User cancel confirmation link becomes invalid if user logs out then back in during the process.

Created on 27 June 2024, about 1 year ago

Updated 3 July 2024, about 1 year ago

Problem/Motivation

Deleting a user account while requiring email confirmation creates a one time link that is emailed to the user. The one time login link uses the user last login date as part of it's hash, so if the user logs out the logs back in during the process, the link automatically invalidates.

Steps to reproduce

* Create an account.
* Log in.
* Request to delete the account.
* Log out.
* Log back in.
* Click email link.

Proposed resolution

I can see the value in having `$account->getLastLoginTime()` for password resets, but don't understand why it would form part of the hash for
account deletion requests. I would suggest refactoring the one time password hashing method, so that there's an option to generate a hash without getLastLoginTime() for scenarios such as account deletion.

Remaining tasks

Yes

User interface changes

API changes

TBD

Data model changes

TBD

Release notes snippet

TBD

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

User module →

Last updated 3 days ago

Maintained by
🇺🇸United States @moshe weitzman
🇧🇪Belgium @kristiaanvandeneynde

Created by

amartin_csm

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @amartin_csm
Comment about 1 year ago →
🇳🇿New Zealand quietone
Fixes are made on on 11.x (our main development branch) first, and are then back ported as needed according to our policies. Also, 10.2 is in security mode now.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024