Defect #32192

Do not allow to send a security notification when the user account is locked.

Added by Hinako Tajima about 1 year ago. Updated about 1 year ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Administration
Target version: -
Resolution: Wont fix
Affected version:

Description

I suggest adding a function that disables sending security notifications if the account is locked.

I would like security mail notifications to be disabled when the account is in a locked state.

History

#1 Updated by Go MAEDA about 1 year ago

I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?

#2 Updated by Hinako Tajima about 1 year ago

Go MAEDA wrote:

I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?

This situation happens in Ver.3.4.10, when the administrator saves after changing the email address of a user whose account is locked.

#3 Updated by Go MAEDA about 1 year ago

  • Category set to Administration

Hinako Tajima wrote:

This situation happens in Ver.3.4.10, when the administrator saves after changing the email address of a user whose account is locked.

I have confirmed that the trunk behaves the same. I think the notification should be sent even to locked users in order to prevent abuse by a malicious admin.

If security notifications are not sent to a locked user, a malicious admin can stealthily change an active user's email address with the following steps:

1. Lock the user
2. Change the email address of the user
3. Unlock the user

To prevent such an illegal operation, security notifications should be sent to locked users if their user account is updated.
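The lock, change, unlock sequence from the comment above, modelled as an added example (not Redmine's own code; the User, SecurityNotifier and run_lock_change_unlock names are hypothetical). It contrasts a notifier that skips locked accounts, as requested in this issue, with one that ignores lock status, and shows that only the second leaves a warning at the user's previous address:

```ruby
# Added example, not Redmine code: a minimal model of the
# "lock, change email, unlock" sequence, comparing a notifier that
# skips locked accounts with one that always notifies.
# User, SecurityNotifier and run_lock_change_unlock are hypothetical names.

class User
  attr_accessor :email, :locked

  def initialize(email)
    @email = email
    @locked = false
  end
end

class SecurityNotifier
  attr_reader :sent

  # skip_locked: true models the behaviour requested in this issue
  # (closed as "Wont fix"); false models the current, safe behaviour.
  def initialize(skip_locked:)
    @skip_locked = skip_locked
    @sent = []
  end

  # Called after an admin changes an account's email address. The notice
  # goes to the previous address, since the new one may be the attacker's.
  def email_changed(user, old_email)
    return if @skip_locked && user.locked

    @sent << { to: old_email, event: :email_changed, new_email: user.email }
  end
end

# Performs the three-step sequence and returns the notifications sent.
def run_lock_change_unlock(notifier)
  user = User.new('alice@example.test')     # constructed sample account
  old_email = user.email
  user.locked = true                        # step 1: lock the user
  user.email = 'attacker@example.test'      # step 2: change the address
  notifier.email_changed(user, old_email)   # hook fired on save
  user.locked = false                       # step 3: unlock the user
  notifier.sent
end

if __FILE__ == $PROGRAM_NAME
  puts "skip locked:  #{run_lock_change_unlock(SecurityNotifier.new(skip_locked: true)).size} notification(s)"
  puts "always send:  #{run_lock_change_unlock(SecurityNotifier.new(skip_locked: false)).size} notification(s)"
end
```

With skip_locked: true the previous address receives nothing, so the change is invisible to the real user; with skip_locked: false the old address is warned exactly once.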

#4 Updated by Go MAEDA about 1 year ago

  • Subject changed from Do not allow to send a security mail when the user account is locked. to Do not allow to send a security notification when the user account is locked.

#5 Updated by Mischa The Evil about 1 year ago

Go MAEDA wrote:

I think the notification should be sent even to locked users [...]

I agree.

#6 Updated by Go MAEDA about 1 year ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

I am closing this as a "Wont fix" because the requested behavior change can be a security loophole.
