taiga: make password recovery impossible for passwordless users#239
Open
mgrzeschik wants to merge 1 commit into
Conversation
…sers
By testing if the user has a valid password set in the first place, it is possible to prevent setting one for other authentication schemes.
Force-pushed from da7af6e to 7f1a28a
Author:
Just removed the change password code part, since it is a whole other story. Changing the password is already prevented for passwordless logins, since no password will ever match for the change to begin with.
This is a short fix to prevent users with no active password set for the used login scheme
from recovering the password and therefore gaining a second pair of login credentials.
This scenario can be a possible loophole to gain back access for users that were disabled
by LDAP, for example.
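The loophole described above, and the check that closes it, as an added example that is not Taiga's code and not the diff in this PR. It models an application with two login schemes: accounts with a local password and accounts provisioned from LDAP that have none. Everything here is assumed for the sake of the example: the names (User, request_password_recovery, login, LDAP_DIRECTORY, ...), the "!"-prefix convention for an unusable password (borrowed from Django's set_unusable_password), and the constructed sample accounts and directory entries.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: as in Django, a stored password starting with "!" marks an
# account that has no local password (what set_unusable_password() stores).
UNUSABLE_PREFIX = "!"
PBKDF2_ROUNDS = 100_000


def make_password(raw: str) -> str:
    """Hash a local password; the encoded string carries its own salt."""
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), PBKDF2_ROUNDS).hex()
    return f"pbkdf2_sha256${salt}${digest}"


def make_unusable_password() -> str:
    """What an LDAP-provisioned account stores: no local secret at all."""
    return UNUSABLE_PREFIX + secrets.token_hex(20)


def check_password(raw: str, encoded: str) -> bool:
    if encoded.startswith(UNUSABLE_PREFIX):
        return False  # nothing ever matches; this is why change-password needs no extra check
    _algo, salt, digest = encoded.split("$")
    calc = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), PBKDF2_ROUNDS).hex()
    return hmac.compare_digest(calc, digest)


@dataclass
class User:
    username: str
    email: str
    password: str

    def has_usable_password(self) -> bool:
        return not self.password.startswith(UNUSABLE_PREFIX)


# Constructed sample data: alice is a local account; bob was provisioned from
# LDAP and his directory entry has since been disabled by the LDAP admins.
USERS = [
    User("alice", "alice@example.org", make_password("correct horse")),
    User("bob", "bob@example.org", make_unusable_password()),
]
LDAP_DIRECTORY = {"bob": {"enabled": False, "secret": "ldap-pass"}}  # stand-in for an LDAP bind
RECOVERY_TOKENS: dict[str, str] = {}


def find_user(username_or_email: str):
    return next((u for u in USERS if username_or_email in (u.username, u.email)), None)


def ldap_bind(username: str, raw: str) -> bool:
    entry = LDAP_DIRECTORY.get(username)
    return bool(entry and entry["enabled"] and hmac.compare_digest(entry["secret"], raw))


def login(username: str, raw: str) -> bool:
    """Accounts with a local password use it; every other account must bind to LDAP."""
    user = find_user(username)
    if user is None:
        return False
    if user.has_usable_password():
        return check_password(raw, user.password)
    return ldap_bind(username, raw)


def request_password_recovery(username_or_email: str, check_usable: bool = True) -> str:
    """Return 'token-issued', 'refused' or 'unknown'.

    check_usable=False reproduces the pre-fix behaviour: any known account gets
    a recovery token, so an LDAP user can mint a local password and then log in
    through the local path even though the directory disabled the account."""
    user = find_user(username_or_email)
    if user is None:
        return "unknown"
    if check_usable and not user.has_usable_password():
        return "refused"  # the fix: no local password, so nothing to recover
    RECOVERY_TOKENS[user.username] = secrets.token_urlsafe(32)
    return "token-issued"


def complete_password_recovery(username: str, token: str, new_password: str) -> bool:
    expected = RECOVERY_TOKENS.get(username)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    find_user(username).password = make_password(new_password)
    del RECOVERY_TOKENS[username]
    return True


def change_password(username: str, current: str, new: str) -> bool:
    """Safe without a usable-password check: an unusable hash never matches."""
    user = find_user(username)
    if user is None or not check_password(current, user.password):
        return False
    user.password = make_password(new)
    return True


def demonstrate() -> dict:
    """Walk the scenario from the PR description; resets bob first so it can be re-run."""
    find_user("bob").password = make_unusable_password()
    RECOVERY_TOKENS.clear()
    out = {
        "alice_login": login("alice", "correct horse"),
        "bob_ldap_login": login("bob", "ldap-pass"),           # False: disabled in LDAP
        "bob_change_password": change_password("bob", "any", "x"),
        "bob_recovery_fixed": request_password_recovery("bob@example.org"),
        "bob_recovery_prefix": request_password_recovery("bob", check_usable=False),
    }
    out["bob_reset_prefix"] = complete_password_recovery("bob", RECOVERY_TOKENS["bob"], "new-local-pw")
    out["bob_login_after_reset"] = login("bob", "new-local-pw")  # True: LDAP is bypassed
    return out


if __name__ == "__main__":
    for step, result in demonstrate().items():
        print(f"{step}: {result}")
```

Two practical notes. The distinct "refused" and "unknown" results exist only to make the demonstration checkable; a real recovery endpoint should answer the caller identically in both cases and log the refusal server-side, otherwise it tells an attacker which accounts are LDAP-backed and which are not. And the check belongs wherever a project implements recovery with its own endpoint rather than Django's PasswordResetForm, which already skips users whose password is unusable for exactly this LDAP reason.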