View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002977 | mantisbt | security | public | 2003-02-20 12:35 | 2014-11-07 15:03 |

| Field | Value |
|---|---|
| Reporter | ancpru |
| Assigned To | |
| Priority | normal |
| Severity | feature |
| Reproducibility | always |
| Status | new |
| Resolution | reopened |
| Summary | 0002977: Security - User-Logging |
| Description | Some kind of user logging would be nice, e.g. "user XYZ added bug" and so on. Some nice people played around at my site, added themselves as users, then changed the user name and their e-mail to bill.gates@microsoft.com or other strange entries. It would be nice to be able to track it down to the original login (e-mail address). One additional possibility would IMO be to send a newly generated password when someone enters a new e-mail address in their user settings. |
| Tags | No tags attached. |
This feature is implemented as far as bug modifications are concerned. There is no logging of other activities. Also, if a bug is deleted, you lose its history! This is implemented in 0.18.0a2. BTW, you did not specify which version of Mantis you are using.

What about if we just send confirmation mails to the new address, and require the user to confirm?

Sorry, forgot to specify the version. It's 0.17.5. Well, yes, a confirmation mail to the new address would be nice, or a newly generated password. Is 0.18.0a2 OK for a production environment? Any drawbacks? However, a little bit more logging (quite simple stuff like "user did this or that") would be nice. BTW, is there an option to disable the ability to change the user name?

0.18.0a2 is pretty stable, but the official stable release is still 0.17.5. Of course, that's also because we still need to update the documentation. Change username? Or email?

IMO the user name should stay stable (option?).

You used to be able to change the username, which I thought was odd too. Users can no longer do this in the CVS code, only administrators. I'm a little reluctant to force the user's password to be reset every time they change their email. But I do see the possibility for abuse there. Sigh, why are people so lame?

Don't reset the password, just let them confirm the email address by clicking on some link. We can also implement a 'forgot password' in much the same way, only you'd change the password and not the email address.

So, if you just require the user to click on a link in the email to confirm a new email address, I guess that means the account would need to be disabled. How would the confirmation work?

- Change email addy in my account

In this way, the code would be fairly generic, I think. Does this sound about right?

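The confirm-by-link flow the notes above sketch (mail a link to the new address, change nothing until it is clicked, and reuse the same mechanism for 'forgot password'), as an added example in Python. It is not MantisBT code: the in-memory user table, the outbox standing in for the mailer, `SERVER_SECRET` and the one-hour token lifetime are assumptions made for this illustration. The stored address stays as it was until the link is used, so the account never needs to be disabled while a change is pending.

```python
"""Confirm-by-link for e-mail changes, with the same token primitive reused
for password reset. Added example; not MantisBT code. The user table, the
mailer outbox and the server secret below are stand-ins for illustration."""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"example-only-secret"   # assumed; load from config in practice
TOKEN_TTL_SECONDS = 3600                 # assumed one-hour link lifetime


def make_token(purpose: str, user_id: int, payload: str, now: int) -> str:
    """Build 'purpose.user_id.payload_hex.expiry.mac'. The MAC covers the
    purpose and the payload, so a password-reset token cannot be replayed as
    an e-mail-change confirmation and a link for one address cannot confirm
    a different one. Hex-encoding the payload keeps '.' out of the fields."""
    expiry = now + TOKEN_TTL_SECONDS
    body = f"{purpose}.{user_id}.{payload.encode().hex()}.{expiry}"
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token: str, expected_purpose: str, now: int):
    """Return (user_id, payload) if the token is authentic, unexpired and
    minted for the expected purpose; otherwise None. Malformed input is rejected."""
    try:
        purpose, uid, payload_hex, expiry, mac = token.split(".")
    except ValueError:
        return None
    body = f"{purpose}.{uid}.{payload_hex}.{expiry}"
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # check the MAC before trusting any field
        return None
    if purpose != expected_purpose or int(expiry) < now:
        return None
    return int(uid), bytes.fromhex(payload_hex).decode()


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """PBKDF2-SHA256 with a random 16-byte salt; returns salt || digest."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


class Accounts:
    def __init__(self):
        self.users = {}      # user_id -> {"username": ..., "email": ..., "password": ...}
        self.outbox = []     # stand-in mailer: (recipient, subject, token)
        self.used = set()    # consumed tokens; each link works exactly once

    def request_email_change(self, user_id: int, new_email: str, now: int) -> str:
        # The stored address is not touched; the link goes only to the new
        # address, so whoever controls it must prove that before it takes effect.
        # Returning the token here is for the example; in practice only the mailer sees it.
        token = make_token("email-change", user_id, new_email, now)
        self.outbox.append((new_email, "Confirm your new e-mail address", token))
        return token

    def confirm_email_change(self, token: str, now: int) -> bool:
        if token in self.used:
            return False
        result = verify_token(token, "email-change", now)
        if result is None:
            return False
        user_id, new_email = result
        self.users[user_id]["email"] = new_email
        self.used.add(token)
        return True

    def request_password_reset(self, email: str, now: int):
        """Same primitive, different purpose. The payload binds the token to the
        address it was mailed to. Unknown addresses get None, with no error."""
        for user_id, user in self.users.items():
            if user["email"] == email:
                token = make_token("password-reset", user_id, email, now)
                self.outbox.append((email, "Reset your password", token))
                return token
        return None

    def complete_password_reset(self, token: str, new_password: str, now: int) -> bool:
        if token in self.used:
            return False
        result = verify_token(token, "password-reset", now)
        if result is None:
            return False
        user_id, email = result
        if self.users[user_id]["email"] != email:   # address changed since the mail went out
            return False
        self.users[user_id]["password"] = hash_password(new_password)
        self.used.add(token)
        return True
```

Binding the purpose into the MAC is the part most often skipped: with one shared "confirmation token" a reset link mailed to an old address could otherwise be presented to the e-mail-change endpoint, or vice versa.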
I believe that this is fixed in 0.19rc1 with the addition of the send_reset_password feature.

Having a send reset password page doesn't alter whether or not we should have a log of when someone logged in, how often they log in, whether they added a bug, when they logged out, etc. Therefore, while we've addressed getting locked out of an account, it doesn't address the original question IMO. I.e., if someone were to hack into an account and log in, it might be nice to be able to see what bugs the 'hacker' resolved/deleted, etc., so that they could be recovered.

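The activity log the last note asks for, as an added example in Python and not anything from MantisBT: each event records the state before the change, so an operator can list what a hijacked account resolved or deleted after a suspicious login and restore it, and can trace an e-mail change back to the original address. The event names, the in-memory store and the sample events are constructed for this illustration.

```python
"""Per-user activity log with enough state to undo a hijacked session's work.
Added example; not MantisBT code. Event names, the in-memory store and the
sample events are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: int                       # unix time of the action
    user_id: int                  # account that performed it
    src_ip: str                   # address the session came from
    action: str                   # login, logout, bug.add, bug.resolve, bug.delete, email.change
    target: Optional[str] = None  # bug id, or the account id for email.change
    before: Optional[str] = None  # state prior to the change, kept so it can be reverted
    after: Optional[str] = None


class AuditLog:
    """Append-only. In production write to a table the web application's
    database user cannot delete from, and log before applying the change so
    a crash mid-request cannot lose the record."""

    def __init__(self):
        self._events = []

    def record(self, event: Event) -> None:
        self._events.append(event)

    def events_for(self, user_id: int, since: int = 0, until: Optional[int] = None):
        return [e for e in self._events
                if e.user_id == user_id and since <= e.ts and (until is None or e.ts <= until)]

    def logins(self, user_id: int):
        """(timestamp, source IP) for every login, so a login from an
        unfamiliar address can be matched to the changes that followed it."""
        return [(e.ts, e.src_ip) for e in self.events_for(user_id) if e.action == "login"]

    def email_history(self, user_id: int):
        """(old, new) address pairs; the earliest 'old' is the address the
        account was registered with, which is what the reporter wanted to trace."""
        return [(e.before, e.after) for e in self.events_for(user_id) if e.action == "email.change"]

    def undo_plan(self, user_id: int, since: int):
        """Reversible bug changes made by user_id at or after 'since', newest
        first, as (operation, bug id, state to restore)."""
        plan = []
        for e in reversed(self.events_for(user_id, since)):
            if e.action == "bug.delete":
                plan.append(("restore", e.target, e.before))
            elif e.action == "bug.resolve":
                plan.append(("set_status", e.target, e.before))
        return plan


def build_sample_log() -> AuditLog:
    """Constructed sample: one legitimate session, then a session from another
    address that changes the e-mail, resolves bug 15 and deletes bug 12."""
    log = AuditLog()
    for ev in [
        Event(1000, 7, "192.0.2.10", "login"),
        Event(1010, 7, "192.0.2.10", "bug.add", target="15", after="open"),
        Event(1020, 7, "192.0.2.10", "logout"),
        Event(2000, 7, "203.0.113.5", "login"),
        Event(2010, 7, "203.0.113.5", "email.change", target="7",
              before="ancpru@example.org", after="bill.gates@example.com"),
        Event(2020, 7, "203.0.113.5", "bug.resolve", target="15", before="open", after="resolved"),
        Event(2030, 7, "203.0.113.5", "bug.delete", target="12",
              before='{"summary": "crash on login"}'),
    ]:
        log.record(ev)
    return log
```

Keeping `before` on every mutating event is what makes the second half of the note possible: a bare "user 7 deleted bug 12" entry tells you what happened, but only the snapshot lets you put the bug back once its own history has gone with it.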