View Issue Details

ID: 0008123
Project: mantisbt
Category: administration
View Status: public
Last Update: 2008-06-17 02:44
Reporter: Frank IJskes
Assigned To: giallu
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.7
Fixed in Version: 1.1.2
Summary: 0008123: Adding a user requires "$g_lost_password_feature = ON"
Description

After adding a new user, he needs to set a password. He receives a link to do this, and clicking this generates the error:

APPLICATION ERROR #1900

The 'lost your password' feature is not available.

Steps To Reproduce

Toggle the $g_lost_password_feature = ... in config_defaults_inc.php to enable or disable this problem.

Tags: No tags attached.

Relationships

related to 0008520 (closed, giallu): Following 'reset password' link gives error

Activities

seiji

2007-11-03 06:18

reporter   ~0016072

Last edited: 2007-11-03 06:51

This issue has reproduced in 1.1.0rc2.

In verify.php 31L

replace

if( OFF == config_get( 'lost_password_feature' ) ||
    OFF == config_get( 'send_reset_password' ) ||
    OFF == config_get( 'enable_email_notification' ) ) {

with

if( ( OFF == config_get( 'lost_password_feature' ) &&
    OFF == config_get( 'send_reset_password' ) ) ||
    OFF == config_get( 'enable_email_notification' ) ) {
    trigger_error( ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR );
}

This will fix 0008520

vboctor

2007-11-05 03:23

manager   ~0016085

I don't think I agree with the change. I am thinking of dropping this if statement completely. If a user is using verify.php then he/she already received the email, hence, not much use of checking email settings. We can't also check for lost password setting since verify is also used during signup.

seiji

2007-11-05 05:39

reporter   ~0016088

Now that I stop to think about it, you are right.
It is better to drop it.

tk

2008-05-19 04:19

reporter   ~0017870

As far as I can see no change regarding this issue has been made in verify.php shipped with 1.2.0a1.
Are there any plans when to fix this security related issue?

giallu

2008-05-21 04:32

reporter   ~0017888

Fixed in both trunk and 1.1.X branch (will show in 1.1.2 and 1.2.0a2)
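
The two guard conditions quoted in note ~0016072, evaluated over every combination of the three settings. This is an added example, not MantisBT code; the ON/OFF values and the array standing in for config_get() are assumptions.

```php
<?php
// Added illustration, not MantisBT code. ON/OFF values and the array-based
// lookup are assumptions standing in for MantisBT's constants and config_get().
const ON = 1;
const OFF = 0;

// Condition quoted in the thread as the existing check in verify.php.
function original_guard(array $c): bool {
    return OFF == $c['lost_password_feature']
        || OFF == $c['send_reset_password']
        || OFF == $c['enable_email_notification'];
}

// Condition proposed in note ~0016072.
function proposed_guard(array $c): bool {
    return (OFF == $c['lost_password_feature'] && OFF == $c['send_reset_password'])
        || OFF == $c['enable_email_notification'];
}

// Build one row per flag combination. A guard returning true means the
// emailed link is refused with ERROR_LOST_PASSWORD_NOT_ENABLED.
function guard_table(): array {
    $rows = [];
    foreach ([ON, OFF] as $lost) {
        foreach ([ON, OFF] as $reset) {
            foreach ([ON, OFF] as $mail) {
                $c = [
                    'lost_password_feature'     => $lost,
                    'send_reset_password'       => $reset,
                    'enable_email_notification' => $mail,
                ];
                $rows[] = $c + [
                    'original' => original_guard($c),
                    'proposed' => proposed_guard($c),
                ];
            }
        }
    }
    return $rows;
}

foreach (guard_table() as $r) {
    printf("lost=%-3s reset=%-3s mail=%-3s original=%-6s proposed=%s\n",
        $r['lost_password_feature'] ? 'ON' : 'OFF',
        $r['send_reset_password'] ? 'ON' : 'OFF',
        $r['enable_email_notification'] ? 'ON' : 'OFF',
        $r['original'] ? 'reject' : 'allow',
        $r['proposed'] ? 'reject' : 'allow');
}
```

Each "reject" row is a configuration in which a link that was already emailed is refused at verify.php, which is the situation note ~0016085 argues against.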

Related Changesets

MantisBT: master-1.1.x 8045fa17

2008-05-21 04:29

giallu


Fix 08123: Adding a user requires "$g_lost_password_feature = ON".

This also fixes 8520

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5274 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0008123, 0008520
mod - verify.php

MantisBT: master c94c6fda

2008-05-21 04:30

giallu


Fix 8123: Adding a user requires "$g_lost_password_feature = ON"

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5275 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0008123
mod - verify.php