Closed Bug 264122 Opened 20 years ago Closed 20 years ago

mailing lists as pseudo users: "I lost my password..."

Categories

(Bugzilla :: User Accounts, defect)

Product:
Bugzilla
Component:
User Accounts
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: harlan+bugzilla.com, Assigned: myk)

Details

User-Agent:       Mozilla/5.0 Galeon/1.2.10 (X11; Linux i686; U;) Gecko/20030314
Build Identifier: Mozilla/5.0 Galeon/1.2.10 (X11; Linux i686; U;) Gecko/20030314

We have a mailing list set up for bug reports.  We decided we needed to create a
bugzilla account and probably hacked something to have this "user" be auto-cc'd
on all bug traffic.  I think we discovered we had to create a bugzilla account
for this list in order for this to work.

The problem is: what happens if somebody clicks the 'I forgot my password' link?
In this case, bugzilla will send the URL to the list, and somebody can then
log in via that link and mess us up.

Is there a better way to solve this problem?  We're curently running 2.16.something.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
disable the account. (put something in "disabledtext" on the account).

Right now, that still sends mail.  That someday may change, but it's a safe
thing to do right now.  It's a common enough usage there will probably be some
provision to support accounts that aren't allowed to log in but still get mail
in the future.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.