aspnet / Templates

This repo is OBSOLETE - please see the README file for information

AccountController ForgotPassword should check the UserId before ResetPassword #804

Closed HaoK closed 6 years ago

HaoK commented 7 years ago

Moved from: https://github.com/aspnet/Home/issues/1911#issuecomment-275184195

Today we are passing in the userId from ForgotPassword: https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/AccountController.cs#L282

But not using it when we reset: https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/AccountController.cs#L321

We should check that the User with userId matches the user that is retrieved via FindByEmail as well.

cc @blowdart
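The check described above, written out as an added example (not the template's own code, and not HaoK's). It assumes the usual Individual Auth setup: `UserManager<ApplicationUser>` injected as `_userManager`, `ForgotPassword` emitting a link with `userId` and `code` in the query string, and a reset form that carries that `userId` back in a hidden field. The `UserId` property on `ResetPasswordViewModel` and the `ResetPasswordUnchecked` action are assumptions introduced for illustration.

```csharp
// Added example, not code from aspnet/Templates. Assumes ASP.NET Core Identity
// with a string user id (IdentityUser default) and that the reset view posts
// the userId from the e-mailed link back in a hidden field.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }

public class ResetPasswordViewModel
{
    public string UserId { get; set; }          // hypothetical: copied from the callback URL
    public string Email { get; set; }
    public string Code { get; set; }            // password reset token from the link
    public string Password { get; set; }
    public string ConfirmPassword { get; set; }
}

public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;

    public AccountController(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    // The pattern the issue describes: the user is looked up only by the
    // e-mail typed into the form, and the userId from the link is ignored.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> ResetPasswordUnchecked(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        var user = await _userManager.FindByEmailAsync(model.Email);
        if (user == null) return RedirectToAction(nameof(ResetPasswordConfirmation));
        var result = await _userManager.ResetPasswordAsync(user, model.Code, model.Password);
        if (result.Succeeded) return RedirectToAction(nameof(ResetPasswordConfirmation));
        foreach (var error in result.Errors) ModelState.AddModelError(string.Empty, error.Description);
        return View(model);
    }

    // Hardened form: the user found by e-mail must be the user the link was
    // issued for, otherwise the request is treated exactly like "no such user".
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        var user = await _userManager.FindByEmailAsync(model.Email);
        var userId = user == null ? null : await _userManager.GetUserIdAsync(user);

        // Same redirect for "unknown e-mail" and "e-mail does not belong to the
        // user in the link", so the response does not reveal which accounts exist.
        if (user == null || !string.Equals(userId, model.UserId, StringComparison.Ordinal))
        {
            return RedirectToAction(nameof(ResetPasswordConfirmation));
        }

        var result = await _userManager.ResetPasswordAsync(user, model.Code, model.Password);
        if (result.Succeeded)
        {
            return RedirectToAction(nameof(ResetPasswordConfirmation));
        }

        foreach (var error in result.Errors)
        {
            ModelState.AddModelError(string.Empty, error.Description);
        }
        return View(model);
    }

    [HttpGet, AllowAnonymous]
    public IActionResult ResetPasswordConfirmation() => View();
}
```

Two points worth keeping in mind when applying this. First, the mismatch branch deliberately returns the same confirmation redirect as the unknown-e-mail branch, so the extra check does not become an account-enumeration oracle. Second, with Identity's default `DataProtectorTokenProvider` the reset token itself embeds the user id and security stamp, so `ResetPasswordAsync` already rejects a token presented against a different user; the explicit comparison makes the binding between link and form independent of the token provider in use and of the e-mail address, which is user-editable, being the only lookup key.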

Eilon commented 6 years ago

This issue was moved to aspnet/templating#96