[ckan-changes] [ckan/ckan] 2e5bc9: Password reset request - generally tighten it up

GitHub noreply at github.com
Fri Jan 25 13:46:29 UTC 2019

  Branch: refs/heads/security_dont_confirm_if_user_exists_2
  Home:   https://github.com/ckan/ckan
  Commit: 2e5bc9bb17ac45e0a876290bee5818db94a3d3c7
  Author: David Read <david.read at hackneyworkshop.com>
  Date:   2019-01-25 (Fri, 25 Jan 2019)

  Changed paths:
    M ckan/logic/action/get.py
    M ckan/logic/auth/get.py
    M ckan/templates/user/request_reset.html
    M ckan/tests/controllers/test_user.py
    M ckan/tests/logic/action/test_get.py
    M ckan/tests/logic/auth/test_get.py
    M ckan/views/user.py

  Log Message:
  Password reset request - generally tighten it up

* Can only specify name or email - not the looser search done by model.User.search()
  which allowed: partial name, partial fullname (and if sysadmin: partial emails) etc
  (This was originally loose to be helpful, but the balance with security changed)
* Don't confirm whether a user exists or not
* Logging for audit purposes
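The two behaviours contrasted in this commit message, as an added Python illustration (not CKAN's own code): a loose substring search over name, fullname and email beside an exact-match lookup, and a reset handler that returns the same message whether or not the identifier matched while recording the attempt for audit. The user table, the `send_email` callback, the `remote_addr` argument and the response text are constructed assumptions.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("password_reset_audit")


@dataclass(frozen=True)
class User:
    name: str
    fullname: str
    email: str


# Constructed sample user table standing in for the application's user model.
USERS = [
    User("alice", "Alice Example", "alice@example.org"),
    User("alicia", "Alicia Sample", "alicia@example.org"),
]


def loose_search(term):
    """Loose lookup: substring match on name, fullname and email.
    A partial identifier such as 'ali' matches several accounts, and the
    number of hits reveals which accounts exist."""
    t = term.lower()
    return [u for u in USERS
            if t in u.name.lower() or t in u.fullname.lower() or t in u.email.lower()]


def exact_lookup(identifier):
    """Tightened lookup: the identifier must equal a user name or e-mail exactly
    (plain string equality here, an assumption of this example)."""
    matches = [u for u in USERS if u.name == identifier or u.email == identifier]
    return matches[0] if len(matches) == 1 else None


# One fixed response for every request, so the reply does not confirm whether
# the account exists (constructed wording).
NEUTRAL_RESPONSE = "If an account matches that name or email, a reset link has been sent to it."


def request_reset(identifier, send_email, remote_addr):
    """Handle a reset request: act only on an exact match, log either outcome
    for audit, and return the same message in both cases."""
    user = exact_lookup(identifier)
    if user is not None:
        send_email(user)
        log.info("password reset requested for user %r from %s", user.name, remote_addr)
    else:
        log.info("password reset requested for unknown identifier %r from %s", identifier, remote_addr)
    return NEUTRAL_RESPONSE
```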

      **NOTE:** GitHub Services has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      We will provide an alternative path for the email notifications by January 31st, 2019.
