.token_type attribute that's set to 'emailconfirmation' or 'lostpassword', or a second user.lost_password_token field, to make sure we can decide whether the user has a token because they need to confirm their email address or because they wanted to reset their password.
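The following is an added illustration (not Pagure's own code) of the login-gating problem this ticket describes and of the proposed `token_type` split. The `User` class, the `TOKEN_*` constants and the function names are hypothetical; only the two token purposes (`'emailconfirmation'` and `'lostpassword'`) come from the ticket. `login_current` reproduces the reported behaviour, where any pending `token` blocks login, and `login_fixed` shows how distinguishing the token's purpose lets a pending lost-password request coexist with a normal password login.

```python
"""Model of the 'Lost Password blocks login' issue and the token_type fix.

Added example, not Pagure code. All identifiers here are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Token purposes named in the ticket.
TOKEN_EMAIL_CONFIRM = "emailconfirmation"
TOKEN_LOST_PASSWORD = "lostpassword"


@dataclass
class User:
    username: str
    password_hash: bytes
    salt: bytes
    token: Optional[str] = None        # single pending token, as on the page
    token_type: Optional[str] = None   # proposed: what the token is for


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash the real project uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(username, hash_password(password, salt), salt)


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash,
                               hash_password(password, user.salt))


def start_email_confirmation(user: User) -> str:
    """Account created or address changed: user must confirm the address."""
    user.token = secrets.token_urlsafe(32)
    user.token_type = TOKEN_EMAIL_CONFIRM
    return user.token  # would be mailed to the address


def request_lost_password(user: User) -> str:
    """Anyone can trigger this from the public 'Lost Password' form."""
    user.token = secrets.token_urlsafe(32)
    user.token_type = TOKEN_LOST_PASSWORD
    return user.token  # would be mailed to the address


def login_current(user: User, password: str) -> bool:
    """Behaviour described in the ticket: any pending token refuses login,
    so a third party hitting 'Lost Password' locks the real user out."""
    if user.token:
        return False
    return check_password(user, password)


def login_fixed(user: User, password: str) -> bool:
    """Proposed fix: only an unconfirmed email address gates login.
    A pending lost-password token is ignored; the password still works."""
    if user.token and user.token_type == TOKEN_EMAIL_CONFIRM:
        return False
    return check_password(user, password)


def complete_lost_password(user: User, token: str, new_password: str) -> bool:
    """Reset via the emailed link; wrong purpose or wrong token is rejected."""
    if not user.token or user.token_type != TOKEN_LOST_PASSWORD:
        return False
    if not hmac.compare_digest(user.token, token):
        return False
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)
    user.token = None
    user.token_type = None
    return True


if __name__ == "__main__":
    alice = make_user("alice", "correct horse battery staple")
    request_lost_password(alice)  # someone else submits the form
    print("current:", login_current(alice, "correct horse battery staple"))
    print("fixed:  ", login_fixed(alice, "correct horse battery staple"))
```

With the fix, a lost-password request that the user never asked for is simply a token that expires unused; the account stays reachable, and the user can still log in to change the address if the mailbox is gone. The email-confirmation case keeps its gating behaviour because there the whole point is that the address is not yet trusted.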
