Deleted user can recover their password and that's a bad thing

VERIFIED FIXED in 5.11.8

Status

P3
normal
VERIFIED FIXED
9 years ago
3 years ago

People

(Reporter: clouserw, Assigned: davedash)

Tracking

unspecified
5.11.8

Details

(Reporter)

Description

9 years ago
Because of the awkward relationship between `users` and `auth_user`, anonymizing a user will clear out the `users` table, but not `auth_user`.  Password recovery comes from `auth_user`, so their email is still in there and is sent back to them.

Those two tables need to be cleaned up.
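The mismatch described in the report above, reproduced as an added example (not part of the original bug or of the zamboni code base). Only the table names `users` and `auth_user` come from the report; the columns, the `auth_user_id` link and all function names are assumptions, and the sample accounts are constructed.

```python
import sqlite3

# Hypothetical minimal schema: only the table names `users` and `auth_user`
# come from the bug report; every column here is an assumption.
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT,
                    auth_user_id INTEGER REFERENCES auth_user(id));
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample accounts.
    for uid, email in [(1, "alice@example.com"), (2, "bob@example.com")]:
        db.execute("INSERT INTO auth_user VALUES (?, ?, 'hash')", (uid, email))
        db.execute("INSERT INTO users VALUES (?, ?, 'name', ?)", (uid, email, uid))
    return db

def anonymize_users_only(db, uid):
    """Behaviour described in the report: only `users` is cleared."""
    db.execute("UPDATE users SET email = NULL, display_name = NULL "
               "WHERE id = ?", (uid,))

def anonymize_both(db, uid):
    """Clear both rows in one transaction so they cannot drift apart."""
    with db:  # commits on success, rolls back if either UPDATE fails
        db.execute("UPDATE auth_user SET email = NULL, password = NULL "
                   "WHERE id = (SELECT auth_user_id FROM users WHERE id = ?)",
                   (uid,))
        db.execute("UPDATE users SET email = NULL, display_name = NULL "
                   "WHERE id = ?", (uid,))

def recovery_lookup(db, email):
    """Password recovery reads `auth_user`, as the report states."""
    return db.execute("SELECT id FROM auth_user WHERE email = ?",
                      (email,)).fetchone()

def stale_auth_rows(db):
    """Audit: anonymized `users` rows whose `auth_user` row still has an email."""
    return [r[0] for r in db.execute(
        "SELECT a.id FROM users u JOIN auth_user a ON a.id = u.auth_user_id "
        "WHERE u.email IS NULL AND a.email IS NOT NULL")]
```

The `stale_auth_rows` query is the kind of audit that finds accounts anonymized before a fix, which still need their second row cleaned up.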
(Reporter)

Updated

9 years ago
Depends on: 558514
(Reporter)

Updated

9 years ago
Target Milestone: 4.x (triaged) → 5.11.8
(Reporter)

Updated

9 years ago
Duplicate of this bug: 584845
(Reporter)

Updated

8 years ago
Assignee: nobody → dd
Summary: Deleted user can recover their password → Deleted user can recover their password and that's a bad thing
(Reporter)

Updated

8 years ago
Blocks: 588536
http://github.com/jbalogh/zamboni/commits/99e1ad8
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 3

8 years ago
STR:
1. From the admin panel, make an existing user anonymous.
2. Go to the Forgot password page.
3. Enter the email of that user.

Observed behavior:
"That e-mail address doesn't have an associated user account. Are you sure you've registered?" is displayed.

Verified
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard