View Issue Details

ID: 0026884
Project: mantisbt
Category: administration
View Status: public
Last Update: 2021-03-07 18:29
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.25.0
Fixed in Version: 2.25.0
Summary: 0026884: Misleading e-mail notification following password reset by admin
Description

When a user's password is reset by an administrator - either via the manage_user_reset.php page, or with the REST API (since 0026632) - they are sent the following notification by e-mail:

Someone (presumably you) requested a password change through e-mail
verification. If this was not you, ignore this message and nothing will happen.

If you requested this verification, visit the following URL to change your
password:

http://example.com/mantis/verify.php?id=USER_ID&confirm_hash=HASH

Username: USERNAME
Remote IP address: xxx.xxx.xxx.xxx

Do not reply to this message

That message only makes sense when using the Lost password functionality. In the context of a password reset by an admin, it is misleading, for the following reasons:

  1. Saying "ignore this message and nothing will happen" is wrong - the password reset command (UserResetPasswordCommand) calls user_reset_password(), which actually generates and stores a new random password before sending the notification (via the email_send_confirm_hash_url() function), so the user effectively cannot log in with their previous password anymore, and must reset it with the given link.
  2. Considering that resetting a user's password requires a privileged account having manage_user_threshold, the statements "Someone (presumably you) requested a password change" and "If you requested this verification" are most likely incorrect, because the administrator is unlikely to use the reset password feature for their own account.

A specific notification text should be used for the password reset by admin case.

Tags: No tags attached.

Relationships

related to 0026632 (closed, community): Support user password reset via REST API

Related Changesets

MantisBT: master e118e8e8
2020-04-15 15:36
dregad

Specific notification for password reset by admin

The email notification sent when a password is reset by an administrator
was misleading, implying that it can be ignored when in fact it should
not be, as the password has effectively been changed to a random one. If the
user does not reset their password, they will not be able to log in.

This commit avoids confusion caused by the misleading message, by
sending a specific notification for password resets by admin.

A new $p_reset_by_admin optional parameter, defaulting to false, was
added to the email_send_confirm_hash_url() function, allowing it to be used
for resets by a user (lost password feature) as well.

Fixes 0026884
Affected Issues: 0026884

mod - core/email_api.php
mod - core/user_api.php
mod - lang/strings_english.txt