Make the password reset CLI script log out the user

Bug #1471103 reported by Aaron Wells on 2015-07-03
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | | Medium | Robert Lyon |
16.10 | | Medium | Unassigned |
17.04 | | Medium | Unassigned |
17.10 | | Medium | Unassigned |
18.04 | | Medium | Robert Lyon |

Bug Description

In Bug 1396564 we added a command-line script for resetting Mahara passwords.

Robert pointed out that this script should end any current sessions for the user. The idea is that, if their password needs to be reset because their account has been hacked, then we should kick out any remaining sessions that are logged in, because the attacker could use those to re-reset their password.
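
The reasoning in the description above, as an added example that is not Mahara's code or the committed patch: a reset that changes only the password leaves a session opened earlier valid, while deleting the account's session rows in the same transaction ends it. The SQLite schema, table names and function names are hypothetical.

```python
import hashlib, secrets, sqlite3
# Hypothetical schema for illustration; these are not Mahara's tables.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, salt BLOB, pwhash BLOB);
CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER);
"""

def _pwhash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _tokhash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def create_user(db, username, password):
    salt = secrets.token_bytes(16)
    return db.execute("INSERT INTO users (username, salt, pwhash) VALUES (?,?,?)",
                      (username, salt, _pwhash(password, salt))).lastrowid

def open_session(db, user_id):
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?,?)", (_tokhash(token), user_id))
    return token

def session_user(db, token):
    row = db.execute("SELECT user_id FROM sessions WHERE token_hash = ?",
                     (_tokhash(token),)).fetchone()
    return row[0] if row else None

def cli_reset_password(db, username, new_password, revoke_sessions=True):
    """Set a new password; return how many sessions were ended."""
    with db:  # one transaction: password change and logout commit together
        row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            raise LookupError(f"no such user: {username}")
        salt = secrets.token_bytes(16)
        db.execute("UPDATE users SET salt = ?, pwhash = ? WHERE id = ?",
                   (salt, _pwhash(new_password, salt), row[0]))
        if not revoke_sessions:  # the behaviour this bug report describes
            return 0
        return db.execute("DELETE FROM sessions WHERE user_id = ?", (row[0],)).rowcount

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    uid = create_user(db, "alice", "old-password")  # constructed sample account
    stale = open_session(db, uid)  # session opened before the reset
    cli_reset_password(db, "alice", "new-password-1", revoke_sessions=False)
    survived = session_user(db, stale) == uid  # old session still authenticates
    ended = cli_reset_password(db, "alice", "new-password-2")
    return survived, ended, session_user(db, stale)
```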

Aaron Wells (u-aaronw) wrote :
Changed in mahara:
status: New → In Progress
importance: Undecided → Low
milestone: none → 15.10.0
information type: Public → Public Security
Aaron Wells (u-aaronw) on 2016-04-28
no longer affects: mahara/15.10
no longer affects: mahara/16.04
Changed in mahara:
milestone: 15.10.1 → 16.10.0
Changed in mahara:
assignee: nobody → Aaron Wells (u-aaronw)
Robert Lyon (robertl-9) on 2016-10-20
Changed in mahara:
milestone: 16.10.0 → 16.10.1
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.10.1 → 17.04.0
Robert Lyon (robertl-9) on 2017-03-29
Changed in mahara:
status: In Progress → Confirmed
milestone: 17.04.0 → 17.10.0
importance: Low → Medium
assignee: Aaron Wells (u-aaronw) → nobody
Robert Lyon (robertl-9) on 2017-09-19
Changed in mahara:
milestone: 17.10.0 → 18.04.0
Robert Lyon (robertl-9) on 2017-10-27
Changed in mahara:
assignee: nobody → Robert Lyon (robertl-9)
Robert Lyon (robertl-9) on 2018-01-09
Changed in mahara:
status: Confirmed → In Progress

Reviewed: https://reviews.mahara.org/8412
Committed: https://git.mahara.org/mahara/mahara/commit/8224721372cbf66cf742938879fa0f30f18ca47f
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 8224721372cbf66cf742938879fa0f30f18ca47f
Author: Robert Lyon <email address hidden>
Date: Wed Jan 10 08:58:19 2018 +1300

Bug 1471103: Force user to login after password reset via CLI script

Kill any sessions that the account may have active

behatnotneeded

Change-Id: I602fe94262c453eae1f5e1faf83d7709720bd906
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2018-01-09
Changed in mahara:
status: In Progress → Fix Committed
Mahara Bot (dev-mahara) wrote :

Patch for "17.04_STABLE" branch: https://reviews.mahara.org/8414

Mahara Bot (dev-mahara) wrote :

Patch for "16.10_STABLE" branch: https://reviews.mahara.org/8415

Reviewed: https://reviews.mahara.org/8415
Committed: https://git.mahara.org/mahara/mahara/commit/1463b86d6c414b94af7759924358c8a77c5572b2
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 1463b86d6c414b94af7759924358c8a77c5572b2
Author: Robert Lyon <email address hidden>
Date: Wed Jan 10 08:58:19 2018 +1300

Bug 1471103: Force user to login after password reset via CLI script

Kill any sessions that the account may have active

behatnotneeded

Change-Id: I602fe94262c453eae1f5e1faf83d7709720bd906
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8224721372cbf66cf742938879fa0f30f18ca47f)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8414
Committed: https://git.mahara.org/mahara/mahara/commit/a3f4c200910b98bdd0de19510cfac023eee5ad3e
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit a3f4c200910b98bdd0de19510cfac023eee5ad3e
Author: Robert Lyon <email address hidden>
Date: Wed Jan 10 08:58:19 2018 +1300

Bug 1471103: Force user to login after password reset via CLI script

Kill any sessions that the account may have active

behatnotneeded

Change-Id: I602fe94262c453eae1f5e1faf83d7709720bd906
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8224721372cbf66cf742938879fa0f30f18ca47f)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8413
Committed: https://git.mahara.org/mahara/mahara/commit/3996e0a7b8cb5e141419acfbaeb1ec9f8b537cd9
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.10_STABLE

commit 3996e0a7b8cb5e141419acfbaeb1ec9f8b537cd9
Author: Robert Lyon <email address hidden>
Date: Wed Jan 10 08:58:19 2018 +1300

Bug 1471103: Force user to login after password reset via CLI script

Kill any sessions that the account may have active

behatnotneeded

Change-Id: I602fe94262c453eae1f5e1faf83d7709720bd906
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8224721372cbf66cf742938879fa0f30f18ca47f)

This report contains Public Security information
Everyone can see this security related information.