It is very easy to circumvent the admin approval requirement of the Auth fixture. If a user whose account is pending asks for a password reset, the registration pending action token gets replaced with a password renewal token. After the user changes the password, he is let in without any admin intervention. Perhaps tokens should not be replaced but chained in the action_token field?
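The failure described above is a state-tracking problem: the "account pending approval" fact and the "password reset in progress" fact share one slot, so the second overwrites the first. The following toy model, added here as an illustration and not code from py4web or the Auth fixture, simulates both designs: a single `action_token` slot that gets replaced, and a chained list of tokens in which the reset token is consumed while the pending-approval token survives. All names (`User`, `register`, `request_password_reset_*`, `login_*`) are constructed for the example.

```python
"""Toy model of an approval-gated account whose workflow state lives in an
action-token field (constructed example, not the project's own code)."""
import secrets
from dataclasses import dataclass, field

PENDING = "pending-approval:"
RESET = "reset-password:"


@dataclass
class User:
    email: str
    password: str
    action_token: str = ""                      # single slot (flawed design)
    action_tokens: list = field(default_factory=list)  # chained tokens (fixed design)


def register(user: User) -> None:
    """Registration leaves the account pending until an admin approves it."""
    token = PENDING + secrets.token_hex(8)
    user.action_token = token
    user.action_tokens = [token]


def request_password_reset_vulnerable(user: User) -> str:
    """Flawed: overwrites the slot, so the pending-approval marker is lost."""
    token = RESET + secrets.token_hex(8)
    user.action_token = token
    return token


def request_password_reset_fixed(user: User) -> str:
    """Fixed: appends the reset token; the pending-approval token is kept."""
    token = RESET + secrets.token_hex(8)
    user.action_tokens.append(token)
    return token


def reset_password_vulnerable(user: User, token: str, new_password: str) -> bool:
    if not secrets.compare_digest(user.action_token, token):
        return False
    user.password = new_password
    user.action_token = ""          # clearing the only slot makes the account look approved
    return True


def reset_password_fixed(user: User, token: str, new_password: str) -> bool:
    match = [t for t in user.action_tokens if secrets.compare_digest(t, token)]
    if not match:
        return False
    user.password = new_password
    user.action_tokens.remove(match[0])   # consume only the reset token
    return True


def login_vulnerable(user: User, password: str) -> str:
    if not secrets.compare_digest(user.password, password):
        return "bad-credentials"
    if user.action_token.startswith(PENDING):
        return "pending-approval"
    return "ok"


def login_fixed(user: User, password: str) -> str:
    if not secrets.compare_digest(user.password, password):
        return "bad-credentials"
    if any(t.startswith(PENDING) for t in user.action_tokens):
        return "pending-approval"
    return "ok"


def demo_vulnerable() -> str:
    """Reproduces the reported bypass: pending user resets password, then logs in."""
    u = User("alice@example.test", "old-password")
    register(u)
    assert login_vulnerable(u, "old-password") == "pending-approval"
    t = request_password_reset_vulnerable(u)
    assert reset_password_vulnerable(u, t, "new-password")
    return login_vulnerable(u, "new-password")      # "ok": approval gate skipped


def demo_fixed() -> str:
    """Same sequence with chained tokens: the approval gate still holds."""
    u = User("alice@example.test", "old-password")
    register(u)
    t = request_password_reset_fixed(u)
    assert reset_password_fixed(u, t, "new-password")
    return login_fixed(u, "new-password")           # "pending-approval"


if __name__ == "__main__":
    print("single slot :", demo_vulnerable())
    print("chained     :", demo_fixed())
```

Chaining the tokens is the minimal change the report suggests; an equally valid hardening is to keep approval status in its own column rather than encoding it in the same field as one-off workflow tokens, so that no token-handling path can accidentally clear it. Either way, the login check must consult the approval state, not merely the absence of a token.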
On Mon, May 2, 2022, 01:36 zejdad ***@***.***> wrote:
It is very easy to circumvent the admin approval requirement of the Auth fixture. If a user whose account is pending asks for a password reset, the registration pending action token gets replaced with a password renewal token. After the user changes the password, he is let in without any admin intervention. Perhaps tokens should not be replaced but chained in the action_token field?