FOSUserBundle icon indicating copy to clipboard operation
FOSUserBundle copied to clipboard

Published 20 hours ago verified publisher icon FriendsOfSymfony

Reset password access while logged in as a different user

Open darrylhein opened this issue 8 years ago • 1 comments

Ability to reset a password for the user other than the currently logged in user.

Steps to reproduce:

  1. (not logged in) Request reset for user A.
  2. Login as user B.
  3. Click reset for user A.
  4. You'll be taken to the reset form, but submitting the form will reset the password for user A (even though currently logged in as B).

I wouldn't call this a security issue, but it could be confusing for the user. I'm not sure what the best solution is:

  1. Show a message/warning/alert and: a. don't allow them to use the form, or b. allow them, but tell them their resetting the password for another user.
  2. Log them out and send them to the reset form/page.
  3. Redirect them to the login form (then redirect to their default page?).
  4. ...or?

But maybe it's not a issue worth dealing with (since it'd likely be rare as you'd need 2 accounts, etc).

Using 2.0.0-beta1

darrylhein avatar Jan 13 '17 22:01 darrylhein

The issue is probably related to: #2298

ethernal avatar Feb 15 '17 15:02 ethernal