#602 Lost Password can be used as denial of service or annoyance
Closed: Won't Fix a year ago by wombelix. Opened 8 years ago by puiterwijk.

At this moment, as soon as someone uses the lost password function for an account, that account is unable to log in (even with the correct password), because user.token is set.
This can be used to deny a user access if they lost access to the email address (so they can't even log in to update the address if someone else hit Lost Password on them), or as a major annoyance because the user will be unable to log in until they go to their email, click the link, and change their password.

We should probably either have a user.token_type attribute that's set to 'emailconfirmation' or 'lostpassword', or a second user.lost_password_token field, to make sure we can decide whether the user has a token because they need to confirm their email address or because they wanted to reset their password.
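As an added illustration (not FAS code and not a patch from this ticket), the following Python sketch models the proposed token_type split: a pending lost-password token no longer blocks login, while an unconfirmed email address still does, and a successful password login discards a reset token the user never asked for. The User class, login/reset functions and TOKEN_TTL are hypothetical names chosen for the sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

EMAIL_CONFIRMATION = "emailconfirmation"
LOST_PASSWORD = "lostpassword"
TOKEN_TTL = 3600  # hypothetical one-hour lifetime for reset tokens

def _hash(password: str) -> str:
    # Illustrative only: a real account system uses a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class User:
    username: str
    password_hash: str
    token: Optional[str] = None
    token_type: Optional[str] = None
    token_issued: float = 0.0

def request_lost_password(user: User, now: float) -> str:
    """Issue a reset token. This does NOT lock the account."""
    user.token = secrets.token_urlsafe(32)
    user.token_type = LOST_PASSWORD
    user.token_issued = now
    return user.token

def login(user: User, password: str, now: float) -> bool:
    # The old check was effectively "if user.token: deny", so anyone who knew a
    # username could lock its owner out. Only an unconfirmed email blocks login.
    if user.token_type == EMAIL_CONFIRMATION:
        return False
    if not hmac.compare_digest(user.password_hash, _hash(password)):
        return False
    # A successful password login makes an outstanding reset token moot;
    # clearing it also invalidates a reset request the user never made.
    if user.token_type == LOST_PASSWORD:
        user.token = user.token_type = None
    return True

def reset_password(user: User, token: str, new_password: str, now: float) -> bool:
    valid = (user.token_type == LOST_PASSWORD and user.token is not None
             and hmac.compare_digest(user.token, token)
             and now - user.token_issued <= TOKEN_TTL)
    if not valid:
        return False
    user.password_hash = _hash(new_password)
    user.token = user.token_type = None
    return True
```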


The last update was 7 years ago; there have been no further requests, updates or actionable tasks since then, so I'm going to close this issue for now to reduce our backlog.

Metadata Update from @wombelix:
- Issue close_status updated to: Won't Fix
- Issue status updated to: Closed (was: Open)

a year ago