- Issue created by @amartin_csm
- π³πΏNew Zealand quietone New Zealand
Fixes are made on on 11.x (our main development branch) first, and are then back ported as needed according to our policies. Also, 10.2 is in security mode now.
Deleting a user account while requiring email confirmation creates a one time link that is emailed to the user. The one time login link uses the user last login date as part of it's hash, so if the user logs out the logs back in during the process, the link automatically invalidates.
* Create an account.
* Log in.
* Request to delete the account.
* Log out.
* Log back in.
* Click email link.
I can see the value in having `$account->getLastLoginTime()` for password resets, but don't understand why it would form part of the hash for
account deletion requests. I would suggest refactoring the one time password hashing method, so that there's an option to generate a hash without getLastLoginTime() for scenarios such as account deletion.
Yes
No
TBD
TBD
TBD
Needs work
11.0 π₯
Last updated
Fixes are made on on 11.x (our main development branch) first, and are then back ported as needed according to our policies. Also, 10.2 is in security mode now.