Closed
Bug 87589
Opened 23 years ago
Closed 23 years ago
User Accounts are created only when emailing the password !
Categories
(Bugzilla :: Bugzilla-General, defect)
People
(Reporter: Leufkes, Assigned: justdave)
Details
On my two BZ installations (2.10 and 2.13) a user account is created when
entering a non-existing email address and then clicking on "send me the password".
This is not the createaccount.cgi, but /query.cgi?GoAheadAndLogIn=1, which you
can reach by "Log out" and "Log in". I think this is a bug (and a security
problem). Passwords of non-existing users should not be sent and the user
should not be created by default.
Assignee
Comment 1•23 years ago
This is by design. If you have never used Bugzilla before and try to do
something that requires a password, it's much easier on the user if they get set
up on the spot than it is to make them go create an account from the main
createaccount system.
The only way I can see this as being a security problem is if you don't want new
accounts created at all (in which case you'd want createaccount.cgi disabled as
well).
I could swear we had another bug somewhere on creating an option to disable new
account creation, but I can't find it. I was going to mark this as a duplicate
of it. Perhaps it's only been discussed on the newsgroup or something. If that
really is what you had in mind, we can just morph this bug to cover that.
Is that what you had in mind, or did I miss the point?
Comment 2•23 years ago
I agree with the reporter's sentiment here. It only takes an unnoticed typo to
create an unneeded new account. In my opinion we should say that the account
does not exist, and give them a link to click on to create the account (with the
existing login name already stored). I wouldn't call that a "critical" problem
though.
Regarding the create account restriction issue, that is bug #86029.
Reporter
Comment 3•23 years ago
Yes Dave, that is exactly what I want.
I have to add all new users personally, so I hide the createaccount.cgi on the
index.htm and the footer.
In my opinion, creating an account and sending the password of an existing
account are very different. Perhaps a simple "Account does not exist, want to
create now ..." could help. I would prefer an option for whether accounts should be
created by default or not. A hint that the account does not exist should be
helpful anyway.
OK, I changed to normal ;-)
Severity: critical → normal
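The behaviour discussed in the comments above, as an added example that is not Bugzilla's code and not part of the original thread: one password-request handler with the "create on the spot" behaviour beside the two alternatives the commenters propose. The function names, the three mode names and the sample addresses are assumptions made for illustration.

```python
# Added illustration; not Bugzilla code. Names and modes are hypothetical.
MODES = ("auto", "confirm", "disabled")

def request_password(email, accounts, outbox, mode="auto"):
    """Handle a "send me the password" request for `email`.

    accounts: set of known login names (mutated only when an account is created)
    outbox:   list of (recipient, kind) tuples standing in for sent mail
    mode:     "auto"     - unknown address becomes an account on the spot
                           (the behaviour the thread calls "by design")
              "confirm"  - report that the account is missing and offer creation
              "disabled" - report that the account is missing, nothing else
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if email in accounts:
        outbox.append((email, "password"))
        return "password_sent"
    if mode == "auto":
        accounts.add(email)                 # account created as a side effect
        outbox.append((email, "password"))
        return "account_created"
    if mode == "confirm":
        return "no_such_account_offer_create"
    return "no_such_account"

def run_typo_case(mode):
    """Constructed input: an existing user mistypes their own address."""
    accounts = {"alice@example.com"}
    outbox = []
    result = request_password("alcie@example.com", accounts, outbox, mode)
    return result, sorted(accounts), outbox

if __name__ == "__main__":
    for mode in MODES:
        print(mode, run_typo_case(mode))
```

In the "auto" mode the mistyped address ends up as a second account and receives mail; the other two modes leave the account list and the outbox untouched.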
Assignee
Updated•23 years ago
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Assignee
Comment 4•23 years ago
In that case, this is a dupe. :) Matty, since it did stray from the original
topic here, you can file another bug for the typo-induced account creation thing.
*** This bug has been marked as a duplicate of 86029 ***
Assignee
Comment 6•23 years ago
moving to Bugzilla product
reassign to default owner/qa for INVALID/WONTFIX/WORKSFORME/DUPLICATE
Assignee: tara → justdave
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa