Open SansPseudoFix opened 10 months ago
I would think that if you reissue your password, you should be able to log in.
You deleted your account. But what is wrong with creating it again?
Yes, deletion should remove your data from sympa. If you want an account again, you should be able to recreate it later.
How to recreate your account is the same as how to create your account. How did you create your account the first time?
I did not check the code but I guess that "I forgot my password" uses the same mechanisms as creating an account. So it recreates the account and it looks like your account was not deleted.
To be confirmed.
@SansPseudoFix Could you try
Done.
log in and verify that you are not subscribed to any list
My account has no list in sympa/my
(and /sympa/serveradmin/users doesn't find me either (which makes sense)).
My point in creating this issue is: from a user's point of view, it doesn't make sense to recreate an account by requesting a password reset.
"Forgot my password" button should say "you don't have any account with this email address", not recreate an account.
I don’t agree with your suggestion.
If the GUI behavior changes depending on whether a particular account exists or not, an attacker can use it to know whether a particular person is registered or not.
In addition, a user who wants to use the GUI must first become a subscriber or an administrator of any list, without using the GUI.
The simplest fix could be to add a message on the "forgot password" screen saying something like:
If you don’t have an account on this server, asking for a new password will create a new account.
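The trade-off argued in this thread, as an added toy model (not Sympa's code and not written by any commenter). The policy names `reveal`, `create` and `silent`, the generic message text and the example addresses are assumptions made for illustration.

```python
"""Toy model of three "forgot my password" policies (illustrative, not Sympa code)."""
from dataclasses import dataclass, field

# Constructed wording: the same page text for every request.
GENERIC = "If this address can receive mail, a password link has been sent."

@dataclass
class Server:
    policy: str                                   # "reveal", "create" or "silent" (hypothetical names)
    accounts: set = field(default_factory=set)
    outbox: list = field(default_factory=list)    # mail reaches the mailbox owner, not the requester

    def forgot_password(self, email: str) -> str:
        """Return the page text shown to whoever submitted the form."""
        exists = email in self.accounts
        if self.policy == "reveal" and not exists:
            # Behaviour requested in the issue: the response depends on account existence.
            return "You don't have any account with this email address."
        if self.policy == "create" and not exists:
            # Behaviour reported in the issue: the account is (re)created as a side effect.
            self.accounts.add(email)
            exists = True
        if exists:
            self.outbox.append(email)
        # "silent": uniform response, no account created, no mail sent for unknown addresses.
        return GENERIC

def leaks_existence(policy: str) -> bool:
    """True if the page text differs between a registered and a deleted address."""
    s = Server(policy, accounts={"member@example.org"})
    return s.forgot_password("member@example.org") != s.forgot_password("deleted@example.org")

def resurrects_deleted(policy: str) -> bool:
    """True if a reset request for a deleted address brings the account back."""
    s = Server(policy, accounts={"member@example.org"})
    s.forgot_password("deleted@example.org")
    return "deleted@example.org" in s.accounts

if __name__ == "__main__":
    for p in ("reveal", "create", "silent"):
        print(f"{p:7} leaks_existence={leaks_existence(p)} resurrects_deleted={resurrects_deleted(p)}")
```

The model compares page text only; response timing and other side channels would need the same uniformity.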
Version
6.2.72
Expected behavior
When you delete your account, you should not be able to reconnect to it by going through the password reset request. Your account should be actually deleted.
Actual behavior
When your account is deleted, you can reconnect by using password reset page.
Steps to reproduce
/sympa/pref page
sympa/firstpasswd page
Additional information
Reported by a user who wanted his account deleted.