Provide a standard mechanism to determine whether a user's password can be reset.

Created on 16 February 2017, almost 8 years ago
Updated 28 August 2023, over 1 year ago

Motivation

It is desired by various issues (see below) to add a central mechanism for determining whether a user's password can be reset.

This would provide the facility to (allow contrib to):

This patch does not propose implementing the above ideas.

Proposed resolution

Standardize on a password reset access operation.

This operation does not affect existing password resets. It only affects password reset requests.

When a request for a user's password reset cannot be satisfied, the error should be vague and not leak the existence of the user, aka user enumeration .

User interface changes

None

API changes

None

Data model changes

None

Feature request
Status

Needs review

Version

11.0 🔥

Component
User module 

Last updated about 4 hours ago

Created by

🇦🇺Australia dpi Perth, Australia

Live updates comments and jobs are added and updated live.
  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024