
Reset password #932

Open
rudy1976s opened this issue Jan 15, 2021 · 1 comment

Comments

@rudy1976s

Hello
After a successful password reset, the Users.resetPasswordUserId session key is persisted.

In PasswordManagementTrait there is a check to validate the reset password confirmation workflow:

// In PasswordManagementTrait: the user id stored in the session by the reset confirmation step
$user->id = $this->getRequest()->getSession()->read(
    Configure::read('Users.Key.Session.resetPasswordUserId')
);

Do you think it would be better to delete it to prevent access to the reset-password page without the confirmation workflow?

I added it in my subclass of the trait before dispatching EVENT_AFTER_CHANGE_PASSWORD.

Now if a user tries to access the reset URL without requesting a password reset, they will be redirected to login.

Rudy
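The behaviour described in this issue, as an added example that is not code from the issue author or from the CakeDC/Users plugin: a plain PHP array stands in for the CakePHP session (Cake\Http\Session exposes read() and delete() with the same shape), and the constant RESET_KEY and the three function names are assumptions made for the illustration. It runs the reset flow twice, once leaving the session marker in place and once deleting it on success, so the difference in what a second visit to the reset URL gets is visible.

```php
<?php
// Added example, not the plugin's code. An array models the session so this
// runs without the framework; in CakePHP the equivalent of the unset() below is
// $this->getRequest()->getSession()->delete(Configure::read('Users.Key.Session.resetPasswordUserId')).

const RESET_KEY = 'Users.resetPasswordUserId'; // assumed key name for the illustration

// Set when the user follows the confirmation link from the reset e-mail.
function confirmPasswordReset(array &$session, int $userId): void
{
    $session[RESET_KEY] = $userId;
}

// What a visit to the reset URL gets: the reset page if a confirmed reset is
// in progress, otherwise a redirect to login.
function visitResetPage(array $session): string
{
    return isset($session[RESET_KEY]) ? 'reset page' : 'redirect to login';
}

// Completes the reset. With $clearKey the one-time marker is removed right
// after the password change, before EVENT_AFTER_CHANGE_PASSWORD would fire.
function completeReset(array &$session, bool $clearKey): bool
{
    if (!isset($session[RESET_KEY])) {
        return false; // no confirmed reset in progress, nothing to do
    }
    // (password update for $session[RESET_KEY] happens here)
    if ($clearKey) {
        unset($session[RESET_KEY]);
    }
    return true;
}

// Marker left in the session: the reset page stays reachable after success.
$session = [];
confirmPasswordReset($session, 42);
completeReset($session, false);
echo 'marker persisted, second visit: ' . visitResetPage($session) . PHP_EOL;

// Marker deleted on success: a second visit is sent back to login.
$session = [];
confirmPasswordReset($session, 42);
completeReset($session, true);
echo 'marker deleted,   second visit: ' . visitResetPage($session) . PHP_EOL;
```

The point the example makes is that the session key is a one-time authorisation for a single reset; once the reset has completed it no longer proves anything, so deleting it closes the window in which the same browser session could reach the reset page again.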

@ajibarra
Member

@rudy1976s is this still an issue in latest version?
