samerton / NamelessMC

A complete Minecraft-related PHP website package. Please note this is an old repository; a link to the new repo is in the readme.
https://github.com/NamelessMC/Nameless
MIT License

Account Lockout [Critical Bug] #51

Closed zRiaz closed 9 years ago

zRiaz commented 9 years ago

Uhm.. So basically, if you click on "Forgot Password" and type in someone's username.. It sends them a password reset code/thing (that I do not receive due to emails not working) - And while that email gets sent the account gets inactivated.. "Your account is currently inactive. Did you request a password reset?" So basically, anyone can lock people out from their accounts until they fix the password reset thing just by typing someone else's name in the Reset Password thing.

Would consider this a pretty critical bug.

samerton commented 9 years ago

Thanks, fixed in the latest commit. If you'd like to use this fix now, please replace the contents of your pages/forgot_password.php with this code

zRiaz commented 9 years ago

I changed it, but I still get "Your account is currently inactive. Did you request a password reset?"

samerton commented 9 years ago

If you're locked out of your admin account, you'll need to manually activate your account.

In order to do this, head into your MySQL database, for example in phpMyAdmin, and navigate to the "users" table. Find your user (if you're the first admin account, you'll be the first entry) and find the "active" column. The value needs to be changed from "0" to "1".

If you have another site admin account, you can ask them to go to your account in the "Users" tab of the AdminCP and click the "Validate User" button in the top right.
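
The lockout reported at the top of this issue, as an added PHP example that is not NamelessMC's code and not the fix from the commit: a reset request that sets `active` to 0 beside one that only stores a hashed, expiring code. The `users` table and `active` column are from the thread; `reset_code`, `reset_expires`, the function names and the sample user are assumptions.

```php
<?php
// Added illustration, not NamelessMC code. "users" and "active" come from the
// thread; "reset_code", "reset_expires" and all function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, active INTEGER, reset_code TEXT, reset_expires INTEGER)');
$db->prepare('INSERT INTO users (username, password, active) VALUES (?, ?, 1)')
   ->execute(['alice', password_hash('constructed-sample', PASSWORD_DEFAULT)]);

// Behaviour reported in the issue: an unauthenticated request changes account state.
function requestResetLocksAccount(PDO $db, string $username): void {
    $db->prepare('UPDATE users SET active = 0, reset_code = ? WHERE username = ?')
       ->execute([bin2hex(random_bytes(32)), $username]);
}

// Hardened: store only a hash of the code with an expiry. "active" and the
// current password stay untouched until the code is redeemed.
function requestReset(PDO $db, string $username): string {
    $code = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET reset_code = ?, reset_expires = ? WHERE username = ?')
       ->execute([hash('sha256', $code), time() + 3600, $username]);
    return $code; // would be e-mailed to the account owner, never shown to the requester
}

function redeemReset(PDO $db, string $username, string $code, string $newPassword): bool {
    $stmt = $db->prepare('SELECT reset_code, reset_expires FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_code'] === null || (int)$row['reset_expires'] < time()
        || !hash_equals($row['reset_code'], hash('sha256', $code))) {
        return false;
    }
    $db->prepare('UPDATE users SET password = ?, reset_code = NULL, reset_expires = NULL
                  WHERE username = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    return true;
}

function isActive(PDO $db, string $username): bool {
    $stmt = $db->prepare('SELECT active FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (int)$stmt->fetchColumn() === 1;
}

requestReset($db, 'alice');
var_dump(isActive($db, 'alice'));   // after the hardened request
requestResetLocksAccount($db, 'alice');
var_dump(isActive($db, 'alice'));   // after the request pattern from the report
```

With the hardened request, a failed or undelivered e-mail leaves the owner able to log in with the existing password, so broken mail delivery no longer turns a reset request into a lockout.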