SUSPENDED account can +resetpassword and log in again
Bug #301720 reported by
Francis J. Lacoste
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
High
|
Curtis Hovey | ||
Bug Description
SUSPENDED account can still use the +resetpassword page to reset their passwords. This logs them in and sets their password to a valid value which means that is_valid_person becomes True again.
The LoginOrRegister view doesn't check the account status either but simply is_valid_person.
I suggest we:
a) check the account status in LoginOrRegister
b) also check the account status when creating LoginToken for +resetpassword
| Changed in launchpad-registry: | |
| importance: | Undecided → High |
| status: | New → Triaged |
Revision history for this message
| Curtis Hovey (sinzui) wrote | #1 |
| Changed in launchpad-registry: | |
| assignee: | nobody → salgado |
| milestone: | none → 2.1.12 |
| Changed in launchpad-registry: | |
| assignee: | salgado → sinzui |
| Changed in launchpad-registry: | |
| status: | Triaged → In Progress |
Revision history for this message
| Curtis Hovey (sinzui) wrote | #2 |
| Changed in launchpad-registry: | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Curtis Hovey (sinzui) wrote | #3 |
| Changed in launchpad-registry: | |
| status: | Fix Committed → Fix Released |
| visibility: | private → public |
To post a comment you must log in.
We want to add a test that show that SUSPENDed accounts cannot use the +resetpassword.