[dokuwiki] Re: [bug] send new password without confirmation

  • From: Jeremy <stealth702@xxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 11 Nov 2005 11:39:44 -0500

On 11/11/05, Chris Smith <chris@xxxxxxxxxxxxx> wrote:
> Jeremy wrote:
> > On 11/11/05, Chris Smith <chris@xxxxxxxxxxxxx> wrote:
> >
> >> What is your (anyone's)
> >> suggestion to make this less open to abuse?
> >>
> > well, they should know their full name or email address.  one of the two.
> >
> I don't think they make a huge difference.  If you use a normal dokuwiki
> signature and sign your contributions with it, your full name and
> registered email address will be publicly available.

Right, but only a registered user who posts would see that... so unless
you knew the old password and could make a post to see the full name
and address, you might not know what those values are.

If I don't know your password then I can't make a post as you to find
out your email address.  But, right now I can change your password and
then figure it out.  If, in order to change the password, I had to
know the email address, then I would be out of luck.

Or, instead of having it changed on the fly, have the user enter the
username AND the email address and if they match then it would send
them a new random password, then they could log in and change it. 
Instead of doing it at the login page.
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
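
The reset flow proposed in the message above, as an added example that is not part of the original post and is not DokuWiki's code. The user store, `new_random_password()`, `request_reset()` and the `$send` mailer callback are hypothetical names, and all sample data is constructed.

```php
<?php
// Constructed sample user store; the name, address and password are made up.
$users = [
    'alice' => ['mail' => 'alice@example.org',
                'hash' => password_hash('old-secret', PASSWORD_DEFAULT)],
];

// Hypothetical helper: build a random password from a CSPRNG.
function new_random_password(int $len = 12): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Hypothetical reset handler. $send is a callable(string $to, string $body)
// standing in for the wiki's mailer.
function request_reset(array &$users, string $user, string $mail, callable $send): string
{
    // Same reply whether or not the pair matched (an addition made here,
    // not something the thread proposes).
    $reply = 'If the user name and address match, a new password has been mailed.';
    $known = $users[$user]['mail'] ?? '';
    // Both values must match; a user name alone changes nothing.
    if ($known === '' || !hash_equals(strtolower($known), strtolower(trim($mail)))) {
        return $reply;
    }
    $pw = new_random_password();
    $users[$user]['hash'] = password_hash($pw, PASSWORD_DEFAULT);
    // Mail goes to the registered address, never to the one typed in the form.
    $send($known, "Your new password is: $pw\nPlease log in and change it.");
    return $reply;
}

$outbox = [];
$send = function (string $to, string $body) use (&$outbox) { $outbox[] = [$to, $body]; };

// Requester knows only the user name: the hash is untouched and no mail is sent.
$before = $users['alice']['hash'];
request_reset($users, 'alice', 'guess@example.net', $send);
var_dump($users['alice']['hash'] === $before, count($outbox));

// Owner supplies both values: a new password is mailed to the registered address.
request_reset($users, 'alice', 'alice@example.org', $send);
var_dump($users['alice']['hash'] !== $before, $outbox[0][0]);
```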
