[Bps-public-commit] rt-extension-resetpassword branch, master, updated. 0.05-2-g79512af
Thomas Sibley
trs at bestpractical.com
Fri Jul 12 20:30:47 EDT 2013
The branch, master has been updated
via 79512af84fe4b60a84ff9810d242cb4c51b3378d (commit)
via 45f62e07bb1886a63d2da77a32f499b635f4ad39 (commit)
from 9eddb5f5fd4bc2ab10dd466084a35c4b53eea61e (commit)
Summary of changes:
html/NoAuth/ResetPassword/Request.html | 4 +++-
lib/RT/Extension/ResetPassword.pm | 7 ++++---
2 files changed, 7 insertions(+), 4 deletions(-)
- Log -----------------------------------------------------------------
commit 45f62e07bb1886a63d2da77a32f499b635f4ad39
Author: Christian Loos <cloos at netcologne.de>
Date: Fri Jul 12 16:13:03 2013 +0200
password reset only for user with password
Without this a user without a password, who can't log in, can get a reset token
and then generate a password which enables him to log in.
This takes the control over which users can log in out of the hands of the RT admin
and is a kind of privilege escalation.
diff --git a/html/NoAuth/ResetPassword/Request.html b/html/NoAuth/ResetPassword/Request.html
index bb0982e..ca0fc17 100644
--- a/html/NoAuth/ResetPassword/Request.html
+++ b/html/NoAuth/ResetPassword/Request.html
@@ -64,7 +64,7 @@ my $title = loc("Reset your password");
if ($ARGS{'Email'} ) {
my $u = RT::User->new($RT::SystemUser);
$u->LoadByCols(EmailAddress => $ARGS{'Email'});
- if ($u->id) {
+ if ($u->id and $u->HasPassword) {
my $token = Digest::MD5->new()->add( $u->id, $u->__Value('Password'),
$RT::DatabasePassword, $u->LastUpdated, @{[$RT::WebPath]} . '/NoAuth/ResetPassword/Reset')->hexdigest();
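Review bot: the new `$u->HasPassword` guard on the `if` stops password-less accounts from being issued a token, but it covers only half of what an RT admin controls about login: an account whose principal is disabled yet still carries a password hash passes `$u->id and $u->HasPassword` and will still be mailed a reset URL. Unless the Reset page rejects disabled principals, consider extending the condition, for example `if ($u->id and $u->HasPassword and not $u->PrincipalObj->Disabled) {`. Also worth a line in the commit message: the token derivation below mixes `$u->__Value('Password')` into the MD5 digest, so an account with no real password previously contributed nothing secret from that field, and this guard removes that case too.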
@@ -86,6 +86,8 @@ RT::Interface::Email::MailError( To => $u->EmailAddress, From => $RT::OwnerEmail
push @actions, loc("RT has sent you an email message with instructions about how to reset your password");
+} elsif ($u->id) {
+push @actions, loc("You can't reset your password as you don't already have one.");
} else {
push @actions, loc("RT couldn't find a user with that email address. Give it another try?");
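Review bot: the new `elsif ($u->id)` branch turns this unauthenticated form into a three-way oracle: from the three `@actions` messages a caller can now distinguish "no account with that address", "account exists but has no password", and "account exists and has a password". The `else` branch already disclosed existence, so this widens an existing leak rather than introducing a new one, but if enumeration matters to deployments consider giving both failure branches the same neutral text, e.g. `push @actions, loc("If an account with that address is eligible, RT has sent it an email with instructions about how to reset your password");` and logging the real reason server-side instead.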
commit 79512af84fe4b60a84ff9810d242cb4c51b3378d
Author: Christian Loos <cloos at netcologne.de>
Date: Fri Jul 12 16:31:19 2013 +0200
update description after 45f62e0
diff --git a/lib/RT/Extension/ResetPassword.pm b/lib/RT/Extension/ResetPassword.pm
index 81c7a03..c761a8d 100644
--- a/lib/RT/Extension/ResetPassword.pm
+++ b/lib/RT/Extension/ResetPassword.pm
@@ -7,9 +7,10 @@ our $VERSION = '0.05';
This extension for RT adds a new "Forgot your password?" link to the front
of your RT instance. Any user can request that RT send them a password
reset token by email. RT will send the user a one-time URL which he or
-she can use to reset her password. This extension allows _all_ users to
-reset their passwords by email. There isn't yet an option to only allow
-staff users or non-staff users to reset their passwords.
+she can use to reset her password. This extension allows only users that
+already have passwords reset their passwords by email.
+There isn't yet an option to only allow privileged or unpriviliged users
+to reset their passwords.
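Review bot: two wording problems in the new POD lines: "allows only users that already have passwords reset their passwords" is missing "to" before "reset", and "unpriviliged" should be "unprivileged". Suggested replacement for the added lines: `+she can use to reset her password. This extension allows only users that` / `+already have a password to reset it by email.` / `+There isn't yet an option to only allow privileged or unprivileged users`. The mixed "he or she ... her password" in the unchanged context is pre-existing and could be made consistent while you are here.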
=head1 INSTALL
-----------------------------------------------------------------------