Ticket #3989 (closed defect: fixed)

Opened 5 years ago

Last modified 2 years ago

Email verification required and password reset with notification effectively disabled locking users

Reported by: olaf.meeuwissen@avasys.jp
Assigned to: hasienda
Priority: high
Component: AccountManagerPlugin
Severity: normal
Keywords: user lock notification verify email password reset
Cc: sagar.behere@gmail.com
Trac Release: 0.11

Description

I effectively locked myself out by changing my email address via the preferences for a project that used the default notification.smtp_enabled value of false. It would probably be a good idea to disable email verification in that case because the verification message never comes.

Attachments

acct_mgr-r4679-no-verify-without-smtp.patch (0.8 kB) - added by otaku42 on 11/26/08 21:37:12.

Change History

10/29/08 07:34:09 changed by pacopablo

  • owner changed from mgood to pacopablo.
  • status changed from new to assigned.
  • release changed from 0.10 to 0.11.
  • priority changed from normal to high.

Agreed. The quick fix is to set:

[components]
acct_mgr.web_ui.EmailVerificationModule = disabled

in trac.ini and restart your webserver.

I'll work on a better fix soon.

11/26/08 21:37:12 changed by otaku42

  • attachment acct_mgr-r4679-no-verify-without-smtp.patch added.

(follow-up: ↓ 5 ) 11/26/08 21:40:03 changed by otaku42

The attached patch disables e-mail verification if [notification] smtp_enabled is not set to True. It applies to trunk, r4679. I have lightly tested it with Trac 0.11.2.

09/26/10 15:48:29 changed by hasienda

  • cc set to sagar.behere@gmail.com.
  • keywords set to user lock notification verify email password reset.
  • summary changed from email verification assumes notification is enabled to Email verification required and password reset with notification effectively disabled locking users.

As #7187 suggests, there is a similar issue with changing passwords without notification disabled.

This requires an additional fix.

10/10/10 23:53:18 changed by hasienda

(In [9277]) AccountManagerPlugin: Enforce email verification, closes #5509.

These are the changes provided by izzy and updated by dake, just slightly modified to better fit to surrounding code. We still need to take care for a possible dead-lock situation, when notification is disabled, refs #3989.

(in reply to: ↑ 2 ) 10/16/10 03:19:57 changed by hasienda

  • owner changed from pacopablo to hasienda.
  • status changed from assigned to new.

Replying to otaku42:

The attached patch disables e-mail verification if [notification] smtp_enabled is not set to True. It applies to trunk, r4679. I have lightly tested it with Trac 0.11.2.

To properly take care of this issue, we'll need to keep checking for (un)availability of AnnouncerPlugin in mind as well.

06/12/11 21:48:18 changed by hasienda

(In [10284]) AccountManagerPlugin: Don't start email verification without email setup, refs #3989.

The basic check currently includes TracNotification and TracAnnouncer. Any verification in-process is still expected to be finished in order to lift restricted permissions for this user.

And I remove some debug logging that has been committed unintentionally before.

06/21/11 20:53:14 changed by hasienda

  • status changed from new to assigned.

As AcctMgr has no way to check if the email setup is functional, this is the best that could be done now.

So I recommend to go with this solution at least for the next release, even if it feels a little clumsy. Enhancement by smarter code is always appreciated.

07/07/11 22:11:23 changed by hasienda

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [10393]) AccountManagerPlugin: Releasing version 0.3, pushing development to 0.4.

This new feature release finally propagates a number of solutions into an official release, after some time of testing with trunk, so explicitly closes #442, #816, #2966, #3989, #4160, #6821, #7111, #8534, #8549, #8663, #8813, #8892, #8925, #8936 and #8939.

Should have made this months ago, but felt so many pending issues were too bad for a new release. But it has been a tremendous ticket burndown since last year, so it's really worth considering an upgrade now. See fresh changelog for details.

07/07/11 23:10:25 changed by hasienda

(In [10395]) AccountManagerPlugin: Releasing version 0.3, pushing development to 0.4.

This new feature release finally propagates a number of solutions into an official release, after some time of testing with trunk, so explicitly closes #442, #816, #2966, #3989, #4160, #6821, #7111, #8534, #8549, #8663, #8813, #8892, #8925, #8936 and #8939.

Should have made this months ago, but felt so many pending issues were too bad for a new release. But it has been a tremendous ticket burndown since last year, so it's really worth considering an upgrade now. See fresh changelog for details.

08/02/11 00:04:36 changed by hasienda

(In [10519]) AccountManagerPlugin: Make option verify_email effective for RegistrationModule too, refs #3153, #3989, #5509 and #9051.

Only module state (enabled/disabled) has been checked before, when deciding on the email address field being optional vs. required since changeset [9304].
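
The condition this ticket describes, as an added example that is not part of the ticket or of AccountManagerPlugin's code: a check of a trac.ini for email verification being active while [notification] smtp_enabled is off. The [account-manager] section name, the verify_email default of true, and treating a component with no matching rule as enabled are assumptions; the TracAnnouncer side of the check is not covered.

```python
from configparser import ConfigParser

TRUE_WORDS = {"1", "true", "yes", "on", "enabled"}
# configparser lowercases option names, so compare in lower case
VERIFY_MODULE = "acct_mgr.web_ui.emailverificationmodule"

def _as_bool(value):
    return value.strip().lower() in TRUE_WORDS

def component_state(cfg, name):
    """True/False from the most specific [components] rule, None if no rule matches."""
    best, state = -1, None
    if not cfg.has_section("components"):
        return None
    for pattern, value in cfg.items("components"):
        prefix = pattern[:-2] if pattern.endswith(".*") else pattern
        matches = name == prefix or name.startswith(prefix + ".")
        if matches and len(prefix) > best:
            best, state = len(prefix), _as_bool(value)
    return state

def lockout_risk(ini_text):
    """True when a verification mail would be required but can never be sent."""
    cfg = ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    # smtp_enabled defaults to false, as the ticket description notes
    smtp = _as_bool(cfg.get("notification", "smtp_enabled", fallback="false"))
    # Assumption: section name and default of the verify_email option
    verify = _as_bool(cfg.get("account-manager", "verify_email", fallback="true"))
    # Assumption: no matching rule (None) is treated as enabled, to stay conservative
    module = component_state(cfg, VERIFY_MODULE)
    return (not smtp) and verify and module is not False

# Constructed sample configurations
RISKY = """[components]
acct_mgr.* = enabled
[notification]
smtp_enabled = false
"""
WORKAROUND = RISKY.replace(
    "acct_mgr.* = enabled",
    "acct_mgr.* = enabled\nacct_mgr.web_ui.EmailVerificationModule = disabled")
SMTP_ON = RISKY.replace("smtp_enabled = false", "smtp_enabled = true")

if __name__ == "__main__":
    for label, text in [("risky", RISKY), ("workaround", WORKAROUND), ("smtp on", SMTP_ON)]:
        print(label, lockout_risk(text))
```
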

