Remove any places where a password goes out in email

Bug #601109 reported by Paul Everitt
This bug affects 1 person
Affects: KARL3
Status: Fix Released
Importance: Medium
Assigned to: JimPGlenn
Milestone:

Bug Description

It's been asserted that for some interaction with some group (perhaps "change password" for affiliates), we send out the password in an email.

As the first step in this task, scan all the email templates and report back any occurrences where a password goes out in email. Remember to also look in the OSI customization package.

Once we see where the problem is, we'll give some detail on what to replace it with for the second part of the task.

Test Plan
==========

1) Log in as an affiliate.

2) Go to MY PROFILE, then Edit, then click the "Change Password" link at the end of the introductory paragraph.

3) Complete the process of changing your password. Make sure you can safely change your password.

4) Also, ensure that you do NOT receive an email message during the course of changing your password.

Paul Everitt (paul-agendaless) wrote :

Carlos, let's make this the next thing you do in M43 once you reply about whether lp:601099 is quick.

Changed in karl3:
assignee: nobody → Carlos de la Guardia (cguardia)
importance: Undecided → Medium
milestone: none → m43
Changed in karl3:
status: New → In Progress
Carlos de la Guardia (cguardia) wrote :

Do all mail templates start with email_ or is it possible that some don't? If they do, then the only one I could find was email_change_password.pt.

If it's possible that some other view or template that does not have email in the name is an email template, I might need to take a deeper look.

Paul Everitt (paul-agendaless) wrote :

Assigning to Jason to give us the new text for what the email_change_password.pt template should have.

It currently says:

  <body>
    <div>Your user name for ${system_name} is <em>${login}</em>.</div>
    <div>Your new password is <em>${password}</em>.</div>
  </body>

Some of the possible choices:

1) Send an email simply noting that the password on the account ${login} for the ${system_name} was recently changed.

2) Don't send an email when the password has been changed.

Both of those choices are under 1h of work, including tidying up (unit tests, staging testing).

Changed in karl3:
assignee: Carlos de la Guardia (cguardia) → Jason Lantz (jasontlantz)
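
An added example, not part of the original ticket or of KARL's own code: one way to run the audit requested in the bug description without relying on the `email_` filename prefix, by scanning every `.pt` template for rendered expressions that name a password. The function names and the two sample templates other than the one quoted in the ticket are constructed for illustration.

```python
import re
from pathlib import Path

# A ${...} interpolation, or the value of a tal:content / tal:replace attribute.
EXPR = re.compile(r'\$\{([^}]*)\}|tal:(?:content|replace)\s*=\s*"([^"]*)"')
SENSITIVE = re.compile(r"passw(?:or)?d", re.IGNORECASE)

def find_password_output(text):
    """Return (line_number, expression) for each rendered expression naming a password."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in EXPR.finditer(line):
            expr = m.group(1) or m.group(2) or ""
            if SENSITIVE.search(expr):
                hits.append((lineno, expr.strip()))
    return hits

def scan_templates(root):
    """Scan every *.pt file under root, whatever its name, and map path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.pt")):
        hits = find_password_output(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed samples: the first body is the template quoted in the ticket,
# the other two are invented to show a non-email_ name and a harmless mention.
SAMPLES = {
    "email_change_password.pt": """<body>
  <div>Your user name for ${system_name} is <em>${login}</em>.</div>
  <div>Your new password is <em>${password}</em>.</div>
</body>""",
    "welcome.pt": '<p>Temporary password: <b tal:content="user.password">x</b></p>',
    "email_invite.pt": "<p>Set your password at ${reset_url}.</p>",
}

def demo(tmpdir):
    """Write the constructed samples into tmpdir and scan them."""
    for name, body in SAMPLES.items():
        Path(tmpdir, name).write_text(body, encoding="utf-8")
    return scan_templates(tmpdir)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for path, hits in demo(d).items():
            for lineno, expr in hits:
                print(f"{path}:{lineno}: renders {expr!r}")
```

The match is on the expression name only, so a password handed to a template under a different variable name is not flagged; views that build mail bodies in code still need a manual review.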
Jason Lantz (jasontlantz) wrote :

I am in favor of option 2, not sending an email.

Paul Everitt (paul-agendaless) wrote :

Re-assigning to Carlos to finish based on Jason's response.

Changed in karl3:
assignee: Jason Lantz (jasontlantz) → Carlos de la Guardia (cguardia)
Paul Everitt (paul-agendaless) wrote :

Carlos, you still planning to work on this one?

Changed in karl3:
status: In Progress → Fix Committed
Paul Everitt (paul-agendaless) wrote :

Wrote a test plan in the body of the ticket and assigned to Jim for testing.

description: updated
Changed in karl3:
assignee: Carlos de la Guardia (cguardia) → JimPGlenn (jpglenn09)
JimPGlenn (jpglenn09) wrote :

fixed

Changed in karl3:
status: Fix Committed → Fix Released