Details
- Type: Bug
- Status: RESOLVED
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 19.3
- Fix Version/s: 20.0
- Component/s: Reset Password & Account Validation
- Labels: 19 status:Please Merge, 12 status:Please Merge
- Property addition/change required: Yes
- Test Plan:
Description
SAK-42256 refactored reset-pass so that it would not leak information to the user about whether or not an account exists with the given email address.
However, we didn't notice that as a result of this work there is now a regression: it no longer reports or validates against a sakai.property that rejects attempts for certain account types. Unfortunately, we can't simply restore the original functionality, because doing so would defeat the purpose of hardening the system against exposing undue information to a potential attacker.
To address this regression, we need to change the original implementation to be based on a sakai.property like invalidEmailInIdAccountString, which lists domains that are not allowed to use services like New Account, rather than a list of allowed user types (which forces us to resolve User objects in the back end to identify the user type, and reporting on that finding divulges whether or not the account exists).
In this way, the domain can be checked before trying to resolve the User object, we can display messaging about the domain being invalid or not allowed, and we don't leak any information about whether the account exists (either via messaging or via code analysis).
This is a significant change in behaviour, and will necessitate removing old sakai.properties ("resetPass.resetAllRoles", "accountValidator.accountTypes.accept", and "resetRoles", which is the legacy version of the former) and introducing a new property that duplicates "invalidEmailInIdAccountString" for Reset Password, so that institutions can define two separate lists of allowed domains, one for New Account and one for Reset Password.
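The check ordering the description asks for, as an added illustration (not Sakai's code and not the patch for this issue): the submitted address's domain is compared against a configured blocklist before any user lookup, and the two possible responses depend only on the submitted string and server configuration, so an unknown account and a known account produce the same visible result. The property parsing, the `Outcome` enum and the in-memory user directory are stand-ins constructed for the example; Sakai's real property name for Reset Password is introduced by this issue and is not assumed here.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added example: domain policy is evaluated before the account lookup, so the
 * only thing the requester can learn is whether their domain is allowed to use
 * the service. Account existence never changes the returned Outcome.
 * Property name, Outcome enum and the user directory are hypothetical stand-ins,
 * not Sakai's own configuration or API.
 */
public class ResetPassDomainCheck {

    /** Outcome visible to the requester. Deliberately only two shapes exist. */
    public enum Outcome { DOMAIN_NOT_ALLOWED, REQUEST_ACCEPTED }

    private final Set<String> blockedDomains;
    private final Set<String> knownEmails; // constructed stand-in for the user directory

    public ResetPassDomainCheck(String blockedDomainsProperty, Set<String> knownEmails) {
        this.blockedDomains = parseDomainList(blockedDomainsProperty);
        this.knownEmails = knownEmails;
    }

    /** Parses a comma-separated domain list (like invalidEmailInIdAccountString) into a lower-cased set. */
    static Set<String> parseDomainList(String value) {
        if (value == null || value.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /** Returns the domain part of an address, lower-cased, or null if the address is malformed. */
    static String domainOf(String email) {
        if (email == null) {
            return null;
        }
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) {
            return null;
        }
        return email.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    public Outcome handleResetRequest(String email) {
        String domain = domainOf(email);
        // Step 1: domain policy, evaluated before any User object is resolved.
        // Safe to report: it depends only on the submitted string and configuration.
        if (domain == null || blockedDomains.contains(domain)) {
            return Outcome.DOMAIN_NOT_ALLOWED;
        }
        // Step 2: resolve the account. The result decides only whether a mail is
        // actually sent; it never changes what the requester sees.
        boolean exists = knownEmails.contains(email.toLowerCase(Locale.ROOT));
        if (exists) {
            sendResetMail(email); // side effect only
        }
        return Outcome.REQUEST_ACCEPTED;
    }

    private void sendResetMail(String email) {
        // Mail transport omitted in this example.
    }

    public static void main(String[] args) {
        // Constructed sample configuration and directory.
        ResetPassDomainCheck check = new ResetPassDomainCheck(
                "students.example.edu, guest.example.org",
                Set.of("alice@staff.example.edu"));
        // Blocked by domain policy, no lookup performed.
        System.out.println(check.handleResetRequest("bob@students.example.edu"));
        // Allowed domain, account exists: mail sent, generic acceptance returned.
        System.out.println(check.handleResetRequest("alice@staff.example.edu"));
        // Allowed domain, account does not exist: no mail, same generic acceptance.
        System.out.println(check.handleResetRequest("nobody@staff.example.edu"));
    }
}
```

Two points a reviewer of the real change would look for: the blocked-domain message must be produced from the configured list alone (never from anything learned about the user), and the mail dispatch on the "exists" path should be handed off asynchronously, otherwise the difference in response time between the two Step 2 branches becomes a side channel that the uniform messaging was meant to close.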
Issue Links
- relates to SAK-43419 Reset Password - Language string change (RESOLVED)