[ckan-changes] [ckan/ckan] 2e5bc9: Password reset request - generally tighten it up
GitHub
noreply at github.com
Fri Jan 25 13:46:29 UTC 2019
Branch: refs/heads/security_dont_confirm_if_user_exists_2
Home: https://github.com/ckan/ckan
Commit: 2e5bc9bb17ac45e0a876290bee5818db94a3d3c7
https://github.com/ckan/ckan/commit/2e5bc9bb17ac45e0a876290bee5818db94a3d3c7
Author: David Read <david.read at hackneyworkshop.com>
Date: 2019-01-25 (Fri, 25 Jan 2019)
Changed paths:
M ckan/logic/action/get.py
M ckan/logic/auth/get.py
M ckan/templates/user/request_reset.html
M ckan/tests/controllers/test_user.py
M ckan/tests/logic/action/test_get.py
M ckan/tests/logic/auth/test_get.py
M ckan/views/user.py
Log Message:
-----------
Password reset request - generally tighten it up
* Can only specify name or email - not the looser search done by model.User.search()
which allowed: partial name, partial fullname (and if sysadmin: partial emails) etc
(This was originally loose to be helpful, but the balance with security changed)
* Don't confirm whether a user exists or not
* Logging for audit purposes
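As an added example (not CKAN's own code, and not taken from this commit) of the three points the commit message lists, the Python below contrasts a loose substring search over name, fullname and, for sysadmins, email with an exact username-or-email lookup; returns the same message whether or not an account matched; and writes an audit entry for every request. The `User` dataclass, the constructed sample user table, and the function names are assumptions for illustration only.

```python
"""Password reset request hardening: exact lookup, no existence oracle, audit log.

Added example; the user model and helper names are assumptions, not CKAN's API.
"""
import logging
from dataclasses import dataclass
from typing import Callable, List, Optional

log = logging.getLogger("password_reset")


@dataclass(frozen=True)
class User:
    name: str
    fullname: str
    email: str


# Constructed sample user table (assumption, stands in for the real user store).
USERS: List[User] = [
    User("alice", "Alice Anderson", "alice@example.org"),
    User("bob", "Bob Brown", "bob@example.org"),
]


def loose_search(query: str, users: List[User] = USERS, sysadmin: bool = False) -> List[User]:
    """'Before' behaviour: substring match on name and fullname, plus email for sysadmins.

    A partial query such as "ali" is enough to discover that an account exists,
    which is exactly the enumeration the tightened version removes.
    """
    q = query.lower()
    hits = []
    for u in users:
        if q in u.name.lower() or q in u.fullname.lower():
            hits.append(u)
        elif sysadmin and q in u.email.lower():
            hits.append(u)
    return hits


def exact_lookup(identifier: str, users: List[User] = USERS) -> List[User]:
    """'After' behaviour: exact match on username, or case-insensitive match on email.

    Returns every match so the caller can refuse ambiguous identifiers
    (for example two accounts registered with the same email address).
    """
    ident = identifier.strip()
    return [u for u in users if u.name == ident or u.email.lower() == ident.lower()]


# One fixed response, identical whether or not an account matched.
RESET_MESSAGE = "If that account exists, a password reset link has been emailed."


def request_reset(
    identifier: str,
    users: List[User] = USERS,
    send_email: Optional[Callable[[User], None]] = None,
    audit: Optional[Callable[[str], None]] = None,
) -> str:
    """Handle a reset request without confirming whether the account exists."""
    audit = audit or log.info
    matches = exact_lookup(identifier, users)
    if len(matches) == 1:
        user = matches[0]
        audit("password reset requested for user %r" % user.name)
        if send_email is not None:
            send_email(user)
    elif matches:
        # Ambiguous identifier: do nothing user-visible, but leave an audit trail.
        audit("password reset requested for ambiguous identifier %r (%d matches)"
              % (identifier, len(matches)))
    else:
        audit("password reset requested for unknown identifier %r" % identifier)
    # Same message on every path, so the response cannot be used as an oracle.
    return RESET_MESSAGE


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("loose 'ali' ->", [u.name for u in loose_search("ali")])
    print("exact 'ali' ->", [u.name for u in exact_lookup("ali")])
    print(request_reset("alice"))
    print(request_reset("nobody"))
```

One caveat a reviewer would add: a constant response body is only half of the fix. If the branch that actually sends mail takes measurably longer than the no-match branch, response timing becomes the oracle instead, so hand the email off to a background queue rather than sending it inline, and keep the audit entry for the unknown-identifier case so repeated probing is visible in logs.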
**NOTE:** GitHub Services has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
We will provide an alternative path for the email notifications by January 31st, 2019.