XMLRPC automatic user creation and password recovery issue
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
Low
|
Ruslan Kabalin | ||
Bug Description
Something to think about. The use case is:
1. Create user in moodle that would have the similar username and email to the one that already exists in Mahara (ensure "we auto-create the user" is set in XMLRPC settings). Say, we created user "test1".
2. Login to Mahara from Moodle, the new user with amended username will be created (test11). At this point we have two different usernames with the same email in Mahara.
3. Now, if original test1 forgot a password, (s)he will only be able to use username-based recovery in "Lost username/password", entering email will ends with error "The email address or username you entered doesn't match any users for this site".
The easiest way is probably ensuring that password recovery can be requested for internal users only.
| Changed in mahara: | |
| assignee: | nobody → Ruslan Kabalin (ruslan-kabalin) |
| importance: | Undecided → Low |
| Ruslan Kabalin (rkabalin) wrote | #1 |
| Changed in mahara: | |
| status: | New → Fix Committed |
| Changed in mahara: | |
| milestone: | none → 1.4.0 |
| status: | Fix Committed → Fix Released |
Just pushed the fix. It is now ensured that password recovery is requested for internal users only.