Open rudy1976s opened 3 years ago
Hello. After a successful password reset, the Users.resetPasswordUserId session key is persisted.
In PasswordManagementTrait there is a check to validate the reset-password confirmation workflow:
$user->id = $this->getRequest()->getSession()->read( Configure::read('Users.Key.Session.resetPasswordUserId') );
Do you think it would be better to delete it, to prevent access to the reset-password page without the confirmation workflow?
I added it in my subclass of the trait before dispatching EVENT_AFTER_CHANGE_PASSWORD.
Now if a user tries to access the reset URL without requesting a password reset, they will be redirected to login.
Rudy
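The pattern described in this issue, as an added illustration rather than the CakeDC/users plugin's own code: a controller action that gates the reset page on the `Users.Key.Session.resetPasswordUserId` session key and deletes that key once the new password is saved, before the after-change event is dispatched. Assumed (not taken from the plugin): the action name, the `$this->Users` table, the `password` field, and the event name constant defined locally here.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Core\Configure;

/**
 * Illustrative controller (not the plugin's code). Assumes the users table is
 * loaded as $this->Users and that the entity's "password" field is hashed on set.
 */
class UsersController extends AppController
{
    /** Assumed local event name; the plugin defines its own constant. */
    public const EVENT_AFTER_CHANGE_PASSWORD = 'Users.afterChangePassword';

    public function changePassword()
    {
        $session = $this->getRequest()->getSession();
        $sessionKey = Configure::read('Users.Key.Session.resetPasswordUserId');

        // Gate: only a browser that completed the token confirmation holds this key.
        $userId = $session->read($sessionKey);
        if ($userId === null) {
            $this->Flash->error(__('Please request a password reset first.'));
            return $this->redirect(['action' => 'login']);
        }

        $user = $this->Users->get($userId);
        if ($this->getRequest()->is(['post', 'put'])) {
            // Restrict marshalling to the password field so nothing else is mass-assigned.
            $user = $this->Users->patchEntity($user, $this->getRequest()->getData(), [
                'fields' => ['password'],
            ]);
            if ($this->Users->save($user)) {
                // The fix proposed above: drop the one-time key so the reset page
                // cannot be revisited without a fresh confirmation workflow.
                $session->delete($sessionKey);
                $this->dispatchEvent(self::EVENT_AFTER_CHANGE_PASSWORD, ['user' => $user]);
                $this->Flash->success(__('Password has been changed successfully.'));
                return $this->redirect(['action' => 'login']);
            }
            $this->Flash->error(__('Password could not be changed.'));
        }
        $this->set(compact('user'));
    }
}
```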
@rudy1976s is this still an issue in latest version?