Defect #32192 (closed)
Do not allow to send a security notification when the user account is locked.
Description
I suggest adding a function that disables sending security notifications if the account is locked.
I would like security mail notifications to be disabled when the account is in a locked state.
Updated by Go MAEDA about 5 years ago
I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?
Updated by Hinako Tajima about 5 years ago
Go MAEDA wrote:
I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?
This situation happens in Ver. 3.4.10, when the administrator changes the email address of a locked account and saves.
Updated by Go MAEDA about 5 years ago
- Category set to Administration
Hinako Tajima wrote:
This situation happens in Ver. 3.4.10, when the administrator changes the email address of a locked account and saves.
I have confirmed that the trunk behaves the same. I think the notification should be sent even to locked users in order to prevent a malicious admin from abusing it.
If security notifications are not sent to a locked user, a malicious admin can stealthily change an active user's email address with the following steps:
1. Lock the user
2. Change the email address of the user
3. Unlock the user
To prevent such an illegal operation, security notifications should be sent to locked users if their user account is updated.
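As an added example (not Redmine's own code) of the loophole described in this comment, the following minimal Ruby model replays the lock / change address / unlock sequence against two notification policies; the `User`, `Outbox` and policy method names are constructed for illustration.

```ruby
# Added example, not Redmine code: an in-memory user with a lockable account.
class User
  attr_accessor :mail, :locked
  attr_reader :login
  def initialize(login, mail)
    @login, @mail, @locked = login, mail, false
  end
end

# Records every security notification that would have been delivered.
class Outbox
  attr_reader :messages
  def initialize; @messages = []; end
  def deliver(to, subject); @messages << { to: to, subject: subject }; end
end

# Weak policy (the behaviour requested in this issue): no security
# notification while the account is locked.
def change_mail_skip_locked(user, new_mail, outbox)
  old_mail = user.mail
  user.mail = new_mail
  return if user.locked
  outbox.deliver(old_mail, 'Your email address was changed')
end

# Hardened policy (current Redmine behaviour): the previous address is
# always notified of the change, whether or not the account is locked.
def change_mail_always_notify(user, new_mail, outbox)
  old_mail = user.mail
  user.mail = new_mail
  outbox.deliver(old_mail, 'Your email address was changed')
end

# Replays the three steps from the comment above with a constructed sample
# user and returns the addresses that received a notification. With the weak
# policy the list is empty, so the real owner never learns of the change.
def replay_lock_change_unlock(policy)
  user = User.new('alice', 'alice@example.test')
  outbox = Outbox.new
  user.locked = true                                        # 1. lock the user
  send(policy, user, 'new-address@example.test', outbox)    # 2. change the address
  user.locked = false                                       # 3. unlock the user
  outbox.messages.map { |m| m[:to] }
end
```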
Updated by Go MAEDA about 5 years ago
- Subject changed from Do not allow to send a security mail when the user account is locked. to Do not allow to send a security notification when the user account is locked.
Updated by Mischa The Evil about 5 years ago
Go MAEDA wrote:
I think the notification should be sent even to locked users [...]
I agree.
Updated by Go MAEDA about 5 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
I am closing this as a "Wont fix" because the requested behavior change can be a security loophole.