Closed Bug 87589 Opened 23 years ago Closed 23 years ago

User Accounts are created only when emailing the password !

Categories

(Bugzilla :: Bugzilla-General, defect)

x86
Windows 2000
defect
Not set
normal

VERIFIED DUPLICATE of bug 86029

People

(Reporter: Leufkes, Assigned: justdave)

Details

On my two BZ installations (2.10 and 2.13) a user account is created when entering a nonexistent e-mail address and then clicking on "send me the password". This is not createaccount.cgi, but /query.cgi?GoAheadAndLogIn=1, which you can reach by "Log out" and "Log in". I think this is a bug (and a security problem). Passwords of nonexistent users should not be sent and the user should not be created by default.
This is by design. If you have never used Bugzilla before and try to do something that requires a password, it's much easier on the user if they get set up on the spot than it is to make them go create an account from the main createaccount system. The only way I can see this as being a security problem is if you don't want new accounts created at all (in which case you'd want createaccount.cgi disabled as well). I could swear we had another bug somewhere on creating an option to disable new account creation, but I can't find it. I was going to mark this as a duplicate of it. Perhaps it's only been discussed on the newsgroup or something. If that really is what you had in mind, we can just morph this bug to cover that. Is that what you had in mind, or did I miss the point?
I agree with the reporter's sentiment here. It only takes an unnoticed typo to create an unneeded new account. In my opinion we should say that the account does not exist, and give them a link to click on to create the account (with the existing login name already stored). I wouldn't call that a "critical" problem though. Regarding the create account restriction issue, that is bug #86029.
Yes Dave, that is exactly what I want. I have to add all new users personally, so I hide createaccount.cgi on the index.htm and the footer. In my opinion, creating an account and sending the password of an existing account are very different. Perhaps a simple "Account does not exist, want to create now ..." could help. I would prefer an option for whether accounts should be created by default or not. A hint that the account does not exist should be helpful anyway. OK, I changed to normal ;-)
Severity: critical → normal
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
In that case, this is a dupe. :) Matty, since it did stray from the original topic here, you can file another bug for the typo-induced account creation thing. *** This bug has been marked as a duplicate of 86029 ***
Verified, and filed bug #87779.
Status: RESOLVED → VERIFIED
moving to Bugzilla product
reassign to default owner/qa for INVALID/WONTFIX/WORKSFORME/DUPLICATE
Assignee: tara → justdave
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → unspecified
QA Contact: matty_is_a_geek → default-qa