SUSPENDED account can +resetpassword and log in again
Bug #301720 reported by Francis J. Lacoste

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Curtis Hovey |
Bug Description
SUSPENDED accounts can still use the +resetpassword page to reset their passwords. This logs them in and sets their password to a valid value, which means that is_valid_person becomes True again.
The LoginOrRegister view doesn't check the account status either but simply is_valid_person.
I suggest we:
a) check the account status in LoginOrRegister
b) also check the account status when creating LoginToken for +resetpassword
Changed in launchpad-registry:
importance: Undecided → High
status: New → Triaged
Changed in launchpad-registry:
assignee: salgado → sinzui
Changed in launchpad-registry:
status: Triaged → In Progress
visibility: private → public
We want to add a test that shows that SUSPENDed accounts cannot use the +resetpassword.
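
A simplified model of the flaw and of the two checks suggested in the bug description, added here as an illustration; it is not Launchpad's code. `Account`, `ResetService` and `check_status` are hypothetical names, and `is_valid_person` is modelled as depending on the password alone, as the report describes.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AccountStatus(Enum):
    ACTIVE = "Active"
    SUSPENDED = "Suspended"


@dataclass
class Account:
    email: str
    status: AccountStatus
    password: Optional[str] = None  # None models an invalidated password

    @property
    def is_valid_person(self) -> bool:
        # As in the report: a valid password makes this True again,
        # so it cannot stand in for the suspension check.
        return self.password is not None


class ResetService:
    """Toy token-based reset flow; check_status=False reproduces the bug."""

    def __init__(self, check_status: bool):
        self.check_status = check_status
        self.tokens: dict = {}  # token -> Account

    def _blocked(self, account: Account) -> bool:
        return self.check_status and account.status is not AccountStatus.ACTIVE

    def request_token(self, account: Account) -> Optional[str]:
        if self._blocked(account):  # suggestion (b): no token when suspended
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = account
        return token

    def consume_token(self, token: str, new_password: str) -> bool:
        account = self.tokens.pop(token, None)
        # Extra check beyond the report: the account may have been
        # suspended after the token was issued.
        if account is None or self._blocked(account):
            return False
        account.password = new_password
        return self.may_log_in(account)  # a successful reset logs the user in

    def may_log_in(self, account: Account) -> bool:
        # Suggestion (a): test the status, not only is_valid_person.
        return not self._blocked(account) and account.is_valid_person
```
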