Defect #32192
closed
Do not allow to send a security notification when the user account is locked.
Added by Hinako Tajima about 5 years ago.
Updated about 5 years ago.
Description
I suggest adding a function that disables sending security notifications when the account is locked.
When an account is locked, I would like security email notifications to be disabled.
I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?
Go MAEDA wrote:
I could not confirm the behavior that locked users get security notifications. Could you describe the steps to reproduce?
This situation happens in Ver.3.4.10 when the administrator changes the email address of a user whose account is locked and saves.
- Category set to Administration
Hinako Tajima wrote:
This situation happens in Ver.3.4.10 when the administrator changes the email address of a user whose account is locked and saves.
I have confirmed that the trunk behaves the same. I think the notification should be sent even to locked users in order to prevent a malicious admin from abusing it.
If security notifications are not sent to a locked user, a malicious admin can stealthily change an active user's email address with the following steps:
1. Lock the user
2. Change the email address of the user
3. Unlock the user
To prevent such an illegal operation, security notifications should be sent to locked users if their user account is updated.
- Subject changed from Do not allow to send a security mail when the user account is locked. to Do not allow to send a security notification when the user account is locked.
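Added example in Ruby (not Redmine's own code; Account, apply_update and the policy names are hypothetical): the notification policy the ticket requested beside the one that was kept, each run over the lock, change email, unlock sequence described above.

```ruby
# Models the decision "does this account update trigger a security
# notification?" and shows why it must not depend on the lock state.
STATUS_ACTIVE = :active
STATUS_LOCKED = :locked

Account = Struct.new(:login, :mail, :status)

# Requested (weak) policy: stay silent while the account is locked.
def notify_when_locked_suppressed?(account, changes)
  return false if account.status == STATUS_LOCKED
  changes.key?(:mail)
end

# Kept (hardened) policy: a security-relevant change such as a new
# email address always notifies, whatever the lock status.
def notify_regardless_of_lock?(account, changes)
  changes.key?(:mail)
end

# Simulates an administrator saving an edit to an account. Returns the
# notifications that would go out, addressed to the OLD mail address so
# the legitimate owner learns about the change.
def apply_update(account, changes, policy)
  sent = []
  if policy.call(account, changes)
    sent << { to: account.mail, event: "mail changed to #{changes[:mail]}" }
  end
  changes.each { |field, value| account[field] = value }
  sent
end

# Runs the sequence from the ticket (lock, change mail, unlock) with
# constructed sample data and returns every notification produced.
def stealth_change_sequence(policy)
  user = Account.new('alice', 'alice@example.com', STATUS_ACTIVE)
  notifications = []
  notifications += apply_update(user, { status: STATUS_LOCKED }, policy)
  notifications += apply_update(user, { mail: 'other@example.com' }, policy)
  notifications += apply_update(user, { status: STATUS_ACTIVE }, policy)
  notifications
end

if __FILE__ == $PROGRAM_NAME
  puts "suppressed: #{stealth_change_sequence(method(:notify_when_locked_suppressed?)).size} sent"
  puts "hardened:   #{stealth_change_sequence(method(:notify_regardless_of_lock?)).size} sent"
end
```

Under the requested policy the sequence produces no notification at all, which is the loophole the maintainer describes; under the kept policy the owner's original address receives one.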
Go MAEDA wrote:
I think the notification should be sent even to locked users [...]
I agree.
- Status changed from New to Closed
- Resolution set to Wont fix
I am closing this as a "Wont fix" because the requested behavior change can be a security loophole.