[5.x] Enable copy_reset_password_link for users with editPassword permission
#13364
+2
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
|
Without getting too far into the details, this security issue remains, so we won't be bringing it back. The person clicking on the "copy password reset link" action willingly isn't the problem. If XSS managed to get injected somehow, this action's endpoint's response - which contains the password reset url - was the problem. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I've discovered an undocumented and likely forgotten feature. Since it would be useful for a project of mine, I propose reactivating it.
I noticed it was disabled some time ago due to a security concern: #9390.
I believe the security issue might have been that a user with the
sendPasswordResetpermission could elevate their privileges by copying the reset link from a higher-ranking user. However, I can't identify any functional difference for users witheditPasswordpermissions, so I guess we can "safely" activate it for users with such permissions. It also arguably way safer, than sending one-time passwords around.