[gatein-issues] [JBoss JIRA] Created: (GTNPORTAL-880) password recovery may change anyone's password

password recovery may change anyone's password ---------------------------------------------- Key: GTNPORTAL-880 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-880 Project: GateIn Portal Issue Type: Bug Security Level: Public (Everyone can see) Affects Versions: 3.0.0-GA Reporter: Patrice Lamarque It looks like anyone can change anyone else's password by using the forgot username function. A first annoyance is that you can easily lock the default root account like this : Sign in > Forgot Username / Password > Forgot My Password Enter 'root' Now try to login with root / gtn >> you can't. What Happened ? Gatein has generated a new password for root and sent it to the default email address which is.... root@localhost (!). Using this function anyone would be able to change anyone else password. The flow for password recovery should not regenerate a new password until the user has confirmed by clicking a generated URI in the email. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira